Replace SSL Certificate on AWS ELB Live Site in 8 Steps with Zero Downtime

I have used these steps for creating, ordering, and installing SSL certificates onto an AWS Elastic Load Balancer instance.
Bookmark the following link so you can get the latest tools from AWS in case the direct links below grow stale:

  1. Generate CSR using a 2048 bit (minimum) key put link to Blog here that describes steps.
    **** NOTE: Use the instructions at the following link to create an environment using OpenSSL
    at the following link ( )
    … so that you will have your key already in .pem format that is expected
    by the Amazon ELB toolkit that is used to upload the key and ssl certs via the command line.
  2. Submit CSR to 3rd party SSL certificate vendor.
  3. Download the X.509 version of both the server certificate (common name being protected) and the
    “Intermediate Roots” bundle.
    *** NOTE:  If at the time of upload you get the following error:

    400 MalformedCertificate Invalid Public Key Certificate.

    … a trick to fix this rather ambiguous error is to swap the order of Root CA cert bodies
    contained within the Root and Intermediate Root CA bundle file.

  4. Set up your IAM and ELB Toolkit environment
    Download the IAM toolkit here:
    Follow these instructions to set up the IAM toolkit environment:
    **** NOTE: Here is the AWS documentation on how to set up an IAM environment that allows an admin to delegate fine grained controls via IAM:
    **** DISCLAIMER:  I did not delve too much into the instrux at the above link since I was under a tight deadline and had already obtained credentials with enough power to carry out the task at hand.

    ( I used an ubuntu VM because I was having issues
    with time sychronization between clocks on the instances at AWS and the clock on the machine I was using
    as my IAM and ELB toolkit machine (the ubuntu VM).  The error message I was getting as I was attempting to upload
    the SSL certificate via the ELB command line tool stated the following:

    “400 RequestExpired Request timestamp is too skewed.”

    And since I could not successfully force the clock to match the UTC sync time on the destination server at Amazon (GMT-0) using the VM that I originally started to use at HMH wdcdvlw01 – a HyperV VM running CentOS – I was able to modify the clock sync to match on Ubuntu with one simple command as such:

    sudo dpkg -reconfigure tzdata

    … and then selecting GMT-0 as the locale. )

  5. Download the ELB toolkit from here:
    *** NOTE, if the above link is not available, please go to the bookmark suggestion for AWS Tools at the top of this page.

    Set up your environment variables for the AWS ELB Tools (and the IAM tools) to look similar to the env variables I had specified in my .bashrc file:
    export PATH
    export JAVA_HOME=/usr
    export LD_LIBRARY_PATH
    export AWS_IAM_HOME=<PATH>/IAMCli-1.2.0
    export PATH=$AWS_IAM_HOME/bin:$PATH
    export AWS_ELB_HOME=<PATH>/ElasticLoadBalancing-
    export AWS_CREDENTIAL_FILE=<PATH>/account-key

  6. I had put each set of tools at the following base path (yours can be anywhere you want):
    Here are some links that describe how to set up the ELB environment if you want some official external references for this topic:
  7. Download your server cert, and its accompanying Root and Intermediate Root CAs from your SSL cert vendor.
    Follow steps 4 and 5 on the following link containing instructions for unencrypting the key file and removing the passphrase.  I did attempt to upload an encrypted key and the error asked
    explicitly that I upload an unencrypted key instead.

    OK, now that you have your certs ready and environment variables all set for both toolkits needed for this excercise (IAM and ELB), then the following tasks are what I used as a guide for what I had to do for getting the LB listening on port 443 and for uploading the SSL cert and its key and CA roots.

  8.  Upload SSL Cert, key, and Roots CA bundle
    In a nutshell, here is the command I had to run to do this step:

    user@ubuntu:~$ iam-servercertupload -b new-ssl.cer -c ssl-revoked.cer -k  ssl.key -p <PATH>  -s <ELB-Domain-Name>  –aws-credential-file account-key -v

    And the following two lines are the output from the above command:
    arn:aws:iam::ACCOUNT:server-certificate/<PATH>/<ELB-Domain-Name> ACCOUNT-STRING-ID

    Add a listener for port 443 onto the existing LB that only has a listener for port 80:
    baltieri@ubuntu:~$ elb-create-lb-listeners ELB-Name –listener “lb-port=443, instance-port=80, protocol=https, cert-id=arn:aws:iam::ACCOUNT:server-certificate/<PATH>/ELB-Domain-Name”

    And below is the expected output
    OK-Creating LoadBalancer Listener

    Here is the link that I used to formulate the above command:
    When you look at the page at the above link, you will notice a section that looks like the following:

    –listener “lb-port=80,instance-port=80,protocol=http”
    –listener “lb-port=443,instance-port=80,protocol=https,cert-id=YOUR_ARN_VALUE”

    Since I had an LB already listening on port 80, I omitted the first –listener switch provided in the above example and thus used simply:
    –listener “lb-port=443,instance-port=80,protocol=https,cert-id=YOUR_ARN_VALUE”

    **** NOTE1:  The command is supposed to be all on one line.  Its broken down to multiple lines for legibility.
    **** NOTE2:  The ARN_VALUE in this case was the entire string as follows from output in step 8a. above:

Can you name all 50 states in under 5 minutes?


In 4m 53s


Click here to Play

My Rescue Time Chart for 2013

What makes Android so special?

Now that Apple’s misstep with maps in iOS 6 obviates Google Maps as best in its class, what has Google done on Android / mobile with its dominance of local search?

Other than this fact, what makes Android any better / more exciting than iPhone?

Oracle is now my friend

Thank you Oracle (Roger and Justin Kestelyn) for getting back to me on my complaint regarding an issue I describe as “not being able to unpack the self extracting binary JDKs from the Oracle download link” below:

Here is the error after downloading this self extracting binary file named “

For inquiries please contact: Sun Microsystems, Inc., 4150
Network Circle, Santa  Clara, California 95054, U.S.A.

Do you agree to the above license terms? [yes or no]
The download file appears to be corrupted.  Please refer
to the Troubleshooting section of the Installation
Instructions on the download page for more information.
Please do not attempt to install this archive file.

UPDATE:  A UNIX Engineer at my company has solved the problem for me, though I still cannot unpack using his instrux yet in case I need to do this again in the future.  Once I get the exact instrux he applied, I will add them here.

More updates to follow …

Thanks, – Ben