diff --git a/pkg/cloudprovider/providers/aws/aws.go b/pkg/cloudprovider/providers/aws/aws.go
index 4bee1105cd4..1ecf9a7e74c 100644
--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
@@ -2133,12 +2133,12 @@ func buildListener(port api.ServicePort, annotations map[string]string) (*elb.Li
 if certID != "" {
 instanceProtocol = annotations[ServiceAnnotationLoadBalancerBEProtocol]
 if instanceProtocol == "" {
- protocol = "https"
- instanceProtocol = "http"
+ protocol = "ssl"
+ instanceProtocol = "tcp"
 } else {
 protocol = backendProtocolMapping[instanceProtocol]
 if protocol == "" {
- return nil, fmt.Errorf("Invalid backend protocol %s in %s", instanceProtocol, certID)
+ return nil, fmt.Errorf("Invalid backend protocol %s for %s in %s", instanceProtocol, certID, ServiceAnnotationLoadBalancerBEProtocol)
 }
 }
 listener.SSLCertificateId = &certID
diff --git a/pkg/cloudprovider/providers/aws/aws_test.go b/pkg/cloudprovider/providers/aws/aws_test.go
index aaddcf65754..9e8df8103eb 100644
--- a/pkg/cloudprovider/providers/aws/aws_test.go
+++ b/pkg/cloudprovider/providers/aws/aws_test.go
@@ -1216,9 +1216,14 @@ func TestBuildListener(t *testing.T) {
 }{
 {
 "No cert or BE protocol annotation, passthrough",
- 80, 8000, "", "",
+ 80, 7999, "", "",
 false, "tcp", "tcp", "",
 },
+ {
+ "Cert annotation without BE protocol specified, SSL->TCP",
+ 80, 8000, "", "cert",
+ false, "ssl", "tcp", "cert",
+ },
 {
 "BE protocol without cert annotation, passthrough",
 443, 8001, "https", "",
@@ -1265,7 +1270,7 @@ func TestBuildListener(t *testing.T) {
 if test.certAnnotation != "" {
 annotations[ServiceAnnotationLoadBalancerCertificate] = test.certAnnotation
 }
- l, err := getListener(api.ServicePort{
+ l, err := buildListener(api.ServicePort{
 NodePort: int32(test.instancePort),
 Port: int32(test.lbPort),
 Protocol: api.Protocol("tcp"),
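Review bot: The new default in the `instanceProtocol == ""` branch of buildListener (aws.go) deserves a comment, because a Service that sets only the certificate annotation now gets an `ssl` listener forwarding plain `tcp` to the instance where it previously got `https`/`http`. The instance leg is unencrypted under either default, and the move from an HTTP to a TCP listener presumably drops whatever backends derived from layer-7 handling at the load balancer (forwarded-for or forwarded-proto headers, for instance), so existing Services change behaviour on upgrade without any annotation change. I would add above the assignment `// No backend-protocol annotation: terminate TLS at the ELB and forward plain TCP; set the annotation to encrypt the instance leg or to keep an HTTP(S) listener.` and call the change out in the release notes. buildListener starts and ends outside this hunk, so how `protocol` and `instanceProtocol` are consumed afterwards is not visible here.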