Elastic Load Balancing
Application Load Balancers

Update Server Certificates

When you create a secure listener, you specify a default certificate. You can also create a certificate list for the listener by adding additional certificates.

Each certificate comes with a validity period. You must ensure that you renew or replace the certificate before its validity period ends. Renewing or replacing a certificate does not affect in-flight requests that were received by the load balancer node and are pending routing to a healthy target. After a certificate is renewed, new requests use the renewed certificate. After a certificate is replaced, new requests use the new certificate.

You can manage certificate renewal and replacement as follows:

  • Certificates provided by AWS Certificate Manager and deployed on your load balancer can be renewed automatically. ACM attempts to renew certificates before they expire. For more information, see Managed Renewal in the AWS Certificate Manager User Guide.

  • If you imported a certificate into ACM, you must monitor the expiration date of the certificate and renew it before it expires. For more information, see Importing Certificates in the AWS Certificate Manager User Guide.

  • If you imported a certificate into IAM, you must create a new certificate, import the new certificate to ACM or IAM, add the new certificate to your load balancer, and remove the expired certificate from your load balancer.

Add Certificates

You can add certificates to the certificate list for your listener using the following procedure. The default certificate for a listener is not added to the certificate list by default, but you can add the default certificate to the certificate list.

To add certificates using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.

  3. Select the load balancer and choose Listeners.

  4. For the secure listener to update, choose View/edit certificates, which displays the default certificate followed by any other certificates that you've added to the listener.

  5. Choose the Add certificates icon (the plus sign) in the menu bar, which displays the default certificate followed by any other certificates managed by ACM and IAM. If you've already added a certificate to the listener, its checkbox is selected and disabled.

  6. To add certificates that are already managed by ACM or IAM, select the certificates and choose Add.

  7. If you have a certificate that isn't managed by ACM or IAM, import it to ACM and add it to your listener as follows:

    1. Choose Import certificate.

    2. For Certificate private key, paste the PEM-encoded, unencrypted private key for the certificate.

    3. For Certificate body, paste the PEM-encoded certificate.

    4. (Optional) For Certificate chain, paste the PEM-encoded certificate chain.

    5. Choose Import. The newly imported certificate appears in the list of available certificates and is selected.

    6. Choose Add.

  8. To leave this screen, choose the Back to the load balancer icon (the back button) in the menu bar.

To add a certificate using the AWS CLI

Use the add-listener-certificate command.

Replace the Default Certificate

You can replace the default certificate for your listener using the following procedure.

To change the default certificate using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.

  3. Select the load balancer and choose Listeners.

  4. Select the listener and choose Actions, Edit.

  5. For Select default certificate, do one of the following:

    • If you created or imported a certificate using AWS Certificate Manager, select Choose an existing certificate from AWS Certificate Manager (ACM), and then select the certificate from Certificate name.

    • If you uploaded a certificate using IAM, select Choose an existing certificate from AWS Identity and Access Management (IAM), and then select the certificate from Certificate name.

  6. Choose Save.

To change the default certificate using the AWS CLI

Use the modify-listener command.

Remove Certificates

You can remove the nondefault certificates for a secure listener at any time. You cannot remove the default certificate for a secure listener using this procedure.

To remove certificates using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.

  3. Select the load balancer and choose Listeners.

  4. For the secure listener to update, choose View/edit certificates, which displays the default certificate followed by any other certificates that you've added to the listener.

  5. Choose the Remove certificates icon (the minus sign) in the menu bar.

  6. Select the certificates and choose Remove.

  7. To leave this screen, choose the Back to the load balancer icon (the back button) in the menu bar.

To remove a certificate using the AWS CLI

Use the remove-listener-certificate command.
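The expiry monitoring described under "Update Server Certificates" and the three CLI commands named in the Add, Replace and Remove procedures, combined into one rotation script. This is an added example, not code from the AWS documentation; it assumes AWS CLI v2 and GNU `date`, uses placeholder ARNs, and assumes the outgoing certificate was also added to the listener's certificate list (otherwise step 3 is unnecessary).

```shell
#!/bin/sh
# Rotate a listener certificate with the elbv2 commands named on this page,
# in the only order that works: the current default certificate cannot be
# removed, so the new certificate must be added and made default first.
set -eu

# Whole days between two epoch-second timestamps (expiry, now);
# 0 or negative once the certificate has expired.
days_until() {
  expiry=$1; now=$2
  echo $(( (expiry - now) / 86400 ))
}

# Succeeds when the certificate expires within $3 days (default 30),
# i.e. when an imported certificate should be renewed and rotated.
needs_rotation() {
  [ "$(days_until "$1" "$2")" -le "${3:-30}" ]
}

# Fetch NotAfter for an ACM certificate and convert it to epoch seconds
# (GNU date syntax; assumption, not part of the page).
cert_expiry_epoch() {
  iso=$(aws acm describe-certificate --certificate-arn "$1" \
          --query 'Certificate.NotAfter' --output text)
  date -d "$iso" +%s
}

# Emit the ordered CLI calls for one rotation, one per line:
#  1. add the new certificate to the listener's certificate list,
#  2. make it the default (modify-listener), so the old one is no longer default,
#  3. only then remove the old certificate from the certificate list.
plan_rotation() {
  listener=$1; old=$2; new=$3
  printf '%s\n' \
    "aws elbv2 add-listener-certificate --listener-arn $listener --certificates CertificateArn=$new" \
    "aws elbv2 modify-listener --listener-arn $listener --certificates CertificateArn=$new" \
    "aws elbv2 remove-listener-certificate --listener-arn $listener --certificates CertificateArn=$old"
}

# Execute the plan, or only print it when DRY_RUN=1 (the default here so the
# ordering can be reviewed before touching a live listener).
rotate_listener_cert() {
  plan_rotation "$1" "$2" "$3" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
  done
}
```

Run with `DRY_RUN=0 rotate_listener_cert <listener-arn> <old-cert-arn> <new-cert-arn>` once `needs_rotation "$(cert_expiry_epoch <old-cert-arn>)" "$(date +%s)"` reports that the certificate is close to expiry.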