Update an SSL Certificate for a Load Balancer
If you are using HTTPS/SSL protocol for your listeners, you might have an SSL server certificate installed on your load balancer. Your SSL certificate comes with a validity period. You must replace the certificate before its validity period ends. To replace the certificate you must first create a new certificate by following the same steps you used when you created your certificate for the first time. For information on creating a new SSL certificate, see SSL Certificate for Elastic Load Balancing.
Before you install your SSL certificate on your load balancer, you must upload your SSL certificate to IAM. To do so, you can use the Elastic Load Balancing wizard from the Amazon EC2 console, the upload-server-certificate AWS CLI command, or the UploadServerCertificate IAM action.
The following examples show you how to update an SSL certificate.
Examples
- Updating an SSL Certificate Using the AWS Management Console
- Updating an SSL Certificate Using the AWS CLI
To update an SSL certificate for an HTTPS load balancer
-
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
-
In the navigation pane, under NETWORK & SECURITY, click Load Balancers.
-
Select your load balancer.
-
In the bottom pane, select the Listeners tab.
-
In the Listeners pane, click Change in the SSL Certificate column of the certificate you want to update.
-
On the Select Certificate page, select Choose from an existing SSL Certificates if you have already uploaded your SSL certificate using IAM. Click the Certificate Name: dialog box and select your certificate. Click Save.
-
Or, select Upload a new SSL Certificate if you have an SSL certificate and want to upload it.
Before you upload, ensure that your certificate meets the criteria described in Upload the Signed Certificate
If your certificate does not meet the criteria listed in this step, you might get an error when you upload it. Create a new SSL certificate and upload the certificate using AWS Identity and Access Management (IAM). For instructions on creating and uploading the SSL certificate, see SSL Certificate for Elastic Load Balancing.
Step through the following instructions to continue uploading your SSL certificate.
-
Enter the name of the certificate to upload.
-
Copy and paste the contents of the private key file (PEM-encoded) in the Private Key box.
Note
The private key cannot be retrieved after you are finished uploading it.
-
Copy and paste the contents of the public key certificate file (PEM-encoded) in the Public Key Certificate box.
-
You can skip this step if you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.
If you are not using self-signed certificate, copy and paste the contents of the public key certificate chain file (PEM-encoded) in the Certificate Chain box.
Note
The certificate chain must be ordered such that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.
-
-
Click Save.
To update an SSL certificate for an HTTPS load balancer
-
If you have an SSL certificate and have uploaded it using the AWS Identity and Access Management (IAM), use the AWS CLI command get-server-certificate to get the ARN of the certificate, and then go to step 3.
-
If you have an SSL certificate and want to upload it, step through the instructions described in Upload the Signed Certificate.
-
Enter the set-load-balancer-listener-ssl-certificate command and specify the load balancer port of an HTTPS listener, as in the following example.
aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-test-loadbalancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::012345678901:server-certificate/production/newCert