Skip to main content

Amazon Certificate Manager

  • Products
  • Amazon Certificate Manager

Amazon Certificate Manager FAQs

Page topics

General

Open all

Amazon Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. Amazon Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With Amazon Certificate Manager, you can quickly request a certificate, deploy it on Amazon Web Services resources such as Elastic Load Balancers and APIs on API Gateway, and let Amazon Certificate Manager handle certificate renewals. You can also use these certificates to securely terminate traffic on any compute workload that requires a public certificate, including those running on EC2 instances, containers, and/or on-premises hosts. Public SSL/TLS certificates provisioned through Amazon Certificate Manager and used exclusively with ACM-integrated services, such as Elastic Load Balancing and Amazon API Gateway, are free. If you choose to issue exportable public certificates, you pay for certificate issuance, certificate renewal, and related API usage. You pay for the Amazon Web Services resources you create to run your application.

SSL/TLS certificates allow web browsers to identify and establish encrypted network connections to web sites using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are used within a cryptographic system known as a public key infrastructure (PKI). PKI provides a way for one party to establish the identity of another party using certificates if they both trust a third-party - known as a certificate authority. The concepts topic in the ACM User Guide provides additional background information and definitions.

When you request a public certificate through ACM, you can optionally designate the certificate to be exportable. Once the certificate is issued, you can select and export the certificate through the Amazon Web Services Management Console. You will be prompted for the passphrase which ACM will use to encrypt the private key. You can then download and save the certificate, private key, and certificate chain and deploy the certificate by following the instructions specific to your TLS application. You can automate these steps by writing code or scripts that employ the Amazon SDKs or command-line-interface (CLI).

ACM makes it easier to enable SSL/TLS for a website or application on the Amazon Web Services, hybrid, and multicloud environments. ACM eliminates many of the manual processes previously associated with using and managing SSL/TLS certificates. ACM can also help you avoid downtime due to misconfigured, revoked, or expired certificates by managing renewals. You get SSL/TLS protection and easy certificate management. Enabling SSL/TLS for Internet-facing sites can help improve the search rankings for your site and help you meet regulatory compliance requirements for encrypting data in transit.

When you use ACM to manage certificates, certificate private keys are securely protected and stored using strong encryption and key management best practices. ACM lets you use the Amazon Web Services Management Console, Amazon CLI, or Amazon Certificate Manager APIs to centrally manage all of the SSL/TLS ACM certificates in an Amazon Web Services China Region. ACM is integrated with other Amazon Web Services services, so you can request an SSL/TLS certificate and provision it with your Elastic Load Balancing load balancer from the Amazon Web Services Management Console, through Amazon CLI commands, or with API calls.

ACM enables you to manage the lifecycle of your public certificates. ACM’s capabilities depend on whether the certificate is public, how you obtain the certificate, and where you deploy it. See ACM Public Certificates to learn more about public certificates.

Public certificates - ACM manages the renewal and deployment of public certificates used with ACM-integrated services, including Elastic Load Balancing and Amazon API Gateway.

Exportable public certificates - ACM manages the renewal of exported public certificates that you may deploy with Amazon Web Services services and/or in your on-premises environments.

Imported certificates – If you want to use a third-party certificate with Elastic Load Balancing or Amazon API Gateway, you may import it into ACM using the Amazon Web Services  Management Console, Amazon CLI, or ACM APIs. ACM does not manage the renewal process for imported certificates. You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire. You can use the Amazon Web Services  Management Console to monitor the expiration dates of an imported certificates and import a new third-party certificate to replace an expiring one.

To get started with Amazon Certificate Manager, navigate to Certificate Manager in the Amazon Web Services  Management Console and use the wizard to request an SSL/TLS certificate, and then enter the name of your site. You can also request a certificate using the Amazon CLI or API. After the certificate is issued, you can use it with other Amazon Web Services  services that are integrated with ACM. For each integrated service, you simply select the SSL/TLS certificate you want from a drop-down list in the Amazon Web Services  Management Console. Alternatively, you can execute an Amazon CLI command or call an Amazon API to associate the certificate with your resource. The integrated service then deploys the certificate to the resource you selected. For more information about requesting and using certificates provided by Amazon Certificate Manager, visit Getting Started in the Amazon Certificate Manager User Guide.

You can use public ACM certificates with the following Amazon Web Services services:

Please visit the Amazon Web Services  China Region Table pages to see the current Region availability for Amazon Web Services services.

