docs/documentation/platform/pki/applications/certificate-syncs/aws-elastic-load-balancer.mdx
Deploy certificates directly to your AWS Application Load Balancers (ALBs) and Network Load Balancers (NLBs). Certificates are imported into AWS Certificate Manager (ACM) and attached to your configured listeners automatically.
<Info>
Certificate Syncs are configured per Application. First select which certificates to sync, then configure the ELB destination.
</Info>

- `acm:ListCertificates`, `acm:DescribeCertificate`, `acm:ImportCertificate`, `acm:DeleteCertificate`, `acm:ListTagsForCertificate`
- `elasticloadbalancing:DescribeLoadBalancers`, `elasticloadbalancing:DescribeListeners`, `elasticloadbalancing:DescribeListenerCertificates`, `elasticloadbalancing:AddListenerCertificates`, `elasticloadbalancing:RemoveListenerCertificates`, `elasticloadbalancing:ModifyListener`

2. Select the **AWS Elastic Load Balancer** option.
3. Configure the **Destination**:
   - **AWS Connection**: The AWS Connection to authenticate with.
   - **AWS Region**: The AWS region where your load balancer is located.
   - **Load Balancer**: Select the Elastic Load Balancer to attach certificates to.
   - **Listeners**: Select one or more HTTPS/TLS listeners.
4. Configure the **Sync Options**:
   - **Enable Removal of Expired/Revoked Certificates**: Remove certificates from listeners and ACM when no longer active.
   - **Preserve ARN on Renewal**: Keep the same ARN when renewing instead of creating a new certificate.
   - **Include Root CA**: Include the Root CA certificate in the chain.
   - **Certificate Name Schema**: Customize ACM tags using the `{{certificateId}}` placeholder.
   - **Auto-Sync Enabled**: Automatically sync certificates when changes occur.
5. Configure the **Details**:
   - **Name**: The name of your sync (slug-friendly).
   - **Description**: Optional description.
6. Select which certificates should be synced.
7. Review and click **Create Sync**.
</Tab>
<Tab title="API">
To create an **AWS Elastic Load Balancer Certificate Sync**, make an API request to the [Create AWS Elastic Load Balancer Certificate Sync](/api-reference/endpoints/pki/syncs/aws-elastic-load-balancer/create) API endpoint.
### Sample request
<Note>
You can optionally specify `certificateIds` during sync creation to immediately add certificates to the sync.
If not provided, you can add certificates later using the certificate management endpoints.
</Note>
```bash Request
curl --request POST \
  --url https://app.infisical.com/api/v1/cert-manager/syncs/aws-elastic-load-balancer \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "my-elb-cert-sync",
    "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example ELB certificate sync",
    "connectionId": "550e8400-e29b-41d4-a716-446655440000",
    "destination": "aws-elastic-load-balancer",
    "isAutoSyncEnabled": true,
    "certificateIds": [
      "550e8400-e29b-41d4-a716-446655440000"
    ],
    "syncOptions": {
      "canRemoveCertificates": true,
      "preserveArn": true,
      "includeRootCa": false,
      "certificateNameSchema": "myapp-{{certificateId}}"
    },
    "destinationConfig": {
      "region": "us-east-1",
      "loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188",
      "listeners": [
        {
          "listenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-alb/50dc6c495c0c9188/f2f7dc8efc522ab2",
          "port": 443,
          "protocol": "HTTPS",
          "setAsDefault": true
        }
      ]
    }
  }'
```
### Sample response
```json Response
{
  "pkiSync": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-elb-cert-sync",
    "description": "an example ELB certificate sync",
    "destination": "aws-elastic-load-balancer",
    "isAutoSyncEnabled": true,
    "destinationConfig": {
      "region": "us-east-1",
      "loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188",
      "listeners": [
        {
          "listenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-alb/50dc6c495c0c9188/f2f7dc8efc522ab2",
          "port": 443,
          "protocol": "HTTPS",
          "setAsDefault": true
        }
      ]
    },
    "syncOptions": {
      "canRemoveCertificates": true,
      "preserveArn": true,
      "includeRootCa": false,
      "certificateNameSchema": "myapp-{{certificateId}}"
    },
    "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connectionId": "550e8400-e29b-41d4-a716-446655440000",
    "createdAt": "2023-01-01T00:00:00.000Z",
    "updatedAt": "2023-01-01T00:00:00.000Z"
  }
}
```
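A pre-flight check for the `destinationConfig` object before it is sent, as an added example that is not Infisical's own code: `validate_destination_config` is a hypothetical helper that confirms each listener ARN belongs to the selected load balancer, that `region` matches the ARN, and that the listener protocol is the TLS-terminating one for that load balancer type (HTTPS on an ALB, TLS on an NLB). It assumes the standard ELBv2 ARN layout and calls neither AWS nor Infisical.

```python
import re

# ELBv2 ARN layouts: loadbalancer/<app|net>/<name>/<lb-id>[/<listener-id>]
_PREFIX = r"^arn:aws[\w-]*:elasticloadbalancing:([a-z0-9-]+):(\d{12}):"
LB_RE = re.compile(_PREFIX + r"loadbalancer/(app|net)/([^/]+)/([0-9a-f]+)$")
LISTENER_RE = re.compile(
    _PREFIX + r"listener/(app|net)/([^/]+)/([0-9a-f]+)/([0-9a-f]+)$")
# ALBs terminate TLS on HTTPS listeners, NLBs on TLS listeners.
TLS_PROTOCOL = {"app": "HTTPS", "net": "TLS"}


def validate_destination_config(cfg):
    """Hypothetical helper: return the problems found in a destinationConfig."""
    lb = LB_RE.match(cfg.get("loadBalancerArn") or "")
    if not lb:
        return ["loadBalancerArn is not an ALB/NLB ARN"]
    problems = []
    if lb.group(1) != cfg.get("region"):
        problems.append("region does not match loadBalancerArn")
    listeners = cfg.get("listeners") or []
    if not listeners:
        problems.append("no listeners selected")
    expected = TLS_PROTOCOL[lb.group(3)]
    for i, item in enumerate(listeners):
        m = LISTENER_RE.match(item.get("listenerArn") or "")
        if not m:
            problems.append(f"listeners[{i}]: malformed listenerArn")
        elif m.groups()[:5] != lb.groups():
            # region, account, type, name and LB id must all match the LB ARN
            problems.append(f"listeners[{i}]: not on the selected load balancer")
        if item.get("protocol") != expected:
            problems.append(f"listeners[{i}]: protocol must be {expected}")
    return problems


# Constructed sample: the destinationConfig from the sample request on this page.
LB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
          "loadbalancer/app/my-alb/50dc6c495c0c9188")
SAMPLE = {
    "region": "us-east-1",
    "loadBalancerArn": LB_ARN,
    "listeners": [{
        "listenerArn": LB_ARN.replace(":loadbalancer/", ":listener/") + "/f2f7dc8efc522ab2",
        "port": 443, "protocol": "HTTPS", "setAsDefault": True,
    }],
}

if __name__ == "__main__":
    print(validate_destination_config(SAMPLE) or "destinationConfig looks consistent")
```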
</Tab>
Your AWS Elastic Load Balancer Certificate Sync will:
You can set a certificate as the default for all configured listeners. The default certificate is used when a client connects without specifying a hostname via SNI (Server Name Indication).
<Tabs>
<Tab title="Infisical UI">
In the sync details page, click **Set as Default** next to the certificate you want to use as the default for all configured listeners.
</Tab>
<Tab title="API">
To set a certificate as the default, make an API request to the Set Default Certificate endpoint:
```bash Request
curl --request POST \
  --url https://app.infisical.com/api/v1/cert-manager/syncs/aws-elastic-load-balancer/{pkiSyncId}/certificates/default \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "certificateId": "550e8400-e29b-41d4-a716-446655440000"
  }'
```
To clear the default certificate:
```bash Request
curl --request DELETE \
  --url https://app.infisical.com/api/v1/cert-manager/syncs/aws-elastic-load-balancer/{pkiSyncId}/certificates/default \
  --header 'Authorization: Bearer <access-token>'
```
</Tab>
</Tabs>
You can manually trigger certificate synchronization to AWS Elastic Load Balancer using the sync certificates functionality. This is useful for:
To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.
<Note>
AWS Elastic Load Balancer does not support importing certificates back into Infisical, because private keys cannot be extracted from AWS Certificate Manager. Only certificates managed by Infisical can be synced to your load balancers.
</Note>