I have an SSL certificate associated with a load balancer on Amazon Web Services. I would like to have an additional domain on that certificate. My questions are:

  1. Is it possible to add an additional domain to an EXISTING SSL certificate on AWS? I see that you can add additional names when you create one, but I don't see how to do it with an existing certificate.

  2. If no to 1, is it possible to associate 2 certs with the load balancer? Or do I need to create a new one that includes both domains and replace the cert with the new one?

Thank you for your advice.

Erich

4 Answers

It is not possible to do either of these things.

Certificates can never be modified -- that would invalidate them.

Balancers cannot attach more than one certificate to a given listener, and can't have more than one listener on a port.

Your solution is to create a new certificate with all of the needed domain names, and swap them out.

Michael - sqlbot
  • Apache HTTPD can have a different certificate per directory, let alone per virtual host. – user207421 Apr 03 '17 at 23:11
  • @EJP that's not relevant to aws-certificate-manager, as tagged on the original question. ACM does not give you access to the private keys to the certificates it issues. They can only be installed on ELB/ALB or CloudFront, not on instances. – Michael - sqlbot Apr 04 '17 at 17:06
  • Load Balancers can attach multiple certs to a listener. It uses a feature in TLS 1.2 to determine which cert to use. – carlin.scott Sep 24 '20 at 20:41
  • @carlin.scott you're absolutely correct. The ALB feature you describe [was announced](https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/) several months after this answer was written. I should probably revise this. – Michael - sqlbot Sep 24 '20 at 21:02
Actually (as of Feb 12, 2019) you can request another certificate and then add it to your load balancer. I just did this myself. I had one certificate with 5 domains and I didn't want to have to create another just for one more. So I created the new certificate for the one domain and then added it (look for a plus sign). Easy and it takes effect right away. Good luck.

CodeWriter
AWS ELB/ALB support up to 25 certificates now. You can request new ACM certificates or upload your own certificates and use them with your load balancers.

Hamza Chouaibi
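The two answers above and carlin.scott's comment describe attaching a second certificate to the listener (SNI) instead of re-issuing one that carries every name. The following is an added example, not code from the question or any answer, of what that path looks like against the ELBv2 and ACM APIs: it works out which of the wanted hostnames the certificates already on the listener cover, then attaches the new certificate with `add_listener_certificates` once it is ISSUED and covers the remaining names. The client objects are parameters; with boto3 they would be `boto3.client("elbv2")` and `boto3.client("acm")`. The ARNs, domain names and the two fake clients are constructed placeholders so the script runs offline.

```python
# Added example, not code from the question or answers: work out which
# hostnames the certificates on an ALB listener cover and attach an extra ACM
# certificate via SNI. Client objects are injected; with boto3 they would be
# boto3.client("elbv2") and boto3.client("acm"). The fakes at the bottom run
# the same logic offline against a constructed scenario.

MAX_LISTENER_CERTIFICATES = 25  # limit quoted in the answers above; quotas vary


def san_covers(hostname, san):
    """A wildcard stands in for exactly one leftmost label: *.example.com
    covers api.example.com but not example.com or a.b.example.com."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        h_labels, s_labels = hostname.split("."), san.split(".")
        return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]
    return hostname == san

def uncovered_domains(required, cert_names):
    """Hostnames in required that none of cert_names covers, sorted."""
    return sorted(h for h in required if not any(san_covers(h, n) for n in cert_names))

def names_on_certificate(acm, cert_arn):
    """(Status, DomainName plus SANs) from acm.describe_certificate."""
    cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
    return cert["Status"], [cert["DomainName"], *cert.get("SubjectAlternativeNames", [])]

def listener_certificate_arns(elbv2, listener_arn):
    """Every certificate ARN on the listener, default certificate included."""
    resp = elbv2.describe_listener_certificates(ListenerArn=listener_arn)
    return [c["CertificateArn"] for c in resp["Certificates"]]

def domains_not_served(elbv2, acm, listener_arn, hostnames):
    """Hostnames that no certificate currently on the listener covers."""
    names = []
    for arn in listener_certificate_arns(elbv2, listener_arn):
        names += names_on_certificate(acm, arn)[1]
    return uncovered_domains(hostnames, names)

def attach_certificate(elbv2, acm, listener_arn, cert_arn, hostnames):
    """Attach cert_arn as an additional (SNI) certificate once it is ISSUED and
    covers every hostname. False if already attached, True after the add call."""
    status, names = names_on_certificate(acm, cert_arn)
    if status != "ISSUED":
        raise ValueError(f"{cert_arn} is {status}, not ISSUED")
    missing = uncovered_domains(hostnames, names)
    if missing:
        raise ValueError(f"{cert_arn} does not cover {missing}")
    attached = listener_certificate_arns(elbv2, listener_arn)
    if cert_arn in attached:
        return False
    if len(attached) >= MAX_LISTENER_CERTIFICATES:
        raise RuntimeError("listener certificate limit reached; swap a cert instead")
    elbv2.add_listener_certificates(ListenerArn=listener_arn,
                                    Certificates=[{"CertificateArn": cert_arn}])
    return True


class FakeACM:
    """Offline stand-in for the ACM client: describe_certificate only."""
    def __init__(self, certs):
        self.certs = certs

    def describe_certificate(self, CertificateArn):
        return {"Certificate": self.certs[CertificateArn]}

class FakeELBv2:
    """Offline stand-in for the ELBv2 client: the two listener-certificate calls."""
    def __init__(self, attached):
        self.attached = list(attached)

    def describe_listener_certificates(self, ListenerArn):
        return {"Certificates": [{"CertificateArn": a} for a in self.attached]}

    def add_listener_certificates(self, ListenerArn, Certificates):
        self.attached += [c["CertificateArn"] for c in Certificates]
        return {"Certificates": [{"CertificateArn": a} for a in self.attached]}


# Constructed scenario, placeholder ARNs: a five-name certificate is on the
# listener and a second certificate for one new domain is added beside it.
OLD_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/OLD-PLACEHOLDER"
NEW_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/NEW-PLACEHOLDER"
LISTENER_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/PLACEHOLDER"

def demo():
    acm = FakeACM({
        OLD_ARN: {"DomainName": "example.com", "Status": "ISSUED",
                  "SubjectAlternativeNames": ["example.com", "www.example.com",
                                              "api.example.com", "shop.example.com",
                                              "mail.example.com"]},
        NEW_ARN: {"DomainName": "blog.example.net", "Status": "ISSUED",
                  "SubjectAlternativeNames": ["blog.example.net"]},
    })
    elbv2 = FakeELBv2([OLD_ARN])
    wanted = ["www.example.com", "blog.example.net"]
    before = domains_not_served(elbv2, acm, LISTENER_ARN, wanted)
    added = attach_certificate(elbv2, acm, LISTENER_ARN, NEW_ARN, ["blog.example.net"])
    after = domains_not_served(elbv2, acm, LISTENER_ARN, wanted)
    return {"missing_before": before, "added": added,
            "missing_after": after, "certs_on_listener": len(elbv2.attached)}
```

Swapping the default certificate, the route the first answer recommends, is done with `modify_listener(ListenerArn=..., Certificates=[{"CertificateArn": ...}])` instead of `add_listener_certificates`; the coverage check before it is the same. The wildcard rule in `san_covers` is the one TLS clients apply: a `*.example.com` name does not satisfy `example.com` itself, which is why the bare domain usually has to be listed explicitly on the replacement certificate.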
As a work-around, you can create a new certificate in AWS Cert Manager with all the same domains from an existing cert plus any new one needed. With DNS validation for both existing and new certs, all the existing domains successfully validate automatically on the new cert (unique DNS IDs kept for easy renewal). You just need to add the DNS validation records for any new domains, let it validate and then swap the cert (just tested with cert + CloudFront, haven't tested with an ELB).

kenny_k
Nick Nabb
  • Is this work-around reliable? What happens when the cert is expired? I can see that after doing this work-around the old certificate is no longer eligible for renewal, meaning you'd need to revalidate the certificate each year, right? – 123 Jul 25 '23 at 10:01
  • @123, Yes, it's reliable. As long as the ACM-issued cert is attached to an AWS ALB or CloudFront, the attached cert will be automatically renewed. The ones that are not attached to any ALB or CloudFront are shown as Ineligible in ACM. The moment you attach them they will become eligible. Except for the imported certificates, as that's a manual process. – Aurvoir Aug 03 '23 at 15:26
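To make the work-around and the renewal discussion above concrete, here is an added example (mine, not from the answer or the comments) that reads the ACM `describe_certificate` response for the old and the re-issued certificate: it lists the DNS validation CNAMEs still to be created (only the new domain, since the carried-over names already have their records in the zone), says when the new certificate is ready to swap in, and reports the `InUseBy` and `RenewalEligibility` fields that the renewal question in the comments turns on. The two response dicts are constructed in the API's shape with placeholder ARNs and validation tokens; a live run would obtain them from `acm.describe_certificate(CertificateArn=...)["Certificate"]`.

```python
# Added example, not code from the answer or comments: read ACM
# describe_certificate output while replacing a certificate with a re-issued
# one that carries the same domains plus a new one. The response dicts are
# constructed to follow the shape of acm.describe_certificate()["Certificate"];
# ARNs and validation tokens are placeholders.


def pending_dns_records(cert):
    """DNS validation CNAMEs still to be created, as (domain, record) pairs.
    Domains carried over from the old certificate already have their records
    in the zone and validate on their own, so only new domains appear here."""
    pending = []
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS" or opt.get("ValidationStatus") == "SUCCESS":
            continue
        rr = opt.get("ResourceRecord")  # absent until ACM has published it
        record = f'{rr["Name"]} {rr["Type"]} {rr["Value"]}' if rr else None
        pending.append((opt["DomainName"], record))
    return pending


def ready_to_swap(cert):
    """The replacement can go onto the load balancer or distribution once it
    is ISSUED and nothing is left pending."""
    return cert.get("Status") == "ISSUED" and not pending_dns_records(cert)


def renewal_status(cert):
    """The fields behind the renewal question in the comments: an ACM-issued
    certificate is renewed automatically only while something uses it."""
    in_use = list(cert.get("InUseBy", []))
    eligible = cert.get("RenewalEligibility") == "ELIGIBLE"
    if cert.get("Type") == "IMPORTED":
        note = "imported certificate: renewal is manual whether or not it is in use"
    elif in_use and eligible:
        note = "attached and eligible: ACM renews it automatically"
    elif not in_use:
        note = "not attached to anything: INELIGIBLE until it is attached again"
    else:
        note = "attached but ineligible: check its validation status"
    return {"in_use_by": in_use, "eligible": eligible, "note": note}


def _option(domain, status, token):
    """Constructed DomainValidationOptions entry with a placeholder token."""
    return {"DomainName": domain, "ValidationMethod": "DNS", "ValidationStatus": status,
            "ResourceRecord": {"Name": f"_{token}.{domain}.", "Type": "CNAME",
                               "Value": f"_{token}.acm-validations.aws."}}


# Constructed sample responses (placeholder values).
OLD_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/OLD-PLACEHOLDER",
    "DomainName": "example.com", "Type": "AMAZON_ISSUED", "Status": "ISSUED",
    "SubjectAlternativeNames": ["example.com", "www.example.com"],
    "InUseBy": [],  # detached after the swap
    "RenewalEligibility": "INELIGIBLE",
}

NEW_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/NEW-PLACEHOLDER",
    "DomainName": "example.com", "Type": "AMAZON_ISSUED", "Status": "PENDING_VALIDATION",
    "SubjectAlternativeNames": ["example.com", "www.example.com", "shop.example.com"],
    "DomainValidationOptions": [
        _option("example.com", "SUCCESS", "placeholder1"),      # record already in zone
        _option("www.example.com", "SUCCESS", "placeholder2"),  # record already in zone
        _option("shop.example.com", "PENDING_VALIDATION", "placeholder3"),  # new domain
    ],
    "InUseBy": [],
    "RenewalEligibility": "INELIGIBLE",
}


def demo():
    return {"to_create": pending_dns_records(NEW_CERT),
            "new_ready": ready_to_swap(NEW_CERT),
            "old_renewal": renewal_status(OLD_CERT)}
```

Once the pending CNAME from `demo()["to_create"]` is in the zone and the status flips to ISSUED, `ready_to_swap` returns True; after the swap the old certificate's `InUseBy` empties and ACM marks it INELIGIBLE, which is the behaviour Aurvoir describes rather than a defect in the work-around.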