AWS Security & Identity Services

AWS Certificate Manager

Updated June 23, 2025

Core Features & Benefits

  • Free Public Certificates: Public SSL/TLS certificates provisioned through ACM are free of charge. You only pay for the AWS resources that use them.

  • Automated Certificate Renewal: ACM automatically manages the renewal process for the certificates it issues, provided they are in use with an integrated service and validated via DNS. This is a major benefit that prevents accidental certificate expiration.

  • Seamless Integration: ACM is tightly integrated with other AWS services. The most common integrations are:

    • Elastic Load Balancing (ELB): Application Load Balancers and Classic Load Balancers

    • Amazon CloudFront

    • Amazon API Gateway

    • AWS Elastic Beanstalk

  • Centralized Management: You can manage all your SSL/TLS certificates for an AWS region from a single dashboard.


Types of Certificates in ACM

ACM supports three types of certificates, each serving a different purpose.

1. Public Certificates

These are standard, browser-trusted certificates used to secure public-facing websites and applications.

  • Validation: Before issuing a certificate, ACM must validate that you own or control the domains in the request. There are two methods:

    • DNS Validation (Recommended): You add a CNAME record provided by ACM to your DNS configuration. This method is required for ACM to manage certificate renewals automatically.

    • Email Validation: ACM sends validation emails to registered domain contacts. This requires manual action to approve the certificate request and for each subsequent renewal.

  • Validity: Public certificates issued by ACM are valid for 13 months (395 days).

2. Private Certificates

These certificates are used to secure communications for internal or private resources, such as between servers in a VPC, IoT devices, or on-premises resources.

  • Requirement: To issue private certificates, you must first create a private certificate authority (CA) using ACM Private CA, which is a separate but related service with its own pricing.

  • Trust: Private certificates are not trusted by public web browsers. You must configure your internal clients and applications to explicitly trust your private CA.

3. Imported Certificates

You can import SSL/TLS certificates that you obtained from a third-party Certificate Authority into ACM.

  • Use Case: This allows you to manage third-party certificates and use them with ACM-integrated services.

  • Important Limitation: ACM does not automatically renew imported certificates. You are responsible for monitoring their expiration and importing a new one before the old one expires.


Important Operational Concepts

Certificate Regionality

Where you provision your certificate is critical.

  • For Regional Services (ELB, API Gateway, etc.): You must request or import the certificate in the same AWS Region as the resource you want to associate it with.

  • For Global Services (Amazon CloudFront): To use an ACM certificate with a CloudFront distribution, the certificate must be requested or imported in the US East (N. Virginia) Region (us-east-1). This is a strict requirement, regardless of where your users or origin are located.
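The renewal rules above (imported certificates are never renewed, email validation needs a human at every renewal) and the regionality rule (CloudFront only accepts us-east-1 certificates) are easy to check programmatically. The following is an added example, not code from these notes or from AWS: the audit functions work on dicts shaped like boto3's acm.describe_certificate()["Certificate"], the 30-day warning threshold is an assumption, and the sample records are constructed.

```python
from datetime import datetime, timezone

EXPIRY_WARNING_DAYS = 30  # assumed threshold for this example, not an ACM setting


def audit_certificate(cert: dict, now: datetime) -> list[str]:
    """Findings for one record shaped like acm.describe_certificate()["Certificate"]."""
    findings = []
    cert_type = cert.get("Type")  # AMAZON_ISSUED, PRIVATE or IMPORTED
    not_after = cert.get("NotAfter")
    days_left = (not_after - now).days if not_after else None

    # ACM never renews imported certificates, so expiry has to be tracked by hand.
    if cert_type == "IMPORTED" and days_left is not None and days_left <= EXPIRY_WARNING_DAYS:
        findings.append(f"imported certificate expires in {days_left} days; import a replacement")

    # Email validation forces a manual approval at every renewal; DNS does not.
    methods = {d.get("ValidationMethod") for d in cert.get("DomainValidationOptions", [])}
    if cert_type == "AMAZON_ISSUED" and "EMAIL" in methods:
        findings.append("email-validated: each renewal needs manual approval; prefer DNS validation")

    # ACM reports whether it can carry out managed renewal for this certificate.
    if cert_type == "AMAZON_ISSUED" and cert.get("RenewalEligibility") == "INELIGIBLE":
        findings.append("not eligible for managed renewal; check the validation CNAME and usage")
    return findings


def required_certificate_region(resource_arn: str) -> str:
    """Region the ACM certificate must live in to be attached to resource_arn:
    CloudFront is global and only accepts certificates from us-east-1."""
    parts = resource_arn.split(":")  # arn:partition:service:region:account:resource
    return "us-east-1" if parts[2] == "cloudfront" else parts[3]


def fetch_certificates(region: str) -> list[dict]:
    """Pull live records with boto3 (assumed installed and credentialed); not run here."""
    import boto3
    acm = boto3.client("acm", region_name=region)
    pages = acm.get_paginator("list_certificates").paginate()
    arns = [c["CertificateArn"] for page in pages for c in page["CertificateSummaryList"]]
    return [acm.describe_certificate(CertificateArn=a)["Certificate"] for a in arns]


# Constructed sample records (not real certificates or accounts).
SAMPLE_NOW = datetime(2025, 6, 23, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"Type": "IMPORTED", "NotAfter": datetime(2025, 7, 10, tzinfo=timezone.utc)},
    {"Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "DomainValidationOptions": [{"DomainName": "example.com", "ValidationMethod": "EMAIL"}]},
]
```

Running audit_certificate over fetch_certificates(region) for each Region you use turns these notes into a scheduled check rather than something remembered at renewal time.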

Security and Private Keys

  • Private Key Protection: For public certificates that ACM generates, the private key is securely stored and managed by AWS. You cannot view, download, or export the private key. This is a key security property, because the private key never leaves the service and so cannot be copied or leaked from a server or an operator's workstation. The certificate can only be used by integrated AWS services.

  • Encryption at Rest: ACM uses AWS Key Management Service (KMS) to encrypt and protect the private keys associated with your certificates.


Pricing

  • Public Certificates: There is no additional charge for public certificates you provision with ACM.

  • Private Certificates: There is a monthly fee for the operation of each ACM Private CA and a tiered fee for each private certificate you issue.