ACM certificates

Open all

ACM manages public and imported certificates. Refer to [Q: How can I manage certificates with ACM?] for details on ACM’s management capabilities for each type of certificate.

Yes. Each certificate must include at least one domain name, and you can add additional names to the certificate if you want to. For example, you can add the name “www.example.net” to a certificate for “www.example.com” if users can reach your site by either name. You must own or control all of the names included in your certificate request. 

A wildcard domain name matches any first level subdomain or hostname in a domain. A first-level subdomain is a single domain name label that does not contain a period (dot). For example, you can use the name *.example.com to protect www.example.com, images.example.com, and any other host name or first-level subdomain that ends with .example.com. Refer to the ACM user guide for more details.

Yes.

Certificates managed in ACM are intended to be used with SSL/TLS. 

No.

Not at this time.

Certificates issued through ACM are valid for 13 months. 

Certificates managed in ACM use RSA keys with a 2048-bit modulus and SHA-256. 

You can request ACM to revoke a public certificate by visiting the Amazon Web Services Support Center and creating a case. Exportable public certificates can be revoked using the revoke-certificate API.

You cannot copy ACM-managed certificates between regions at this time. 

If you use a certificate with Elastic Load Balancing for the same site (the same fully qualified domain name, or FQDN, or set of FQDNs) in a different Region, you must request a new certificate for each Region in which you plan to use it.

Yes.

You can optionally choose to issue exportable public certificates that you can use with integrated services and export for use with any workloads that require a TLS certificates. These workloads can be within Amazon Web Services, such as a server running on EC2, or can be outside Amazon Web Services, such as an on-premises server. See With which Amazon Web Services services can I use ACM certificates?

ACM does not allow Unicode encoded local language characters; however, ACM allows ASCII-encoded local language characters for domain names.

ACM allows only UTF-8 encoded ASCII, including labels containing “xn—”, commonly known as Punycode for domain names. ACM does not accept Unicode input (u-labels) for domain names.

ACM public certificates

Open all

Public certificates help customers identify resources on networks and secure communication between these resources. Public certificates identify resources on the internet.

ACM provides Domain Validated (DV) public certificates for use with websites and applications that terminate SSL/TLS. For more details about ACM certificates, see Certificate Characteristics.

ACM public certificates are trusted by most modern browsers, operating systems, and mobile devices. ACM-provided certificates have 99% browser and operating system ubiquity, including Windows XP SP3 and Java 6 and later.

Browsers that trust ACM certificates display a lock icon and do not issue certificate warnings when connected to sites that use ACM certificates over SSL/TLS, for example using HTTPS.

Public ACM certificates are verified by Amazon’s certificate authority (CA). Any browser, application, or OS that includes the Amazon Root CA 1, Starfield Services Root Certificate Authority - G2, or Starfield Class 2 Certification Authority trusts ACM certificates.

Not at this time.

They are described in the Amazon Trust Services Certificate Policies and Amazon Trust Services Certification Practices Statement documents. Refer to the Amazon Trust Services repository for the latest versions.

You notify Amazon Web Services by sending email to validation-questions[at]amazonaws.cn.

Provisioning ACM public certificates

Open all

You can use the Amazon Web Services Management Console, Amazon CLI, or ACM APIs/SDKs. To use the Amazon Web Services Management Console, navigate to the Certificate Manager, choose Request a certificate, select Request a public certificate, enter the domain name for your site, and follow the instructions on the screen to complete your request. You can add additional domain names to your request if users can reach your site by other names. Before ACM can issue a certificate, it validates that you own or control the domain names in your certificate request. You can choose DNS validation or email validation when requesting a certificate. With DNS validation, you write a record to the public DNS configuration for your domain to establish that you own or control the domain. After you use DNS validation once to establish control of your domain, you can obtain additional certificates and have ACM renew existing certificates for the domain as long as the record remains in place and the certificate remains in use. You do not have to validate control of the domain again. If you choose email validation instead of DNS validation, emails are sent to the domain owner requesting approval to issue the certificate. After validating that you own or control each domain name in your request, the certificate is issued and ready to be provisioned with other Amazon Web Services services, such as Elastic Load Balancing. Refer to the ACM Documentation for details.

You can optionally choose to issue exportable public certificates that you can use with integrated services and export for use with any workloads that require a TLS certificates. These workloads can be within Amazon Web Services, such as a server running on EC2, or can be outside Amazon Web Services, such as an on-premises server.

Certificates are used to establish the identity of your site and secure connections between browsers and applications and your site. To issue a publicly trusted certificate, Amazon must validate that the certificate requestor has control over the domain name in the certificate request.

