
AWS CLI Certificate Rotation: A Step-by-Step Guide to Avoid Downtime



Your SSL certificate expires in 36 hours. Your pager won’t stop. The AWS CLI is open. Now what?

Rotating certificates in AWS can be routine—or it can be chaos. The difference is whether you’ve set up a clean, repeatable process using the AWS Command Line Interface. Done right, AWS CLI certificate rotation is fast, reliable, and completely scriptable. You never leave it to chance.

Why AWS CLI for Certificate Rotation

The AWS Management Console works fine for one-off changes, but at scale it’s too slow, too manual, and too prone to human error. The AWS CLI gives you speed, automation, and the ability to enforce consistency across environments. It keeps certificate rotation predictable, even when the pressure is high.


Core Steps for Rotating Certificates With AWS CLI

  1. Identify the certificate to rotate
    Use aws acm list-certificates to find the ARN of the certificate. Narrow the list with --certificate-statuses (for example ISSUED) and a --query JMESPath filter on DomainName. Keep in mind that ACM renews the certificates it issues on its own; a rotation against a hard deadline is normally only needed for certificates you imported, which ACM never renews.
  2. Request or import a new certificate
  • For ACM-managed certs: aws acm request-certificate with the correct domain and validation method.
  • For your own certs: aws acm import-certificate with the private key, certificate, and chain, passed as fileb:// paths. If you add --certificate-arn with the ARN of the expiring certificate, ACM reimports over it and every resource that references that ARN picks up the new certificate without being reattached; omit it to get a fresh ARN and follow the remaining steps. Keep the private key file readable only by the user running the CLI and remove it once the import succeeds.
  3. Validate the new certificate
    If DNS validation is required, read the CNAME name and value from DomainValidationOptions in the aws acm describe-certificate output and create the record immediately. Poll aws acm describe-certificate (or run aws acm wait certificate-validated) until the status is ISSUED. Imported certificates are ISSUED as soon as the import returns.
  4. Attach the new certificate
    Update the load balancer, CloudFront distribution, or API Gateway with aws elbv2 modify-listener or the corresponding service command, then read the configuration back (for example with aws elbv2 describe-listener-certificates) to confirm the new ARN is the one actually serving traffic.
  5. Remove the old certificate
    Once traffic is confirmed and stable, run aws acm delete-certificate to clear unused resources. ACM refuses to delete a certificate that is still associated with a resource (ResourceInUseException); the InUseBy field of aws acm describe-certificate lists the resources that still reference it, which is how you find the one you forgot to update.
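The five steps above wired into one script, added here as an example; it is not hoop.dev's code and is not part of the original post. It assumes AWS CLI v2 with credentials and region already configured, an ALB or NLB HTTPS listener whose ARN you pass in, and the new certificate, key and chain stored as new.crt, new.key and chain.pem in a directory you pass in (the file names, the function names and the POLL_SECONDS/MAX_POLLS knobs are all assumptions). It takes the fresh-ARN import path rather than reimporting over the old ARN, so the attach, verify and delete steps are all exercised.

```shell
#!/bin/sh
# Added example (not hoop.dev's code): rotate an imported certificate on an ALB/NLB listener.
# Assumes AWS CLI v2 with credentials and region configured, and new.crt, new.key, chain.pem
# in the directory passed as the third argument. Every step is a function so a scheduled job
# can run the whole thing or an operator can run a single piece by hand.
set -eu

POLL_SECONDS="${POLL_SECONDS:-10}"   # wait between describe-certificate polls (assumed knob)
MAX_POLLS="${MAX_POLLS:-60}"         # give up after this many polls (assumed knob)

# Step 1: ARN of the currently ISSUED certificate for the domain; "None" when there is none.
find_cert_arn() {
  local domain="$1"
  aws acm list-certificates --certificate-statuses ISSUED \
    --query "CertificateSummaryList[?DomainName=='${domain}'].CertificateArn | [0]" \
    --output text
}

# Step 2: import certificate, key and chain from a directory; prints the new ARN.
# The files are checked up front so a typo fails before anything touches ACM.
import_cert() {
  local dir="$1" f
  for f in new.crt new.key chain.pem; do
    [ -r "$dir/$f" ] || { echo "missing or unreadable $dir/$f" >&2; return 1; }
  done
  aws acm import-certificate \
    --certificate "fileb://$dir/new.crt" \
    --private-key "fileb://$dir/new.key" \
    --certificate-chain "fileb://$dir/chain.pem" \
    --query CertificateArn --output text
}

# Step 3: poll until the certificate is ISSUED. Imported certificates are ISSUED at once, so
# this loop mostly matters for request-certificate with DNS validation; it fails fast on
# terminal states instead of sleeping through them.
wait_for_issued() {
  local arn="$1" i=0 status
  while [ "$i" -lt "$MAX_POLLS" ]; do
    status=$(aws acm describe-certificate --certificate-arn "$arn" \
      --query Certificate.Status --output text) || return 1
    case "$status" in
      ISSUED) return 0 ;;
      FAILED|VALIDATION_TIMED_OUT|REVOKED) echo "certificate $arn is $status" >&2; return 1 ;;
    esac
    i=$((i + 1)); sleep "$POLL_SECONDS"
  done
  echo "timed out waiting for $arn to become ISSUED" >&2; return 1
}

# Step 4: make the new ARN the listener's default certificate, then read back which ARN is
# really serving rather than trusting the modify call's exit code.
attach_cert() {
  local listener="$1" new_arn="$2"
  aws elbv2 modify-listener --listener-arn "$listener" \
    --certificates "CertificateArn=$new_arn" --output text >/dev/null || return 1
  aws elbv2 describe-listener-certificates --listener-arn "$listener" \
    --query 'Certificates[?IsDefault==`true`].CertificateArn | [0]' --output text
}

# Step 5: delete the old certificate only if nothing references it any more. ACM would refuse
# anyway (ResourceInUseException); checking InUseBy first names the resource that was missed.
delete_if_unused() {
  local arn="$1" users
  users=$(aws acm describe-certificate --certificate-arn "$arn" \
    --query 'Certificate.InUseBy' --output text) || return 1
  if [ -n "$users" ] && [ "$users" != "None" ]; then
    echo "not deleting $arn, still used by: $users" >&2
    return 1
  fi
  aws acm delete-certificate --certificate-arn "$arn"
}

# Full rotation: prints the new ARN on success; non-zero exit if any check fails, in which
# case the old certificate is left in place.
rotate() {
  local domain="$1" listener="$2" dir="$3" old_arn new_arn serving
  old_arn=$(find_cert_arn "$domain") || return 1
  new_arn=$(import_cert "$dir") || return 1
  wait_for_issued "$new_arn" || return 1
  serving=$(attach_cert "$listener" "$new_arn") || return 1
  if [ "$serving" != "$new_arn" ]; then
    echo "listener still serves $serving, not $new_arn; old certificate kept" >&2
    return 1
  fi
  if [ -n "$old_arn" ] && [ "$old_arn" != "None" ] && [ "$old_arn" != "$new_arn" ]; then
    delete_if_unused "$old_arn" || echo "old certificate $old_arn retained" >&2
  fi
  echo "$new_arn"
}

# usage: rotate.sh <domain> <listener-arn> <cert-dir>
if [ "$#" -eq 3 ]; then
  rotate "$@"
fi
```

Every aws call is followed by a check on what AWS reports back, not just on the exit code: the listener is read back after modify-listener, and the old certificate is only deleted after InUseBy confirms nothing else still references it. A failed check leaves the old certificate attached, which is the outcome you want at hour 35 of a 36-hour window.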

Best Practices

  • Automate the rotation using scripts and scheduled jobs so you never miss an expiration date.
  • Store ARNs, domains, and services using a config file for quick updates to multiple environments.
  • Monitor expiry through the DaysToExpiry metric that ACM publishes to CloudWatch (namespace AWS/CertificateManager) or the ACM Certificate Approaching Expiration event in EventBridge, so the warning arrives weeks out rather than 36 hours out.
  • Use tagging to identify certificates by team, service, or environment.

Common Pitfalls and How to Avoid Them

  • Delay in DNS validation: Create the validation CNAME that describe-certificate reports as soon as the request is made. Propagation can take time, and the certificate stays PENDING_VALIDATION until ACM can resolve it.
  • Missing service updates: Reattach the new certificate to every dependent resource before deleting the old one. Check InUseBy in aws acm describe-certificate on the old certificate; if it is not empty, something still references it, and ACM will refuse the delete with ResourceInUseException.
  • Overlapping changes during deployments: Coordinate with release schedules so a listener or distribution is not being modified by two processes at once, which is how a rotation ends up silently reverted.

When certificate rotation becomes part of your continuous delivery mindset, you eliminate last-minute emergencies. AWS CLI makes it possible to own the process instead of reacting to it.

If you want to see a smooth, automated certificate rotation process from start to finish without building it all yourself, check out hoop.dev. You can see it live in minutes.
