Reading20 min read·Module 1

AWS Certificate Manager (ACM)

Key concepts

  • Free public certificates

  • Automatic renewal

  • Integration with ELB, CloudFront

  • Private CA for internal certs

  • Certificate validation methods

Overview

AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. ACM removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

Understanding ACM is essential for the SAA-C03 exam because secure communication is a fundamental requirement. You must know the differences between public and private certificates, certificate validation methods, which services integrate with ACM, and the regional requirements for different services.

Free Public Certificates

ACM public certificates are FREE and automatically renew. ACM certificates cannot be exported from AWS - they can only be used with ACM-integrated services.

Exam Tip

Focus on certificate validation methods, regional requirements (especially CloudFront requiring us-east-1), ACM integration points, and when to use AWS Private CA vs public certificates.


Key Concepts

Certificate Types

ACM Certificate Types
Figure 1: Public vs Private certificates serve different use cases

Certificate Types

ACM offers two types of certificates for different use cases:

Public vs Private Certificates

FeaturePublic CertificatesPrivate Certificates
Issued ByAmazon Trust ServicesAWS Private CA
CostFREE$400/month (CA) + $0.75/cert
ValidationDomain validated (DV)No validation required
TrustPublicly trustedTrusted within your org
Use CasePublic websites, APIsInternal apps, IoT, microservices
ExportNoYes (with Private CA)
Validity13 monthsConfigurable

Certificate Validation Methods

Before issuing a public certificate, ACM must verify you own or control the domain:

Validation Methods

TEXTValidation Methods Comparison
DNS VALIDATION (Recommended):
├── Add CNAME record to DNS
├── Record format: _xxx.domain.com → _xxx.acm-validations.aws
├── Automatic renewal works
├── One-time setup
└── Best for: Production, automated environments

EMAIL VALIDATION:
├── Emails sent to domain contacts
├── admin@domain.com, hostmaster@domain.com, etc.
├── Requires manual response for renewal
├── Cannot be automated
└── Best for: Legacy, one-time certificates
DNS Validation for Production

Always use DNS validation for production certificates to enable automatic renewal.

ACM Certificate Contents

TEXTACM Certificate Fields
Domain Names:
├── Primary domain: example.com
├── Subject Alternative Names (SANs):
│   ├── www.example.com
│   ├── api.example.com
│   └── *.example.com (wildcard)
└── Maximum: 10 domain names per certificate

Certificate Details:
├── Serial Number: Unique identifier
├── Validity: Not Before / Not After dates
├── Signature Algorithm: SHA-256 with RSA
├── Public Key: RSA 2048-bit
├── Key Usage: Digital Signature, Key Encipherment
└── Extended Key Usage: TLS Web Server Authentication

Wildcard Certificates

Wildcard Certificate Behavior

TEXTWildcard Certificate Behavior
Certificate: *.example.com

COVERS:
├── www.example.com      ✓
├── api.example.com      ✓
├── app.example.com      ✓
└── any.example.com      ✓

DOES NOT COVER:
├── example.com          ✗ (apex domain)
├── sub.api.example.com  ✗ (two levels deep)
└── sub.www.example.com  ✗ (two levels deep)

Solution for apex + wildcard:
Request certificate with both:
├── example.com
└── *.example.com

How It Works

Certificate Lifecycle

ACM Certificate Lifecycle
Figure 2: ACM manages the complete certificate lifecycle automatically

Certificate States

TEXTCertificate States
1. PENDING_VALIDATION
   └── Waiting for DNS/email validation

2. ISSUED
   └── Certificate is active and ready to use

3. INACTIVE
   └── Imported certificate not attached to any resource

4. EXPIRED
   └── Certificate validity period ended

5. REVOKED
   └── Certificate was revoked (cannot be undone)

6. FAILED
   └── Validation failed or other error

Renewal Timeline:
├── 60 days before expiry: ACM attempts renewal
├── Renewal requires: DNS validation record still present
├── 45 days: Email notification if renewal failing
├── 30 days: Urgent notification
└── Expiry: Certificate stops working

ACM Integration Architecture

ACM Integration Architecture
Figure 3: ACM integrates with AWS services at different network layers

Integrated Services:

ACM-Integrated Services

ServiceRegion RequirementNotes
CloudFrontus-east-1 ONLYGlobal distribution
ALBSame regionRegional service
NLBSame regionTLS passthrough or termination
API GatewaySame regionREST/HTTP APIs
Elastic BeanstalkSame regionVia load balancer
CloudFormationSame regionInfrastructure as code
AWS AmplifySame regionWeb app hosting
App RunnerSame regionContainer apps

Regional Considerations

CloudFront Region Requirement

CloudFront certificates MUST be in us-east-1 (N. Virginia). This is a critical exam topic.

