You can only change the name and path of a server certificate uploaded to IAM. You can’t update the certificate itself, it’s private key or certificate chain. So it makes sense to include a date in the name itself. I use the expiration date so it’s easy to tell which certificates need to be renewed and which certificates can be safely deleted.

Another command line I seldom remember:

aws iam upload-server-certificate \
  --server-certificate-name 20161216_blog_chendry_org \
  --certificate-body file://blog_chendry_org.crt \
  --private-key file://server.key \
  --certificate-chain file:// \
  --path /cloudfront/