Elastic Load Balancing
Developer Guide

Update the SSL Certificate for Your Load Balancer

If you are using the HTTPS/SSL protocol for your listeners, you might have an SSL server certificate installed on your load balancer. Your SSL certificate comes with a validity period. You must replace the certificate before its validity period ends. To replace a certificate, you must first create a new certificate by following the same steps you used when you created the current certificate. For more information about creating an SSL certificate and uploading it, see SSL Certificates for Elastic Load Balancing.

The following examples show you how to update an SSL certificate. Note that the change does not affect requests that were received by a load balancer node and are pending routing to a healthy instance, but the updated certificate will be used with new requests that are received.


Verify that your certificate meets the prerequisites.

Updating an SSL Certificate Using the Console

To update an SSL certificate for an HTTPS load balancer

  1. Open the Amazon EC2 console at

  2. In the navigation pane, under LOAD BALANCING, click Load Balancers.

  3. Select your load balancer.

  4. In the Listeners tab, click Change in the SSL Certificate column for the certificate.

  5. In the Select Certificate dialog box, do one of the following:

    • If you have already uploaded an SSL certificate using IAM, select Choose an existing SSL Certificates, select the certificate from Certificate Name, and then click Save.

    • If you have an SSL certificate to upload, select Upload a new SSL Certificate. Enter a name for the certificate, copy the required information to the form, and then click Save. Note that the certificate chain is not required if the certificate is a self-signed certificate.


Updating an SSL Certificate Using the AWS CLI

To update an SSL certificate for an HTTPS load balancer

  1. If you have an SSL certificate but have not uploaded it, complete the instructions described in Upload the Signed Certificate.

  2. Use the following get-server-certificate command to get the ARN of the certificate:

    aws iam get-server-certificate --server-certificate-name my-new-certificate

  3. Use the following set-load-balancer-listener-ssl-certificate command to set the certificate:

    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-loadbalancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/my-new-certificate
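
The CLI steps above can be chained so that the ARN is looked up rather than typed, a certificate that is close to expiry is not installed, and the listener is checked after the change. This is an added example, not part of the original guide; the function names and the 30-day minimum validity are assumptions, and it expects a configured AWS CLI and GNU date.

```bash
# Added example (not from the guide). Assumes a configured AWS CLI and GNU date.

# Print the ARN of the IAM server certificate named $1.
cert_arn() {
  aws iam get-server-certificate --server-certificate-name "$1" \
    --query 'ServerCertificate.ServerCertificateMetadata.Arn' --output text
}

# Succeed only if certificate $1 stays valid for at least $2 more days.
cert_valid_for_days() {
  local exp exp_s now_s
  exp=$(aws iam get-server-certificate --server-certificate-name "$1" \
    --query 'ServerCertificate.ServerCertificateMetadata.Expiration' \
    --output text) || return 1
  exp_s=$(date -u -d "$exp" +%s) || return 1
  now_s=$(date -u +%s)
  [ $(( ($exp_s - $now_s) / 86400 )) -ge "$2" ]
}

# Print the certificate ARN currently bound to port $2 of load balancer $1.
listener_cert() {
  aws elb describe-load-balancers --load-balancer-names "$1" --output text \
    --query "LoadBalancerDescriptions[0].ListenerDescriptions[?Listener.LoadBalancerPort==\`$2\`].Listener.SSLCertificateId"
}

# Rotate: check validity, resolve the ARN, set it, then confirm the binding.
# $4 is the minimum remaining validity in days (assumed default: 30).
rotate_listener_cert() {
  local lb="$1" port="$2" name="$3" min_days="${4:-30}" arn
  cert_valid_for_days "$name" "$min_days" || {
    echo "refusing: $name is valid for fewer than $min_days days" >&2; return 1; }
  arn=$(cert_arn "$name") || return 1
  aws elb set-load-balancer-listener-ssl-certificate \
    --load-balancer-name "$lb" --load-balancer-port "$port" \
    --ssl-certificate-id "$arn" >/dev/null || return 1
  [ "$(listener_cert "$lb" "$port")" = "$arn" ] || {
    echo "listener on port $port is not using $arn" >&2; return 1; }
  echo "$arn"
}

# Example call, with the names used in the steps above:
# rotate_listener_cert my-loadbalancer 443 my-new-certificate
```
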