Change / Update SSL certificate for Amazon Elastic Load Balancer

There is a new card about how to do this with the new AWS Command Line Interface


First you need the IAM CLI Tools.

On Ubuntu you can easily install them with sudo apt-get install iamcli.

Otherwise, you can install it manually:

  • download and unzip the IAM CLI Tools
  • you have to set this environment variable before you can use IAMCli-Tools: export AWS_IAM_HOME=/home/foobar/Downloads/IAMCli-1.2.0/ (version may vary)

After installing IAMCli-Tools you have to create an AWS credential file (e.g. aws-credential.txt) like this:

AWSAccessKeyId=AWS access ID
AWSSecretKey=AWS secret key

According to Amazon, the following data must be given:

You can either use the AWS account's access keys, which can be found at http://aws.amazon.com under Account->Security Credentials, or you can use the access keys of a user created with IA

Now you can try to list your available certificates:

Open a terminal (if you don't have one open yet) and set the JAVA_HOME environment variable: export JAVA_HOME=/usr

iam-servercertlistbypath --aws-credential-file ./aws-credential.txt

If you've installed it manually you have to give the full path:

/home/foobar/Downloads/IAMCli-1.2.0/bin/iam-servercertlistbypath --aws-credential-file ./aws-credential.txt

The output should look something like this:

arn:aws:iam::322191361670:server-certificate/www.example.com
arn:aws:iam::322191361670:server-certificate/testCert

Now you have to upload the new certificate:

(if you don't have a ca-bundle you can omit the -c www.example.com.ca-bundle)

iam-servercertupload --aws-credential-file ./aws-credential.txt -b www.example.com.crt -k www.example.com.key -c www.example.com.ca-bundle -s www.example.com-2011 -v

The output should look like this and include the server certificate's Amazon Resource Name (ARN) and GUID:

arn:aws:iam::322191361670:server-certificate/www.example.com-2011
ASCACexampleKEZUQ4K

If you get an error message similar to "A client error (MalformedCertificate) occurred: Invalid Private Key.", please look at this card to see how to fix it.

Before you can activate your uploaded certificate you need to install the ElasticLoadBalancing Tools.

At the moment there is no Ubuntu package available, so you have to do this manually.
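
One way to check the files before running iam-servercertupload, as an added example that is not part of the original card or of the AWS tools. The function names and the script name preflight.sh are made up for this example, and pair_matches assumes openssl is installed:

```shell
#!/bin/sh
# Added example: pre-upload checks for the files used by iam-servercertupload.
# File names mirror the card; function names are hypothetical.

# The credential file holds the secret key in plaintext, so require that
# group and others have no permissions on it and that both entries exist.
cred_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] || return 1
    grep -q '^AWSAccessKeyId=.' "$1" && grep -q '^AWSSecretKey=.' "$1"
}

# IAM needs an unencrypted PEM private key; reject passphrase-protected ones.
key_unencrypted() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# The certificate must carry the public half of the private key.
# Compares the public key extracted from each file (requires openssl).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks, report each failure, return non-zero if any check fails.
# Arguments: credential file, certificate, private key.
preflight() {
    rc=0
    cred_file_ok "$1" || { echo "FAIL: $1 incomplete or accessible to others (chmod 600)" >&2; rc=1; }
    key_unencrypted "$3" || { echo "FAIL: $3 is not an unencrypted PEM private key" >&2; rc=1; }
    pair_matches "$2" "$3" || { echo "FAIL: $2 does not match $3" >&2; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh aws-credential.txt www.example.com.crt www.example.com.key
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```
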

export AWS_ELB_HOME=/home/foobar/Downloads/ElasticLoadBalancing-1.0.14.3

Now you can activate your certificate:

You need the name of your Elastic Load Balancer, the region and the certificate's ARN:

/home/foobar/Downloads/ElasticLoadBalancing-1.0.14.3/bin/elb-set-lb-listener-ssl-cert lb-name --aws-credential-file ./aws-credential.txt --region eu-west-1 --lb-port 443 --cert-id arn:aws:iam::322191361670:server-certificate/www.example.com-2011

Kim Klotz Over 12 years ago