Updating an Expiring Load Balancer Certificate

Update an expiring SSL certificate for a load balancer.

To ensure consistent service, you must update (rotate) expiring certificates. This process consists of the following tasks:

  • Uploading the new SSL certificate bundle to the load balancer.

  • Editing the applicable listeners and backend sets so they use the new certificate bundle.

  • Optionally removing the expiring SSL certificate bundle.

Using the Console

  1. Update your client or backend server to work with a new certificate bundle.
    Note

    The steps to update your client or backend server are unique to your system.

  2. Upload the new SSL certificate bundle to the load balancer:
    1. On the Load balancers list page, find the load balancer that you want to work with. If you need help finding the list page or the load balancer, see Listing Load Balancers.

    2. On the load balancer's details page, select Load balancer certificates.

    3. Select Add certificate.

    4. Enter the following information:

      • Certificate name: Enter a friendly name for the certificate bundle. It must be unique within the load balancer, and it can't be changed in the Console. (It can be changed using the API.)

      • Choose SSL certificate file: Drag the certificate file, in PEM format, into the SSL certificate field.

        You can also choose the Paste SSL certificate option to paste a certificate directly into this field.

        Important

        If you submit a self-signed certificate for backend SSL, you must submit the same certificate in the corresponding CA Certificate field.

      • Specify CA certificate: (Recommended for backend SSL termination configurations.) Select to provide a CA certificate.

        • Choose CA certificate file: Drag the CA certificate file, in PEM format, into the CA certificate field.

          You can also choose the Paste CA certificate option to paste a certificate directly into this field.

      • Specify private key: (Required for SSL termination.) Select to provide a private key for the certificate.

        • Choose private key file: Drag the private key, in PEM format, into the Private key field.

          You can also choose the Paste private key option to paste a private key directly into this field.

        • Enter private key passphrase: (Optional) Specify the private key passphrase.

    5. Click Add certificate. Next, edit each applicable listener or backend set (as needed) so that it uses the new certificate bundle.

  3. Edit the listener:
    1. On the load balancer's details page, select Listeners.

    2. From the Actions menu for the listener, select Edit.

    3. In the Certificate name list, select the new certificate bundle.

    4. Click Save changes.

  4. Edit the backend set:
    Important

    Updating the backend set temporarily interrupts traffic and can drop active connections.

    1. On the load balancer's details page, select Backend sets.

    2. From the Actions menu for the backend set you want, select Edit.

    3. On the backend set's details page, select Use SSL.

    4. In the Certificate name list, select the new certificate bundle.

    5. Click Save changes.

  5. (Optional) Remove the expiring SSL certificate bundle.
    Note

    You can't delete an SSL certificate bundle that's associated with a listener or backend set. Remove the bundle from any other listeners or backend sets before deleting.

    1. On the load balancer's details page, select Load balancer certificates.

    2. From the Actions menu for the certificate you want, select Delete.

    3. When prompted, confirm the deletion.
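
Before uploading the bundle in step 2, the PEM files can be checked locally. The following script is an added example, not part of the original procedure: it uses the openssl command-line tool to confirm that the certificate parses, has enough lifetime left, matches the private key, and, if self-signed, is also supplied as the CA certificate. The function name, the LB_KEY_PASSPHRASE variable and the 30-day default are assumptions of this example, and it applies the backend SSL rule for self-signed certificates to every self-signed certificate.

```sh
#!/bin/sh
# Added example: local pre-upload checks for a certificate bundle. Needs openssl.
# LB_KEY_PASSPHRASE is an environment variable name chosen for this example.

# SHA-256 of the DER public key for the PEM public key on stdin.
pubkey_digest() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }

# check_lb_bundle CERT KEY [CA_FILE] [MIN_DAYS]
# Exit status 0 = checks passed; 2-6 identify the failed check.
# The body is a subshell, so "exit" only leaves the function.
check_lb_bundle() (
  cert=$1; key=$2; ca=${3:-}; min_days=${4:-30}
  export LB_KEY_PASSPHRASE="${LB_KEY_PASSPHRASE:-}"

  openssl x509 -in "$cert" -noout >/dev/null 2>&1 ||
    { echo "FAIL: $cert is not a PEM X.509 certificate" >&2; exit 2; }

  # The replacement needs enough lifetime left to be worth rotating to.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "FAIL: certificate expires within $min_days days" >&2; exit 3; }

  # The private key must belong to the certificate: compare public keys.
  c=$(openssl x509 -in "$cert" -noout -pubkey | pubkey_digest)
  k=$(openssl pkey -in "$key" -passin env:LB_KEY_PASSPHRASE -pubout 2>/dev/null | pubkey_digest)
  [ "$c" = "$k" ] ||
    { echo "FAIL: private key unreadable or does not match certificate" >&2; exit 4; }

  subj=$(openssl x509 -in "$cert" -noout -subject_hash)
  issr=$(openssl x509 -in "$cert" -noout -issuer_hash)
  if [ "$subj" = "$issr" ]; then
    # Self-signed: the same certificate must also go in the CA certificate field.
    { [ -n "$ca" ] && [ "$(fingerprint "$ca")" = "$(fingerprint "$cert")" ]; } ||
      { echo "FAIL: self-signed; CA certificate must be the same certificate" >&2; exit 5; }
  elif [ -n "$ca" ]; then
    # Assumes CA_FILE holds the full chain up to a self-signed root.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
      { echo "FAIL: certificate does not verify against $ca" >&2; exit 6; }
  fi
  echo "OK: bundle passes local checks"
)

if [ "$#" -ge 2 ]; then check_lb_bundle "$@"; fi
```

Supplying the passphrase through the environment keeps it out of the process argument list; an encrypted key with a missing or wrong passphrase is reported as status 4 instead of prompting.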