Replace the SSL certificate for your Classic Load Balancer
If you have an HTTPS listener, you deployed an SSL server certificate on your load
balancer when you created the listener. Each certificate comes with a validity period.
You must ensure that you renew or replace the certificate before its validity period
ends.
Certificates provided by Amazon Certificate Manager and deployed on your load balancer can be renewed
automatically. ACM attempts to renew certificates before they expire. For more
information, see Managed renewal in
the Amazon Certificate Manager User Guide. If you imported a certificate into ACM, you
must monitor the expiration date of the certificate and renew it before it expires. For
more information, see Importing
certificates in the Amazon Certificate Manager User Guide. After a certificate
that is deployed on a load balancer is renewed, new requests use the renewed
certificate.
To replace a certificate, you must first create a new certificate by following the
same steps that you used when you created the current certificate. Then, you can replace
the certificate. After a certificate that is deployed on a load balancer is replaced,
new requests use the new certificate.
Note that renewing or replacing a certificate does not affect requests that were
already received by a load balancer node and are pending routing to a healthy
target.
Replace the SSL certificate using the console
You can replace the certificate deployed on your load balancer with a certificate
provided by ACM or a certificate uploaded to IAM.
- New EC2 experience
  To replace the SSL certificate for an HTTPS load balancer
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - On the navigation pane, under Load Balancing, choose Load Balancers.
  - Choose the name of the load balancer to open its detail page.
  - On the Listeners tab, choose Manage listeners.
  - On the Manage listeners page, locate the listener to be updated, choose Edit under Default SSL cert, and do one of the following:
    - If you created or imported a certificate using Amazon Certificate Manager, choose From ACM, select the certificate from the list, and then choose Save changes. This option is available only in Regions that support Amazon Certificate Manager.
    - If you imported a certificate using IAM, choose From IAM, select the certificate from the list, and then choose Save changes.
    - If you have an SSL certificate to import to ACM, select Import and To ACM. In Certificate private key, copy and paste the contents of the PEM-encoded private key file. In Certificate body, copy and paste the contents of the PEM-encoded public key certificate file. In Certificate chain - optional, copy and paste the contents of the PEM-encoded certificate chain file, unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.
    - If you have an SSL certificate to import but ACM is not supported in this Region, select Import and To IAM. In Certificate name, type the name of the certificate. In Certificate private key, copy and paste the contents of the PEM-encoded private key file. In Certificate body, copy and paste the contents of the PEM-encoded public key certificate file. In Certificate chain - optional, copy and paste the contents of the PEM-encoded certificate chain file, unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.
  - Choose Save changes.
- Old EC2 experience
  To replace the SSL certificate for an HTTPS load balancer
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - On the navigation pane, under Load Balancing, choose Load Balancers.
  - Select your load balancer.
  - On the Listeners tab, for SSL Certificate, choose Change.
  - On the Select Certificate page, do one of the following:
    - If you created or imported a certificate using Amazon Certificate Manager, select Choose an existing certificate from Amazon Certificate Manager (ACM), select the certificate from Certificate, and then choose Save.
    - If you imported a certificate using IAM, select Choose an existing certificate from Amazon Identity and Access Management (IAM), select the certificate from Certificate, and then choose Save.
    - If you have a certificate to import but ACM is not supported in the Region, select Upload a new SSL Certificate to Amazon Identity and Access Management (IAM). Type a name for the certificate, copy the required information to the form, and then choose Save. Note that the certificate chain is not required if the certificate is a self-signed certificate.
Replace the SSL certificate using the Amazon CLI
You can replace the certificate deployed on your load balancer with a certificate
provided by ACM or a certificate uploaded to IAM.
To replace an SSL certificate with a certificate provided by ACM
- Use the following request-certificate command to request a new certificate:
    aws acm request-certificate --domain-name www.example.com
- Use the following set-load-balancer-listener-ssl-certificate command to set the certificate:
    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer \
        --load-balancer-port 443 \
        --ssl-certificate-id arn:aws-cn:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012
To replace an SSL certificate with a certificate uploaded to IAM
- If you have an SSL certificate but have not uploaded it, see Uploading a server certificate in the IAM User Guide.
- Use the following get-server-certificate command to get the ARN of the certificate:
    aws iam get-server-certificate --server-certificate-name my-new-certificate
- Use the following set-load-balancer-listener-ssl-certificate command to set the certificate:
    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer \
        --load-balancer-port 443 \
        --ssl-certificate-id arn:aws-cn:iam::123456789012:server-certificate/my-new-certificate
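Before importing a PEM certificate and pointing the listener at it, confirm that the private key belongs to the certificate and that the certificate is not close to the end of its validity period. The shell functions below are an added example, not part of the AWS documentation; the function names, file layout and day threshold are assumptions, and make_sample_cert only builds a constructed self-signed test certificate.

```shell
#!/bin/sh
# Added example: checks to run on a PEM certificate and private key before
# importing them and switching the HTTPS listener to the new certificate.
# Function names and paths are assumptions, not AWS tooling.

# Constructed input: throwaway self-signed certificate valid for $2 days,
# written to $1/cert.pem with its key in $1/key.pem.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=www.example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Succeeds only if the private key ($2) belongs to the certificate ($1).
# Compares the public key embedded in the certificate with the one
# derived from the private key; unreadable input returns 2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate ($1) is still valid $2 days from now.
# Fails closed: an unreadable file counts as "not valid".
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs both checks. Returns 0 if the pair is safe to deploy, 1 if the key
# does not match or cannot be read, 2 if the certificate expires within
# $3 days.
preflight() {
    if ! cert_matches_key "$1" "$2"; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    if ! valid_for_days "$1" "$3"; then
        echo "certificate expires within $3 days" >&2
        return 2
    fi
    return 0
}
```

Run preflight against the files you are about to import, for example with a 30-day threshold, and continue to the import and set-load-balancer-listener-ssl-certificate steps only when it returns 0.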