Update a TLS listener for your Network Load Balancer
After you create a TLS listener, you can replace the default certificate, add or remove certificates from the certificate list, update the security policy, or update the ALPN policy.
Tasks
Replace the default certificate
You can replace the default certificate for your TLS listener using the following procedure. For more information, see Default certificate.
To replace the default certificate using the console
Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/
. -
On the navigation pane, choose Load Balancers.
-
Choose the name of the load balancer to open its detail page.
-
On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.
-
For Default SSL certificate, do one of the following:
-
If you created or imported a certificate using Amazon Certificate Manager, choose From ACM and choose the certificate.
-
If you uploaded a certificate using IAM, choose From IAM and choose the certificate.
-
-
Choose Save changes.
To replace the default certificate using the Amazon CLI
Use the modify-listener command with the --certificates option.
Add certificates to the certificate list
You can add certificates to the certificate list for your listener using the following procedure. When you first create a TLS listener, the certificate list is empty. You can add one or more certificates. You can optionally add the default certificate to ensure that this certificate is used with the SNI protocol even if it is replaced as the default certificate. For more information, see Certificate list.
To add certificates to the certificate list using the console
Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/
. -
In the navigation pane, choose Load Balancers.
-
Choose the name of the load balancer to open its detail page.
-
On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.
-
Select the check box for the listener and choose Actions, Add SSL certificates for SNI.
-
To add certificates that are already managed by ACM or IAM, select the check boxes for the certificates and choose Include as pending below.
-
If you have a certificate that isn't managed by ACM or IAM, choose Import certificate, complete the form, and choose Import.
-
Choose Add pending certificates.
To add a certificate to the certificate list using the Amazon CLI
Use the add-listener-certificates command.
Remove certificates from the certificate list
You can remove certificates from the certificate list for a TLS listener using the following procedure. To remove the default certificate for a TLS listener, see Replace the default certificate.
To remove certificates from the certificate list using the console
Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/
. -
In the navigation pane, choose Load Balancers.
-
Choose the name of the load balancer to open its detail page.
-
On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.
-
Select the check box for the listener and choose Actions, Add SSL certificates for SNI.
-
Select the check boxes for the certificates and choose Remove.
-
When prompted for confirmation, enter
confirm
and choose Remove.
To remove a certificate from the certificate list using the Amazon CLI
Use the remove-listener-certificates command.
Update the security policy
When you create a TLS listener, you can select the security policy that meets your needs. When a new security policy is added, you can update your TLS listener to use the new security policy. Network Load Balancers do not support custom security policies. For more information, see Security policies for your Network Load Balancer.
To update the security policy using the console
Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/
. -
In the navigation pane, choose Load Balancers.
-
Choose the name of the load balancer to open its detail page.
-
On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.
-
Choose Edit.
-
For Security policy, choose a security policy.
-
Choose Save changes.
To update the security policy using the Amazon CLI
Use the modify-listener command with the --ssl-policy option.
Update the ALPN policy
You can update the ALPN policy for your TLS listener using the following procedure. For more information, see ALPN policies.
To update the ALPN policy using the console
Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/
. -
In the navigation pane, choose Load Balancers.
-
Choose the name of the load balancer to open its detail page.
-
On the Listeners tab, choose the text in the Protocol:Port column to open the detail page for the listener.
-
Choose Edit.
-
For ALPN policy, choose a policy to enable ALPN or choose None to disable ALPN.
-
Choose Save changes.
To update the ALPN policy using the Amazon CLI
Use the modify-listener command with the --alpn-policy option.