TEXTACM Regional Requirements
CLOUDFRONT (GLOBAL):
└── Certificates MUST be in us-east-1
    Why: CloudFront is a global service; uses N. Virginia for control plane

REGIONAL SERVICES (ALB, API Gateway, etc.):
└── Certificates MUST be in SAME region as the service

MULTI-REGION DEPLOYMENT:
Example: ALB in us-east-1 and eu-west-1
├── Request cert in us-east-1 for us-east-1 ALB
└── Request separate cert in eu-west-1 for eu-west-1 ALB
    (Same domain, different regional certificates)

CLOUDFRONT + ALB BEHIND:
├── CloudFront cert: us-east-1
└── ALB cert: Whatever region ALB is in (origin)

AWS Private CA

AWS Private Certificate Authority is for issuing private certificates for internal resources:

When to Use Private CA

Private CA Use Cases
Figure 4: Private CA for internal trust without public exposure

Public ACM vs Private CA

Use CasePublic ACMPrivate CA
Public websiteYesNo
Internal microservicesNoYes
IoT devicesNoYes
EC2 instancesNo*Yes
mTLS authenticationNoYes
Code signingNoYes

*ACM cannot export certificates for EC2; use Private CA or import certificates.

Private CA Hierarchy

Certificate Hierarchy

TEXTCertificate Hierarchy
Recommended Structure:

Root CA (offline when not signing)
    └── Validity: 10-20 years
    └── Usage: Sign subordinate CAs only

    ├── Subordinate CA (Production)
    │   └── Validity: 3-5 years
    │   └── Signs end-entity certificates
    │
    └── Subordinate CA (Development)
        └── Validity: 1-3 years
        └── Signs dev/test certificates

End-Entity Certificates:
└── Validity: 1 year or less
└── Issued to servers, clients, devices

Private CA Modes

Private CA Modes

ModeCostCertificatesUse Case
General Purpose$400/monthUnlimitedProduction workloads
Short-Lived$50/monthValid < 7 daysEphemeral containers, CI/CD

Use Cases

Use Case 1: Public Website with Custom Domain

Scenario: Deploy a public website with HTTPS on a custom domain.

ACM Public Website
Figure 5: Free ACM certificate for public-facing applications

Solution:

  1. Request public certificate for example.com and www.example.com
  2. Use DNS validation (add CNAME record)
  3. Attach to CloudFront distribution or ALB
  4. Configure HTTP to HTTPS redirect
  5. Cost: FREE (ACM public certificates)

Use Case 2: Multi-Region API Gateway

Scenario: REST API deployed in multiple regions with custom domain.

Solution:

  1. Request certificate in each region:
    • api.example.com in us-east-1
    • api.example.com in eu-west-1
  2. Use DNS validation (same CNAME works for all)
  3. Attach to regional API Gateway custom domains
  4. Use Route 53 latency routing for regional endpoints

Use Case 3: Internal Microservices with mTLS

Scenario: Microservices require mutual TLS authentication.

Solution:

  1. Deploy AWS Private CA
  2. Issue server and client certificates
  3. Configure services to require client certificates
  4. Implement certificate rotation via ACM
SHRequest Private Certificate
# Request private certificate from Private CA
aws acm-pca issue-certificate \
  --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/xxx \
  --csr fileb://csr.pem \
  --signing-algorithm SHA256WITHRSA \
  --validity Value=365,Type=DAYS

Use Case 4: TLS on EC2 Instances

Scenario: EC2 instances need TLS certificates (not behind load balancer).

Solution:

  • Option A: AWS Private CA

    • Issue private certificates
    • Export and install on EC2
    • Automate rotation with SSM
  • Option B: Import third-party certificate

    • Purchase from CA (DigiCert, Let's Encrypt, etc.)
    • Import into ACM for management
    • Re-import when renewed

Note: ACM public certificates cannot be exported or used directly on EC2.


Best Practices

Certificate Management

  1. Always use DNS validation

    • Enables automatic renewal
    • Keep CNAME records permanently
    • Works across multiple certificates
  2. Request certificates in correct region

    • CloudFront: us-east-1
    • Regional services: same region
    • Plan before deployment
  3. Use wildcards appropriately

    • Consider security implications
    • Include apex domain explicitly
    • *.example.com + example.com
  4. Monitor certificate expiration

    • CloudWatch alarms for ACM events
    • AWS Config rule: acm-certificate-expiration-check
    • Set up notifications at 45 days

Security Best Practices

  1. Minimum TLS version

    • Configure TLS 1.2 minimum on services
    • Use TLS 1.3 where supported
    • Avoid deprecated cipher suites
  2. HTTPS everywhere

