Update an HTTPS listener for your Application Load Balancer - Elastic Load Balancing
Replace the default certificateAdd certificates to the certificate listRemove certificates from the certificate listUpdate the security policy

Update an HTTPS listener for your Application Load Balancer

After you create an HTTPS listener, you can replace the default certificate, update the certificate list, or replace the security policy.

Replace the default certificate

You can replace the default certificate for your listener using the following procedure. For more information, see SSL certificates.

New EC2 experience
To change the default certificate using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer.

  4. On the Listeners and rules tab, choose the text in the Protocol:Port column to open the detail page for the listener.

  5. On the Certificates tab, choose Change default.

  6. Within the ACM and IAM certificates table, select a new default certificate.

  7. Choose Save as default.

Old EC2 experience
To change the default certificate using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer.

  4. On the Listeners tab, select the text in the Protocol:Port column to open the detail page for the listener.

  5. On the Certificates tab, choose Change default.

  6. For ACM and IAM certificates, select a certificate.

  7. Choose Save as default.
To change the default certificate using the AWS CLI

Use the modify-listener command.

Add certificates to the certificate list

You can add certificates to the certificate list for your listener using the following procedure. When you first create an HTTPS listener, the certificate list is empty. You can add one or more certificates. You can optionally add the default certificate to ensure that this certificate is used with the SNI protocol even if it is replaced as the default certificate. For more information, see SSL certificates.

New EC2 experience
To change the default certificate using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer.

  4. On the Listeners and rules tab, choose the text in the Protocol:Port column to open the detail page for the listener.

  5. On the Certificates tab, choose Add certificate.

  6. Within the ACM and IAM certificates table, select the certificates to add and choose Include as pending below.

  7. If you have a certificate that isn't managed by ACM or IAM, choose Import certificate, complete the form, and choose Import.

  8. Choose Add pending certificates.

Old EC2 experience
To add certificates to the certificate list using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer.

  4. On the Listeners tab, select the text in the Protocol:Port column to open the detail page for the listener.

  5. On the Certificates tab, choose Add certificate.

  6. For ACM and IAM certificates, select the certificates and choose Include as pending below.

  7. If you have a certificate that isn't managed by ACM or IAM, choose Import certificate, complete the form, and choose Import.

  8. Choose Add pending certificates.
To add a certificate to the certificate list using the AWS CLI

Use the add-listener-certificates command.

Remove certificates from the certificate list

You can remove certificates from the certificate list for an HTTPS listener using the following procedure. To remove the default certificate for an HTTPS listener, see Replace the default certificate.

New EC2 experience
To remove certificates from the certificate list using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer.

  4. On the Listeners and rules tab, select the text in the Protocol:Port column to open the detail page for the listener.

  5. On the Certificates tab, select the check boxes for the certificates and choose Remove.

  6. When prompted for confirmation, enter confirm and choose Remove.

Old EC2 experience
To remove certificates from the certificate list using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer.

  4. On the Listeners tab, select the text in the Protocol:Port column to open the detail page for the listener.

  5. On the Certificates tab, select the check boxes for the certificates and choose Remove.

  6. When prompted for confirmation, enter confirm and choose Remove.
To remove a certificate from the certificate list using the AWS CLI

Use the remove-listener-certificates command.

Update the security policy

When you create an HTTPS listener, you can select the security policy that meets your needs. When a new security policy is added, you can update your HTTPS listener to use the new security policy. Application Load Balancers do not support custom security policies. For more information, see Security policies.

Using FIPS policies on your Application Load Balancer:

All secure listeners attached to an Application Load Balancer must use either FIPS security policies or non-FIPS security policies; they cannot be mixed. If an existing Application Load Balancer has two or more listeners using non-FIPS policies and you want the listeners to use FIPS security policies instead, remove all listeners until there is only one. Change the security policy of the listener to FIPS and then create additional listeners using FIPS security policies. Alternatively, you can create a new Application Load Balancer with new listeners using only FIPS security policies.

New EC2 experience
To update the security policy using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer.

  4. On the Listeners and rules tab, select the text in the Protocol:Port column to open the detail page for the listener.

  5. On the Details page, choose Actions, then Edit listener.

  6. In the Secure listener settings section, under Security policy, choose a new security policy.

  7. Choose Save changes.

Old EC2 experience
To update the security policy using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer.

  4. On the Listeners tab, select the text in the Protocol:Port column to open the detail page for the listener.

  5. On the Details tab, choose Edit.

  6. For Security policy, choose a security policy.

  7. Choose Save changes.
To update the security policy using the AWS CLI

Use the modify-listener command.