AWS Certificate Manager (ACM)
Key concepts
Free public certificates
Automatic renewal
Integration with ELB, CloudFront
Private CA for internal certs
Certificate validation methods
Overview
AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. ACM removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.
Understanding ACM is essential for the SAA-C03 exam because secure communication is a fundamental requirement. You must know the differences between public and private certificates, certificate validation methods, which services integrate with ACM, and the regional requirements for different services.
Free Public Certificates
ACM public certificates are FREE and automatically renew. ACM certificates cannot be exported from AWS - they can only be used with ACM-integrated services.
Focus on certificate validation methods, regional requirements (especially CloudFront requiring us-east-1), ACM integration points, and when to use AWS Private CA vs public certificates.
Key Concepts
Certificate Types

Certificate Types
ACM offers two types of certificates for different use cases:
Public vs Private Certificates
| Feature | Public Certificates | Private Certificates |
|---|---|---|
| Issued By | Amazon Trust Services | AWS Private CA |
| Cost | FREE | $400/month (CA) + $0.75/cert |
| Validation | Domain validated (DV) | No validation required |
| Trust | Publicly trusted | Trusted within your org |
| Use Case | Public websites, APIs | Internal apps, IoT, microservices |
| Export | No | Yes (with Private CA) |
| Validity | 13 months | Configurable |
Certificate Validation Methods
Before issuing a public certificate, ACM must verify you own or control the domain:
Validation Methods
DNS VALIDATION (Recommended):
├── Add CNAME record to DNS
├── Record format: _xxx.domain.com → _xxx.acm-validations.aws
├── Automatic renewal works
├── One-time setup
└── Best for: Production, automated environments
EMAIL VALIDATION:
├── Emails sent to domain contacts
├── admin@domain.com, hostmaster@domain.com, etc.
├── Requires manual response for renewal
├── Cannot be automated
└── Best for: Legacy, one-time certificatesDNS Validation for Production
Always use DNS validation for production certificates to enable automatic renewal.
ACM Certificate Contents
Domain Names:
├── Primary domain: example.com
├── Subject Alternative Names (SANs):
│ ├── www.example.com
│ ├── api.example.com
│ └── *.example.com (wildcard)
└── Maximum: 10 domain names per certificate
Certificate Details:
├── Serial Number: Unique identifier
├── Validity: Not Before / Not After dates
├── Signature Algorithm: SHA-256 with RSA
├── Public Key: RSA 2048-bit
├── Key Usage: Digital Signature, Key Encipherment
└── Extended Key Usage: TLS Web Server AuthenticationWildcard Certificates
Wildcard Certificate Behavior
Certificate: *.example.com
COVERS:
├── www.example.com ✓
├── api.example.com ✓
├── app.example.com ✓
└── any.example.com ✓
DOES NOT COVER:
├── example.com ✗ (apex domain)
├── sub.api.example.com ✗ (two levels deep)
└── sub.www.example.com ✗ (two levels deep)
Solution for apex + wildcard:
Request certificate with both:
├── example.com
└── *.example.comHow It Works
Certificate Lifecycle

Certificate States
1. PENDING_VALIDATION
└── Waiting for DNS/email validation
2. ISSUED
└── Certificate is active and ready to use
3. INACTIVE
└── Imported certificate not attached to any resource
4. EXPIRED
└── Certificate validity period ended
5. REVOKED
└── Certificate was revoked (cannot be undone)
6. FAILED
└── Validation failed or other error
Renewal Timeline:
├── 60 days before expiry: ACM attempts renewal
├── Renewal requires: DNS validation record still present
├── 45 days: Email notification if renewal failing
├── 30 days: Urgent notification
└── Expiry: Certificate stops workingACM Integration Architecture

Integrated Services:
ACM-Integrated Services
| Service | Region Requirement | Notes |
|---|---|---|
| CloudFront | us-east-1 ONLY | Global distribution |
| ALB | Same region | Regional service |
| NLB | Same region | TLS passthrough or termination |
| API Gateway | Same region | REST/HTTP APIs |
| Elastic Beanstalk | Same region | Via load balancer |
| CloudFormation | Same region | Infrastructure as code |
| AWS Amplify | Same region | Web app hosting |
| App Runner | Same region | Container apps |
Regional Considerations
CloudFront Region Requirement
CloudFront certificates MUST be in us-east-1 (N. Virginia). This is a critical exam topic.
CLOUDFRONT (GLOBAL):
└── Certificates MUST be in us-east-1
Why: CloudFront is a global service; uses N. Virginia for control plane
REGIONAL SERVICES (ALB, API Gateway, etc.):
└── Certificates MUST be in SAME region as the service
MULTI-REGION DEPLOYMENT:
Example: ALB in us-east-1 and eu-west-1
├── Request cert in us-east-1 for us-east-1 ALB
└── Request separate cert in eu-west-1 for eu-west-1 ALB
(Same domain, different regional certificates)
CLOUDFRONT + ALB BEHIND:
├── CloudFront cert: us-east-1
└── ALB cert: Whatever region ALB is in (origin)AWS Private CA
AWS Private Certificate Authority is for issuing private certificates for internal resources:
When to Use Private CA

