AWS ACM – Certificate Manager & SSL/TLS

AWS Certificate Manager – ACM

  • AWS Certificate Manager (ACM) helps easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and internal connected resources.
  • ACM removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.
  • ACM can help quickly request a certificate, deploy it on ACM-integrated AWS resources, such as ELB, CloudFront distributions, APIs on API Gateway, and AWS App Runner, and handle certificate renewals.
  • ACM supports importing third-party certificates into the ACM management system.
  • ACM also supports the creation of private certificates for the internal resources and manages the certificate lifecycle centrally via AWS Private Certificate Authority (AWS Private CA), previously known as ACM Private CA.
  • ACM certificates are regional resources.
  • Public ACM certificates are now valid for 198 days (reduced from 395 days in Feb 2026) to comply with the CA/Browser Forum mandate.
  • ACM automatically renews managed certificates before expiry — no customer intervention is required.
  • ACM supports Certificate Transparency (CT) logging for public certificates, which helps detect misissued certificates.

AWS Certificate Manager

ACM Certificate Validity

  • As of February 2026, all new and renewed public ACM certificates have a default validity of 198 days (previously 395 days/13 months).
  • This change complies with the CA/Browser Forum mandate requiring certificates to be no longer than 200 days starting March 15, 2026.
  • Existing certificates with 395-day validity continue to be valid until they renew or expire.
  • ACM continues to auto-renew certificates before expiry — renewal is attempted 45 days before expiration.
  • The CA/Browser Forum has approved further reductions: 47-day certificate lifetimes will phase in by March 2029.
  • Exportable public certificates retain a 395-day validity period.

ACM Domain Validation Methods

  • DNS Validation — ACM uses CNAME records to validate domain ownership. Supports automatic renewal and is recommended for domains hosted in Route 53.
  • Email Validation — ACM sends validation emails to registered domain contacts. Requires manual action for each renewal.
  • HTTP Validation (Apr 2025) — Available for certificates used with CloudFront. Uses HTTP redirects to prove domain ownership and supports automatic renewal similar to DNS validation. Does not support wildcard certificates.

ACM Exportable Public Certificates

  • Launched in June 2025, ACM now supports exportable public SSL/TLS certificates that can be used on any workload — including EC2 instances, containers, on-premises hosts, and non-AWS environments.
  • You can export the certificate along with its private key for deployment anywhere.
  • Exportable public certificates are valid for 395 days.
  • ACM automatically renews exportable certificates 45 days before expiration.
  • Pricing: $15 per fully qualified domain name (FQDN), $149 per wildcard name.
  • Certificates created prior to June 17, 2025 cannot be exported.
  • This eliminates the previous limitation that ACM certificates could only be used with integrated AWS services.

AWS Workload Credentials Provider

  • Launched in June 2026, AWS Workload Credentials Provider is a lightweight client-side tool that automates the deployment of exported ACM certificates.
  • It periodically retrieves certificates and their private keys, writes them to configured paths, and optionally runs a command to reload dependent services (e.g., web servers).
  • Works across both AWS and non-AWS workloads.
  • Also supports local caching of secrets from AWS Secrets Manager.
  • Eliminates the need for manual certificate deployment after ACM renewal.

ACM Integrated Services

  • Elastic Load Balancing (ELB) — Deploy ACM certificates on Application, Network, and Classic Load Balancers.
  • Amazon CloudFront — Deploy ACM certificates on CloudFront distributions. Certificate must be requested/imported in US East (N. Virginia) region.
  • Amazon API Gateway — Use ACM certificates for custom domain names.
  • Amazon Elastic Kubernetes Service (EKS) — Use ACM with AWS Controllers for Kubernetes (ACK) to issue and export TLS certificates to Kubernetes workloads (Dec 2025).
  • Amazon Cognito — Use ACM certificates for custom domains.
  • AWS Elastic Beanstalk — Deploy ACM certificates on Elastic Beanstalk environments.
  • AWS Nitro Enclaves — Public ACM certificates can be installed on EC2 instances connected to Nitro Enclaves.
  • AWS CloudFormation — ACM certificates can be provisioned as CloudFormation template resources.
  • AWS Amplify — When connecting a custom domain, Amplify issues an ACM certificate automatically.
  • Amazon OpenSearch Service — Use ACM certificates with custom domain endpoints.
  • AWS Network Firewall — ACM certificates for TLS inspection (decryption and re-encryption).
  • AWS App Runner — Use ACM certificates for custom domains.

ACM Post-Quantum TLS Support

  • As of April 2025, ACM endpoints support ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) for hybrid post-quantum key agreement.
  • This protects against “harvest now, decrypt later” attacks where encrypted traffic is stored for future decryption by quantum computers.
  • Hybrid post-quantum TLS combines ML-KEM with traditional key exchange methods for defense-in-depth.
  • AWS plans to deploy ML-KEM support to all AWS services with HTTPS endpoints over time.