Prior to issuing a certificate, ACM validates that you own or control the domain names in your certificate request. You can choose DNS validation or email validation when requesting a certificate. With DNS validation, you can validate domain ownership by adding a CNAME record to your DNS configuration. Refer to DNS validation for further details. If you do not have the ability to write records to the public DNS configuration for your domain, you can use email validation instead of DNS validation. With email validation, ACM sends emails to the registered domain owner, and the owner or an authorized representative can approve issuance for each domain name in the certificate request. Refer to Email validation for further details.

We recommend that you use DNS validation if you have the ability to change the DNS configuration for your domain. Customers who are unable to receive validation emails from ACM and those using a domain registrar that does not publish domain owner email contact information in WHOIS should use DNS validation. If you cannot modify your DNS configuration, you should use email validation.

No, but you can request a new, free certificate from ACM and choose DNS validation for the new one.

The time to issue a certificate after all of the domain names in a certificate request have been validated may be several hours or longer.

ACM attempts to validate ownership or control of each domain name in your certificate request, according to the validation method you chose, DNS or email, when making the request. The status of the certificate request is Pending validation while ACM attempts to validate that you own or control the domain. Refer to the DNS validation and Email validation sections below for more information about the validation process. After all of the domain names in the certificate request are validated, the time to issue certificates may be several hours or longer. When the certificate is issued, the status of the certificate request changes to Issued and you can start using it with other Amazon Web Services services that are integrated with ACM.

Yes. DNS Certificate Authority Authorization (CAA) records allow domain owners to specify which certificate authorities are authorized to issue certificates for their domain. When you request an ACM Certificate, Amazon Certificate Manager looks for a CAA record in the DNS zone configuration for your domain. If a CAA record is not present, then Amazon can issue a certificate for your domain. Most customers fall into this category.

If your DNS configuration contains a CAA record, that record must specify one of the following CAs before Amazon can issue a certificate for your domain: amazon.com, amazontrust.com, awstrust.com, or amazonaws.com. Refer to Configure a CAA Record or Troubleshooting CAA Problems in the Amazon Certificate Manager User Guide for more information.

Not at this time.

DNS validation (public certificates)

Open all

With DNS validation, you can validate your ownership of a domain by adding a CNAME record to your DNS configuration. DNS Validation makes it easy for you to establish that you own a domain when requesting SSL/TLS certificates from ACM.

DNS validation makes it easy to validate that you own or control a domain so that you can obtain an SSL/TLS certificate. With DNS validation, you simply write a CNAME record to your DNS configuration to establish control of your domain name. This makes it easy to establish control of your domain name with a few mouse clicks. Once the CNAME record is configured, ACM automatically renews certificates that are in use (associated with other Amazon Web Services resources) as long as the DNS validation record remains in place. Renewals are fully automatic and touchless.

Anyone who requests a certificate through ACM and has the ability to change the DNS configuration for the domain they are requesting should consider using DNS validation.

Yes. ACM continues to support email validation for customers who can’t change their DNS configuration.

You must add a CNAME record for the domain you want to validate. For example, to validate the name www.example.com, you add a CNAME record to the zone for example.com. The record you add contains a random token that ACM generates specifically for your domain and your Amazon Web Services account. You can obtain the two parts of the CNAME record (name and label) from ACM. For further instructions, refer to the ACM User Guide.

For more information about how to add or modify DNS records, check with your DNS provider.

No. You can use DNS validation with any DNS provider as long as the provider allows you to add a CNAME record to your DNS configuration.

One. You can obtain multiple certificates for the same domain name in the same Amazon Web Services account using one CNAME record. For example, if you make 2 certificate requests from the same Amazon Web Services account for the same domain name, you need only 1 DNS CNAME record.

No. Each domain name must have a unique CNAME record.

Yes.

DNS CNAME records have two components: a name and a label. The name component of an ACM-generated CNAME is constructed from an underscore character (_) followed by a token, which is a unique string that is tied to your Amazon Web Services account and your domain name. ACM prepends the underscore and token to your domain name to construct the name component. ACM constructs the label from an underscore character prepended to a different token which is also tied to your Amazon Web Services account and your domain name. ACM prepends the underscore and token to a DNS domain name used by Amazon Web Services for validations: acm-validations.aws. The following examples show the formatting of CNAMEs for www.example.com, subdomain.example.com, and *.example.com.