Public ACM vs Private CA
| Use Case | Public ACM | Private CA |
|---|---|---|
| Public website | Yes | No |
| Internal microservices | No | Yes |
| IoT devices | No | Yes |
| EC2 instances | No* | Yes |
| mTLS authentication | No | Yes |
| Code signing | No | Yes |
*ACM cannot export certificates for EC2; use Private CA or import certificates.
Private CA Hierarchy
Certificate Hierarchy
Recommended Structure:
Root CA (offline when not signing)
└── Validity: 10-20 years
└── Usage: Sign subordinate CAs only
├── Subordinate CA (Production)
│ └── Validity: 3-5 years
│ └── Signs end-entity certificates
│
└── Subordinate CA (Development)
└── Validity: 1-3 years
└── Signs dev/test certificates
End-Entity Certificates:
└── Validity: 1 year or less
└── Issued to servers, clients, devicesPrivate CA Modes
Private CA Modes
| Mode | Cost | Certificates | Use Case |
|---|---|---|---|
| General Purpose | $400/month | Unlimited | Production workloads |
| Short-Lived | $50/month | Valid < 7 days | Ephemeral containers, CI/CD |
Use Cases
Use Case 1: Public Website with Custom Domain
Scenario: Deploy a public website with HTTPS on a custom domain.

