Update a TLS listener for your Network Load Balancer - Elastic Load Balancing
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Update a TLS listener for your Network Load Balancer

After you create a TLS listener, you can replace the default certificate, add or remove certificates from the certificate list, update the security policy, or update the ALPN policy.

Replace the default certificate

You can replace the default certificate for your TLS listener using the following procedure. For more information, see Default certificate.

To replace the default certificate using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Choose the name of the load balancer to open its detail page.

  4. On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.

  5. For Default SSL certificate, do one of the following:

    • If you created or imported a certificate using Amazon Certificate Manager, choose From ACM and choose the certificate.

    • If you uploaded a certificate using IAM, choose From IAM and choose the certificate.

  6. Choose Save changes.

To replace the default certificate using the Amazon CLI

Use the modify-listener command with the --certificates option.

Add certificates to the certificate list

You can add certificates to the certificate list for your listener using the following procedure. When you first create a TLS listener, the certificate list is empty. You can add one or more certificates. You can optionally add the default certificate to ensure that this certificate is used with the SNI protocol even if it is replaced as the default certificate. For more information, see Certificate list.

To add certificates to the certificate list using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Load Balancers.

  3. Choose the name of the load balancer to open its detail page.

  4. On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.

  5. Select the check box for the listener and choose Actions, Add SSL certificates for SNI.

  6. To add certificates that are already managed by ACM or IAM, select the check boxes for the certificates and choose Include as pending below.

  7. If you have a certificate that isn't managed by ACM or IAM, choose Import certificate, complete the form, and choose Import.

  8. Choose Add pending certificates.

To add a certificate to the certificate list using the Amazon CLI

Use the add-listener-certificates command.

Remove certificates from the certificate list

You can remove certificates from the certificate list for a TLS listener using the following procedure. To remove the default certificate for a TLS listener, see Replace the default certificate.

To remove certificates from the certificate list using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Load Balancers.

  3. Choose the name of the load balancer to open its detail page.

  4. On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.

  5. Select the check box for the listener and choose Actions, Add SSL certificates for SNI.

  6. Select the check boxes for the certificates and choose Remove.

  7. When prompted for confirmation, enter confirm and choose Remove.

To remove a certificate from the certificate list using the Amazon CLI

Use the remove-listener-certificates command.

Update the security policy

When you create a TLS listener, you can select the security policy that meets your needs. When a new security policy is added, you can update your TLS listener to use the new security policy. Network Load Balancers do not support custom security policies. For more information, see Security policies for your Network Load Balancer.

To update the security policy using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Load Balancers.

  3. Choose the name of the load balancer to open its detail page.

  4. On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.

  5. Choose Edit.

  6. For Security policy, choose a security policy.

  7. Choose Save changes.

To update the security policy using the Amazon CLI

Use the modify-listener command with the --ssl-policy option.

Update the ALPN policy

You can update the ALPN policy for your TLS listener using the following procedure. For more information, see ALPN policies.

To update the ALPN policy using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Load Balancers.

  3. Choose the name of the load balancer to open its detail page.

  4. On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.

  5. Choose Edit.

  6. For ALPN policy, choose a policy to enable ALPN or choose None to disable ALPN.

  7. Choose Save changes.

To update the ALPN policy using the Amazon CLI

Use the modify-listener command with the --alpn-policy option.