_TOKEN1.www.example.com         CNAME     _TOKEN2.acm-validations.aws
_TOKEN3.subdomain.example.com CNAME     _TOKEN4.acm-validations.aws
_TOKEN5.example.com                 CNAME      _TOKEN6.acm-validations.aws

Notice that ACM removes the wildcard label (*) when generating CNAME records for wildcard names. As a result, the CNAME record generated by ACM for a wildcard name (such as *.example.com) is the same record returned for the domain name without the wildcard label (example.com).

No. Each domain name, including host names and subdomain names, must be validated separately, each with a unique CNAME record.

Using a CNAME record allows ACM to renew certificates for as long as the CNAME record exists. The CNAME record directs to a TXT record in an Amazon Web Services domain (acm-validations.aws) that ACM can update as needed to validate or re-validate a domain name, without any action from you.

Yes. You can create one DNS CNAME record and use it to obtain certificates in the same Amazon Web Services account in any Amazon Web Services China Region where ACM is offered. Configure the CNAME record once and you can get certificates issued and renewed from ACM for that name without creating another record.

No. Each certificate can have only one validation method.

ACM automatically renews certificates that are in use (associated with other Amazon Web Services resources) as long as the DNS validation record remains in place.

Yes. Simply remove the CNAME record. ACM does not issue or renew certificates for your domain using DNS validation after you remove the CNAME record and the change is distributed through DNS. The propagation time to remove the record depends on your DNS provider.

ACM cannot issue or renew certificates for your domain using DNS validation if you remove the CNAME record.

Email validation (public certificates)

Open all

With email validation, an approval request email is sent to the registered domain owner for each domain name in the certificate request. The domain owner or an authorized representative (approver) can approve the certificate request by following the instructions in the email. The instructions direct the approver to navigate to the approval website and click the link in the email or paste the link from the email into a browser to navigate to the approval web site. The approver confirms the information associated with the certificate request, such as the domain name, certificate ID (ARN), and the Amazon Web Services account ID initiating the request, and approves the request if the information is accurate.

When you request a certificate using email validation, a WHOIS lookup for each domain name in the certificate request is used to retrieve contact information for the domain. Email is sent to the domain registrant, administrative contact, and technical contact listed for the domain. Email is also sent to five special email addresses, which are formed by prepending admin@, administrator@, hostmaster@, webmaster@ and postmaster@ to the domain name you’re requesting. For example, if you request a certificate for server.example.com, email is sent to the domain registrant, technical contact, and administrative contact using contact information returned by a WHOIS query for the example.com domain, plus admin@server.example.com, administrator@server.example.com, hostmaster@server.example.com, postmaster@server.example.com, and webmaster@server.example.com.

The five special email addresses are constructed differently for domain names that begin with "www" or wildcard names beginning with an asterisk (*). ACM removes the leading "www" or asterisk and email is sent to the administrative addresses formed by pre-pending admin@, administrator@, hostmaster@, postmaster@, and webmaster@ to the remaining portion of the domain name. For example, if you request a certificate for www.example.com, email is sent to the WHOIS contacts, as described previously, plus admin@example.com rather than admin@www.example.com. The remaining four special email addresses are similarly formed.

After you request a certificate, you can display the list of email addresses to which the email was sent for each domain using the ACM console, Amazon CLI, or APIs.

No, but you can configure the base domain name to which you want the validation email to be sent. The base domain name must be a superdomain of the domain name in the certificate request. For example, if you want to request a certificate for server.domain.example.com but want to direct the approval email to admin@domain.example.com, you can do so using the Amazon CLI or API. See ACM CLI Reference and ACM API Reference for further details.

Yes; however, email delivery may be delayed as a result of the proxy. Email sent through a proxy may end up in your spam folder. Refer to the ACM User Guide for troubleshooting suggestions.

No. Procedures and policies for validating the domain owner’s identity are very strict, and determined by the CA/Browser Forum which sets policy standards for publicly trusted certificate authorities. To learn more, please refer to the latest Amazon Trust Services Certification Practices Statement in the Amazon Trust Services Repository.

Refer to the ACM User Guide for troubleshooting suggestions.

Private key protection

Open all

A key pair is created for each certificate provided by ACM. Amazon Certificate Manager is designed to protect and manage the private keys used with SSL/TLS certificates. Strong encryption and key management best practices are used when protecting and storing private keys.

No. The private key of each ACM certificate is stored in the China Region in which you request the certificate. For example, when you obtain a new certificate in the Amazon Web Services China (Beijing) Region or Amazon Web Services China (Ningxia) Region, ACM stores the private key in that China Region.