Solution:
- Request public certificate for
example.comandwww.example.com - Use DNS validation (add CNAME record)
- Attach to CloudFront distribution or ALB
- Configure HTTP to HTTPS redirect
- Cost: FREE (ACM public certificates)
Use Case 2: Multi-Region API Gateway
Scenario: REST API deployed in multiple regions with custom domain.
Solution:
- Request certificate in each region:
api.example.comin us-east-1api.example.comin eu-west-1
- Use DNS validation (same CNAME works for all)
- Attach to regional API Gateway custom domains
- Use Route 53 latency routing for regional endpoints
Use Case 3: Internal Microservices with mTLS
Scenario: Microservices require mutual TLS authentication.
Solution:
- Deploy AWS Private CA
- Issue server and client certificates
- Configure services to require client certificates
- Implement certificate rotation via ACM
# Request private certificate from Private CA
aws acm-pca issue-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/xxx \
--csr fileb://csr.pem \
--signing-algorithm SHA256WITHRSA \
--validity Value=365,Type=DAYSUse Case 4: TLS on EC2 Instances
Scenario: EC2 instances need TLS certificates (not behind load balancer).
Solution:
-
Option A: AWS Private CA
- Issue private certificates
- Export and install on EC2
- Automate rotation with SSM
-
Option B: Import third-party certificate
- Purchase from CA (DigiCert, Let's Encrypt, etc.)
- Import into ACM for management
- Re-import when renewed
Note: ACM public certificates cannot be exported or used directly on EC2.
Best Practices
Certificate Management
-
Always use DNS validation
- Enables automatic renewal
- Keep CNAME records permanently
- Works across multiple certificates
-
Request certificates in correct region
- CloudFront: us-east-1
- Regional services: same region
- Plan before deployment
-
Use wildcards appropriately
- Consider security implications
- Include apex domain explicitly
*.example.com+example.com
-
Monitor certificate expiration
- CloudWatch alarms for ACM events
- AWS Config rule:
acm-certificate-expiration-check - Set up notifications at 45 days
Security Best Practices
-
Minimum TLS version
- Configure TLS 1.2 minimum on services
- Use TLS 1.3 where supported
- Avoid deprecated cipher suites
-
HTTPS everywhere
- Redirect HTTP to HTTPS
- Enable HSTS headers
- Use preload lists for critical domains
-
Private CA security
- Protect root CA (offline when possible)
- Use separate CAs per environment
- Short validity for end-entity certs
-
Certificate transparency
- Public certificates are logged to CT logs
- Monitor for unauthorized certificates
- AWS publishes to CT by default
Operational Best Practices
-
Automate certificate provisioning
- Use CloudFormation/CDK for ACM resources
- Automate DNS validation records
- Infrastructure as code
-
Test certificate renewal
- Verify DNS records are in place
- Test before 60-day renewal window
- Document recovery procedures
-
Plan for certificate replacement
- Use key aliases and abstractions
- Document all certificate dependencies
- Test rotation in non-production
Common Exam Scenarios
Exam Scenarios
| Scenario | Solution | Why |
|---|---|---|
| CloudFront custom domain HTTPS | ACM certificate in us-east-1 | CloudFront only uses N. Virginia certs |
| ALB in eu-west-1 needs HTTPS | ACM certificate in eu-west-1 | Regional service = regional cert |
| Multiple domains on one ALB | SNI with multiple certificates | ALB supports up to 25 certs with SNI |
| Certificate needs to work in 48 hours | DNS validation | Faster than email; immediate with low TTL |
| Auto-renewal stopped working | Check DNS validation CNAME exists | Renewal requires validation record |
| EC2 needs TLS certificate | Private CA or import certificate | ACM public certs cant export to EC2 |
| mTLS for microservices | AWS Private CA | Issues client and server certificates |
| Free HTTPS for public website | ACM public certificate | Free with automatic renewal |
Common Pitfalls
Pitfall 1: Wrong Region for CloudFront
Mistake: Requesting ACM certificate in same region as origin for CloudFront.
Why it fails: CloudFront only uses certificates from us-east-1
Correct Approach: Always request CloudFront certificates in us-east-1
Pitfall 2: Email Validation for Production
Mistake: Using email validation for production certificates.
Why it fails: Requires manual intervention for renewal; may miss emails
Correct Approach: Always use DNS validation for automatic renewal
Pitfall 3: Expecting ACM on EC2
Mistake: Planning to use ACM public certificates on EC2 instances.
Why it fails: ACM certificates cannot be exported; only work with integrated services
Correct Approach: Use Private CA, imported certificates, or ALB termination
Pitfall 4: Deleting DNS Validation Record
Mistake: Removing DNS CNAME after certificate is issued.
Why it fails: Automatic renewal will fail at 60 days before expiry
Correct Approach: Keep validation CNAME records permanently
Pitfall 5: Wildcard Coverage Assumption
Mistake: Assuming *.example.com covers example.com and subdomains of subdomains.
Why it fails: Wildcards only cover one level; don't cover apex
Correct Approach: Request both example.com and *.example.com
Related Services
Quick Reference
ACM Limits
ACM Limits
| Resource | Default Limit |
|---|---|
| Certificates per region | 2,500 |
| Domain names per certificate | 10 |
| Imported certificates per region | 2,500 |
| Private CAs per account | 200 |
ACM Pricing
ACM Pricing
| Component | Cost |
|---|---|
| Public certificates | FREE |
| Private CA (General Purpose) | $400/month |
| Private CA (Short-Lived) | $50/month |
| Private certificates | $0.75/cert/month |
| Imported certificates | FREE (management only) |
Certificate Validity
Certificate Validity
| Type | Validity Period |
|---|---|
| ACM Public | 13 months (auto-renew at 60 days) |
| ACM Private | Configurable (up to 10 years) |
| Imported | Depends on original certificate |
CLI Commands
# Request public certificate
aws acm request-certificate \
--domain-name example.com \
--subject-alternative-names www.example.com \
--validation-method DNS \
--region us-east-1
# List certificates
aws acm list-certificates \
--certificate-statuses ISSUED
# Get certificate details
aws acm describe-certificate \
--certificate-arn arn:aws:acm:region:account:certificate/xxx
# Get DNS validation records
aws acm describe-certificate \
--certificate-arn arn:aws:acm:region:account:certificate/xxx \
--query "Certificate.DomainValidationOptions"
# Import certificate
aws acm import-certificate \
--certificate fileb://cert.pem \
--private-key fileb://key.pem \
--certificate-chain fileb://chain.pemTest Your Knowledge
A company needs an SSL certificate for their CloudFront distribution using a custom domain. In which region must the ACM certificate be requested?
Which ACM validation method supports automatic certificate renewal?
A company needs TLS certificates for EC2 instances that are not behind a load balancer. What is the correct approach?
What happens if the DNS validation CNAME record is deleted after an ACM certificate is issued?