Update an HTTPS listener for your Application Load Balancer
After you create an HTTPS listener, you can replace the default certificate, update the certificate list, or replace the security policy.
Tasks
- Replace the default certificate
- Add certificates to the certificate list
- Remove certificates from the certificate list
- Update the security policy
Replace the default certificate
You can replace the default certificate for your listener using the following procedure. For more information, see SSL certificates.
To change the default certificate using the console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, choose Load Balancers.
- Select the load balancer.
- On the Listeners tab, select the text in the Protocol:Port column to open the detail page for the listener.
- On the Certificates tab, choose Change default.
- For ACM and IAM certificates, select a certificate.
- Choose Save as default.
To change the default certificate using the AWS CLI
Use the modify-listener command.
Add certificates to the certificate list
You can add certificates to the certificate list for your listener using the following procedure. When you first create an HTTPS listener, the certificate list is empty. You can add one or more certificates. You can optionally add the default certificate to ensure that this certificate is used with the SNI protocol even if it is replaced as the default certificate. For more information, see SSL certificates.
To add certificates to the certificate list using the console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, choose Load Balancers.
- Select the load balancer.
- On the Listeners tab, select the text in the Protocol:Port column to open the detail page for the listener.
- On the Certificates tab, choose Add certificate.
- For ACM and IAM certificates, select the certificates and choose Include as pending below.
- If you have a certificate that isn't managed by ACM or IAM, choose Import certificate, complete the form, and choose Import.
- Choose Add pending certificates.
To add a certificate to the certificate list using the AWS CLI
Use the add-listener-certificates command.
Remove certificates from the certificate list
You can remove certificates from the certificate list for an HTTPS listener using the following procedure. To remove the default certificate for an HTTPS listener, see Replace the default certificate.
To remove certificates from the certificate list using the console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, choose Load Balancers.
- Select the load balancer.
- On the Listeners tab, select the text in the Protocol:Port column to open the detail page for the listener.
- On the Certificates tab, select the check boxes for the certificates and choose Remove.
- When prompted for confirmation, enter confirm and choose Remove.
To remove a certificate from the certificate list using the AWS CLI
Use the remove-listener-certificates command.
Update the security policy
When you create an HTTPS listener, you can select the security policy that meets your needs. When a new security policy is added, you can update your HTTPS listener to use the new security policy. Application Load Balancers do not support custom security policies. For more information, see Security policies.
To update the security policy using the console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, choose Load Balancers.
- Select the load balancer.
- On the Listeners tab, select the text in the Protocol:Port column to open the detail page for the listener.
- On the Details tab, choose Edit.
- For Security policy, choose a security policy.
- Choose Save changes.
To update the security policy using the AWS CLI
Use the modify-listener command.
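The four AWS CLI procedures above (replace the default certificate, add and remove certificates from the certificate list, and update the security policy) wrapped as shell functions. This is an added example, not code from the AWS documentation; it assumes AWS CLI v2 with credentials configured, that describe-listener-certificates (not named on this page) is used only to verify the result, and that ELBSecurityPolicy-TLS13-1-2-2021-06 is the name of a current AWS-managed policy (choose yours from the Security policies page). Setting AWS=echo prints each command instead of running it.

```shell
# Added example: wrappers around the aws elbv2 commands this page names.
# AWS=echo turns every call into a dry run that prints the command line.
AWS="${AWS:-aws}"

# Build the CertificateArn=... shorthand that --certificates expects,
# one entry per ARN, separated by spaces (ARNs contain no spaces).
certs_arg() {
  out=""
  for arn in "$@"; do
    out="${out:+$out }CertificateArn=$arn"
  done
  printf '%s' "$out"
}

# Replace the default certificate: modify-listener takes exactly one cert.
set_default_cert() {   # listener-arn cert-arn
  $AWS elbv2 modify-listener --listener-arn "$1" --certificates "$(certs_arg "$2")"
}

# Add one or more SNI certificates to the listener's certificate list.
add_listener_certs() { # listener-arn cert-arn...
  listener="$1"; shift
  set -- $(certs_arg "$@")   # word-split into one CertificateArn=... per ARN
  $AWS elbv2 add-listener-certificates --listener-arn "$listener" --certificates "$@"
}

# Remove certificates from the certificate list (not the default certificate).
remove_listener_certs() { # listener-arn cert-arn...
  listener="$1"; shift
  set -- $(certs_arg "$@")
  $AWS elbv2 remove-listener-certificates --listener-arn "$listener" --certificates "$@"
}

# Update the security policy (ALBs accept only AWS-managed policy names).
set_security_policy() { # listener-arn policy-name
  $AWS elbv2 modify-listener --listener-arn "$1" --ssl-policy "$2"
}

# Verify: list every certificate on the listener and whether it is the default.
list_listener_certs() { # listener-arn
  $AWS elbv2 describe-listener-certificates --listener-arn "$1" \
    --query 'Certificates[].[CertificateArn,IsDefault]' --output text
}

# Usage (placeholders, not real ARNs):
#   set_security_policy arn:aws:elasticloadbalancing:...:listener/app/... ELBSecurityPolicy-TLS13-1-2-2021-06
#   list_listener_certs arn:aws:elasticloadbalancing:...:listener/app/...
```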