Yes. Using Amazon CloudTrail you can review logs that tell you when the private key for the certificate was used.

Billing

Open all

Public and private certificates provisioned through Amazon Certificate Manager for use with ACM-integrated services, such as Elastic Load Balancing and Amazon API Gateway services are free. You pay for the Amazon Web Services resources you create to run your application.

Details

Open all

Yes.

Yes, See Managed Renewal and Deployment for details about how ACM handles renewals for public certificates that are not reachable from the Internet.

No. If you want your site to be referenced by both domain names (www.example.com and example.com), you must request a certificate that includes both names.

Yes. If you want to use a third-party certificate with Elastic Load Balancing or Amazon API Gateway, you may import it into ACM using the Amazon Web Services Management Console, Amazon CLI, or ACM APIs. ACM does not manage the renewal process for imported certificates. You can use the Amazon Web Services Management Console to monitor the expiration dates of an imported certificates and import a new third-party certificate to replace an expiring one.

Using ACM helps you comply with regulatory requirements by making it easy to facilitate secure connections., a common requirement across many compliance programs such as PCI, FedRAMP, and HIPAA. For specific information about compliance, please refer to https://www.amazonaws.cn/compliance/

ACM does not have an SLA.

No. If you would like to use a site seal, you can obtain one from a third-party vendor. We recommend choosing a vendor that evaluates and asserts the security of your site, or your business practices, or both.

No. Seals and badges of this type can be copied to sites that do not use the ACM service, and used inappropriately to establish trust under false pretenses. To protect our customers and the reputation of Amazon, we do not allow our logo to be used in this manner.

Logging

Open all

You can identify which users and accounts called Amazon APIs for services that support Amazon CloudTrail, the source IP address the calls were made from, and when the calls occurred. For example, you can identify which user made an API call to associate a certificate provided by ACM with an Elastic Load Balancer and when the Elastic Load Balancing service decrypted the key with a KMS API call.

Managed renewal and deployment

Open all

ACM managed renewal and deployment manages the process of renewing SSL/TLS ACM certificates and deploying certificates after they are renewed.

ACM can manage renewal and deployment of SSL/TLS certificates for you. ACM makes configuring and maintaining SSL/TLS for a secure web service or application more operationally sound than potentially error-prone manual processes. Managed renewal and deployment can help you avoid downtime due to expired certificates. ACM operates as a service that is integrated with other Amazon Web Services services. You can optionally choose to issue exportable public certificates that you can use with integrated Amazon Web Services services and export for use with any workloads that require a TLS certificates. This means you can centrally manage and deploy certificates on the Amazon Web Services platform by using the Amazon Web Services management console, Amazon CLI, or APIs.

Public Certificates

ACM can renew and deploy public ACM certificates without any additional validation from the domain owner. If a certificate cannot be renewed without additional validation, ACM manages the renewal process by validating domain ownership or control for each domain name in the certificate. After each domain name in the certificate has been validated, ACM renews the certificate and automatically deploys it with your Amazon Web Services resources. If ACM cannot validate domain ownership, we will let you (the Amazon Web Services account owner) know.If you chose DNS validation in your certificate request, ACM can renew your certificate indefinitely without any further action from you, as long as the certificate is in use (associated with other Amazon Web Services resources) and your CNAME record remains in place. If you selected email validation when requesting a certificate, you can improve ACM’s ability to automatically renew and deploy ACM certificates, by ensuring that the certificate is in use, that all domain names included in the certificate can be resolved to your site, and that all domain names are reachable from the internet.

ACM begins the renewal process up to 60 days prior to the certificate’s expiration date. The validity period for ACM certificates is currently 13 months. Refer to the ACM User Guide for more information about managed renewal.

No. ACM may renew or rekey the certificate and replace the old one without prior notice.

If you chose DNS validation in your certificate request for a public certificate, then ACM can renew your certificate without any further action from you, as long as the certificate is in use (associated with other Amazon Web Services resources) and your CNAME record remains in place.

If you selected email validation when requesting a public certificate with a bare domain, ensure that a DNS lookup of the bare domain resolves to the Amazon Web Services resource that is associated with the certificate. Resolving the bare domain to an Amazon Web Services resource may be challenging unless you use DNS provider that supports alias resource records (or their equivalent) for mapping bare domains to Amazon Web Services resources.

No, connections established after the new certificate is deployed use the new certificate, and existing connections are not affected.