AWS Elastic Load Balancer

Deploy certificates directly to your AWS Application Load Balancers (ALBs) and Network Load Balancers (NLBs). Certificates are imported into AWS Certificate Manager (ACM) and attached to your configured listeners automatically.

Certificate Syncs are configured per Application. First select which certificates to sync, then configure the ELB destination.

Prerequisites

An AWS Connection with the following permissions:
- ACM: acm:ListCertificates, acm:DescribeCertificate, acm:ImportCertificate, acm:DeleteCertificate, acm:ListTagsForCertificate
- ELB: elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:AddListenerCertificates, elasticloadbalancing:RemoveListenerCertificates, elasticloadbalancing:ModifyListener

If your AWS Connection uses the Assume Role method and is created within Certificate Manager, use your Organization ID as the External ID in your AWS IAM role trust policy. You can find the Organization ID in your organization settings. See the AWS Connection docs for more details.

Create an ELB Sync

Infisical UI
API

In your Application, go to the Certificate Syncs tab and click Create Sync.
Select the AWS Elastic Load Balancer option.
Configure the Destination:
- AWS Connection: The AWS Connection to authenticate with.
- AWS Region: The AWS region where your load balancer is located.
- Load Balancer: Select the Elastic Load Balancer to attach certificates to.
- Listeners: Select one or more HTTPS/TLS listeners.
Configure the Sync Options:
- Enable Removal of Expired/Revoked Certificates: Remove certificates from listeners and ACM when no longer active.
- Preserve ARN on Renewal: Keep the same ARN when renewing instead of creating a new certificate.
- Include Root CA: Include the Root CA certificate in the chain.
- Certificate Name Schema: Customize ACM tags using {{certificateId}} placeholder.
- Auto-Sync Enabled: Automatically sync certificates when changes occur.
Configure the Details:
- Name: The name of your sync (slug-friendly).
- Description: Optional description.
Select which certificates should be synced.
Review and click Create Sync.

To create an AWS Elastic Load Balancer Certificate Sync, make an API request to the Create AWS Elastic Load Balancer Certificate Sync API endpoint.

Sample request

You can optionally specify certificateIds during sync creation to immediately add certificates to the sync. If not provided, you can add certificates later using the certificate management endpoints.

Request

curl --request POST \
--url https://app.infisical.com/api/v1/cert-manager/syncs/aws-elastic-load-balancer \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
    "name": "my-elb-cert-sync",
    "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example ELB certificate sync",
    "connectionId": "550e8400-e29b-41d4-a716-446655440000",
    "destination": "aws-elastic-load-balancer",
    "isAutoSyncEnabled": true,
    "certificateIds": [
        "550e8400-e29b-41d4-a716-446655440000"
    ],
    "syncOptions": {
        "canRemoveCertificates": true,
        "preserveArn": true,
        "includeRootCa": false,
        "certificateNameSchema": "myapp-{{certificateId}}"
    },
    "destinationConfig": {
        "region": "us-east-1",
        "loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188",
        "listeners": [
            {
                "listenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-alb/50dc6c495c0c9188/f2f7dc8efc522ab2",
                "port": 443,
                "protocol": "HTTPS",
                "setAsDefault": true
            }
        ]
    }
}'

Sample response

Response

{
    "pkiSync": {
        "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "name": "my-elb-cert-sync",
        "description": "an example ELB certificate sync",
        "destination": "aws-elastic-load-balancer",
        "isAutoSyncEnabled": true,
        "destinationConfig": {
            "region": "us-east-1",
            "loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188",
            "listeners": [
                {
                    "listenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-alb/50dc6c495c0c9188/f2f7dc8efc522ab2",
                    "port": 443,
                    "protocol": "HTTPS",
                    "setAsDefault": true
                }
            ]
        },
        "syncOptions": {
            "canRemoveCertificates": true,
            "preserveArn": true,
            "includeRootCa": false,
            "certificateNameSchema": "myapp-{{certificateId}}"
        },
        "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "connectionId": "550e8400-e29b-41d4-a716-446655440000",
        "createdAt": "2023-01-01T00:00:00.000Z",
        "updatedAt": "2023-01-01T00:00:00.000Z"
    }
}

Certificate Management

Your AWS Elastic Load Balancer Certificate Sync will:

Automatic Deployment: Deploy certificates to ACM and attach them to your configured listeners.
Certificate Updates: Update certificates in ACM and on listeners when renewals occur.
Expiration Handling: Optionally remove expired certificates from listeners and ACM (if enabled).
Tagging: Automatically tag certificates in ACM with an InfisicalCertificate tag for easy identification and management.

Setting Default Certificates

You can set a certificate as the default for all configured listeners. The default certificate is used when a client connects without specifying a hostname via SNI (Server Name Indication).

Infisical UI
API

In the sync details page, click Set as Default next to the certificate you want to use as the default for all configured listeners.

To set a certificate as the default, make an API request to the Set Default Certificate endpoint:

Request

curl --request POST \
--url https://app.infisical.com/api/v1/cert-manager/syncs/aws-elastic-load-balancer/{pkiSyncId}/certificates/default \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
    "certificateId": "550e8400-e29b-41d4-a716-446655440000"
}'

To clear the default certificate:

Request

curl --request DELETE \
--url https://app.infisical.com/api/v1/cert-manager/syncs/aws-elastic-load-balancer/{pkiSyncId}/certificates/default \
--header 'Authorization: Bearer <access-token>'

Manual Certificate Sync

You can manually trigger certificate synchronization to AWS Elastic Load Balancer using the sync certificates functionality. This is useful for:

Initial setup when you have existing certificates to deploy
One-time sync of specific certificates
Testing certificate sync configurations
Force sync after making changes

To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.

AWS Elastic Load Balancer does not support importing certificates back into Infisical due to security limitations where private keys cannot be extracted from AWS Certificate Manager. Only certificates managed by Infisical can be synced to your load balancers.

What’s Next?

AWS Certificate Manager

Import certificates into ACM for other AWS services.

Auto-Renewal

Enable automatic certificate renewal and syncing.

Alerting

Get notified about certificate lifecycle events.

Other Sync Destinations

View all supported sync destinations.

​Prerequisites

​Create an ELB Sync

​Sample request

​Sample response

​Certificate Management

​Setting Default Certificates

​Manual Certificate Sync

​What’s Next?

AWS Certificate Manager

Auto-Renewal

Alerting

Other Sync Destinations

Prerequisites

Create an ELB Sync

Sample request

Sample response

Certificate Management

Setting Default Certificates

Manual Certificate Sync

What’s Next?