ACM Certificate Authority Changes

  • Starting August 2024, public certificates issued from ACM terminate at the Starfield Services G2 root (previously cross-signed with Starfield Class 2).
  • This change aligns with AWS’s move to its own certificate authority infrastructure.
  • As of June 11, 2025, ACM no longer issues certificates with the “TLS Web Client Authentication” (clientAuth) Extended Key Usage (EKU) to align with Chrome Root Program requirements.
  • Customers using ACM certificates for mutual TLS (mTLS) client authentication should use AWS Private CA certificates instead.

ACM Limitations

  • Does not provide certificates for anything other than the SSL/TLS protocols.
  • Cannot use certificates for email encryption.
  • Cannot request certificates for Amazon-owned domain names such as those ending in amazonaws.com, cloudfront.net, or elasticbeanstalk.com.
  • Cannot download the private key for a non-exportable ACM certificate (certificates created before June 17, 2025).
  • Cannot directly install non-exportable certificates on EC2 instances (unless connected to Nitro Enclaves or using exportable certificates).
  • ACM certificates are regional resources — you cannot copy a certificate between regions. To use a certificate with ELB for the same FQDN in more than one region, you must request or import a certificate for each region.
  • With CloudFront, you must request or import the certificate in the US East (N. Virginia) region.
  • ACM no longer issues certificates with clientAuth EKU — use AWS Private CA for mTLS client certificates.
  • HTTP validation does not support wildcard certificates.

AWS Private Certificate Authority (AWS Private CA)

  • AWS Private CA (previously ACM Private Certificate Authority) is a managed private CA service for creating and maintaining internal PKI.
  • Enables issuance of private certificates for internal resources without the overhead of managing your own CA.
  • Secured with AWS-managed hardware security modules (HSMs).
  • Supports short-lived certificates, certificate revocation lists (CRLs), and OCSP.
  • Integrated with ACM for certificate lifecycle management.
  • Use AWS Private CA for mTLS client authentication, IoT device certificates, and internal service mesh communication.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company hosts an online shopping portal in the AWS Cloud. The portal provides HTTPS security by using a TLS certificate on an ELB. Recently, the portal suffered an outage because the TLS certificate expired. A SysOps administrator must create a solution to automatically renew certificates to avoid this issue in the future. What is the MOST operationally efficient solution that meets these requirements?
    1. Request a public certificate by using AWS Certificate Manager. Associate the certificate from ACM with the ELB. Write a scheduled AWS Lambda function to renew the certificate every 18 months.
    2. Request a public certificate by using AWS Certificate Manager. Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.
    3. Register a certificate with a third-party certificate authority (CA). Import this certificate into AWS Certificate Manager. Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.
    4. Register a certificate with a third-party certificate authority (CA). Configure the ELB to import the certificate directly from the CA. Set the certificate refresh cycle on the ELB to refresh when the certificate is within 3 months of the expiration date.
  2. A company needs to deploy TLS certificates on multiple EC2 instances running web servers that are NOT behind a load balancer. The security team wants to use ACM to manage the certificates centrally. What is the recommended approach?
    1. Import third-party certificates into ACM and manually install them on EC2 instances.
    2. Use ACM certificates with Nitro Enclaves on each EC2 instance.
    3. Request exportable public certificates from ACM and use AWS Workload Credentials Provider to automate deployment.
    4. Install certificates directly from the ACM console onto EC2 instances.
  3. A company is migrating to shorter TLS certificate lifetimes. They currently use ACM-managed certificates with CloudFront and want to ensure zero downtime during certificate renewals. Which domain validation method should they choose? (Select TWO)
    1. DNS validation with CNAME records in Route 53
    2. Email validation with manual approval
    3. HTTP validation for CloudFront distributions
    4. Import certificates manually before expiration
    5. Use AWS Private CA for public-facing websites
  4. A company needs to secure internal microservices communication using mutual TLS (mTLS). They previously used ACM public certificates with the clientAuth EKU. After June 2025, this approach no longer works. What should they use instead?
    1. Import third-party certificates with clientAuth into ACM.
    2. Use AWS Private Certificate Authority (AWS Private CA) to issue private certificates with clientAuth EKU.
    3. Request exportable public certificates from ACM for mTLS.
    4. Use self-signed certificates on each service instance.
  5. A company runs Kubernetes workloads on Amazon EKS and needs to automate TLS certificate provisioning for pod-level encryption. Which ACM feature enables this?
    1. Associate ACM certificates directly with EKS pods using IAM roles.
    2. Use AWS App Mesh for automatic certificate injection.
    3. Use ACM with AWS Controllers for Kubernetes (ACK) to issue and export certificates to Kubernetes Secrets.
    4. Deploy Nitro Enclaves on EKS worker nodes.

References