    • Redirect HTTP to HTTPS
    • Enable HSTS headers
    • Use preload lists for critical domains
  3. Private CA security

    • Protect root CA (offline when possible)
    • Use separate CAs per environment
    • Short validity for end-entity certs
  4. Certificate transparency

    • Public certificates are logged to CT logs
    • Monitor for unauthorized certificates
    • AWS publishes to CT by default

Operational Best Practices

  1. Automate certificate provisioning

    • Use CloudFormation/CDK for ACM resources
    • Automate DNS validation records
    • Infrastructure as code
  2. Test certificate renewal

    • Verify DNS records are in place
    • Test before 60-day renewal window
    • Document recovery procedures
  3. Plan for certificate replacement

    • Use key aliases and abstractions
    • Document all certificate dependencies
    • Test rotation in non-production

Common Exam Scenarios

Exam Scenarios

ScenarioSolutionWhy
CloudFront custom domain HTTPSACM certificate in us-east-1CloudFront only uses N. Virginia certs
ALB in eu-west-1 needs HTTPSACM certificate in eu-west-1Regional service = regional cert
Multiple domains on one ALBSNI with multiple certificatesALB supports up to 25 certs with SNI
Certificate needs to work in 48 hoursDNS validationFaster than email; immediate with low TTL
Auto-renewal stopped workingCheck DNS validation CNAME existsRenewal requires validation record
EC2 needs TLS certificatePrivate CA or import certificateACM public certs cant export to EC2
mTLS for microservicesAWS Private CAIssues client and server certificates
Free HTTPS for public websiteACM public certificateFree with automatic renewal

Common Pitfalls

Pitfall 1: Wrong Region for CloudFront

Mistake: Requesting ACM certificate in same region as origin for CloudFront.

Why it fails: CloudFront only uses certificates from us-east-1

Correct Approach: Always request CloudFront certificates in us-east-1

Pitfall 2: Email Validation for Production

Mistake: Using email validation for production certificates.

Why it fails: Requires manual intervention for renewal; may miss emails

Correct Approach: Always use DNS validation for automatic renewal

Pitfall 3: Expecting ACM on EC2

Mistake: Planning to use ACM public certificates on EC2 instances.

Why it fails: ACM certificates cannot be exported; only work with integrated services

Correct Approach: Use Private CA, imported certificates, or ALB termination

Pitfall 4: Deleting DNS Validation Record

Mistake: Removing DNS CNAME after certificate is issued.

Why it fails: Automatic renewal will fail at 60 days before expiry

Correct Approach: Keep validation CNAME records permanently

Pitfall 5: Wildcard Coverage Assumption

Mistake: Assuming *.example.com covers example.com and subdomains of subdomains.

Why it fails: Wildcards only cover one level; don't cover apex

Correct Approach: Request both example.com and *.example.com



Quick Reference

ACM Limits

ACM Limits

ResourceDefault Limit
Certificates per region2,500
Domain names per certificate10
Imported certificates per region2,500
Private CAs per account200

ACM Pricing

ACM Pricing

ComponentCost
Public certificatesFREE
Private CA (General Purpose)$400/month
Private CA (Short-Lived)$50/month
Private certificates$0.75/cert/month
Imported certificatesFREE (management only)

Certificate Validity

Certificate Validity

TypeValidity Period
ACM Public13 months (auto-renew at 60 days)
ACM PrivateConfigurable (up to 10 years)
ImportedDepends on original certificate

CLI Commands

SHACM CLI Commands
# Request public certificate
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names www.example.com \
  --validation-method DNS \
  --region us-east-1

# List certificates
aws acm list-certificates \
  --certificate-statuses ISSUED

# Get certificate details
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:region:account:certificate/xxx

# Get DNS validation records
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:region:account:certificate/xxx \
  --query "Certificate.DomainValidationOptions"

# Import certificate
aws acm import-certificate \
  --certificate fileb://cert.pem \
  --private-key fileb://key.pem \
  --certificate-chain fileb://chain.pem

Test Your Knowledge

Q

A company needs an SSL certificate for their CloudFront distribution using a custom domain. In which region must the ACM certificate be requested?

AThe same region as the S3 origin
BAny region closest to users
Cus-east-1 (N. Virginia)
Deu-west-1 (Ireland)
Q

Which ACM validation method supports automatic certificate renewal?

AEmail validation
BDNS validation
CBoth methods support auto-renewal
DNeither - renewal is always manual
Q

A company needs TLS certificates for EC2 instances that are not behind a load balancer. What is the correct approach?

AExport ACM public certificate and install on EC2
BACM certificates work automatically on EC2
CUse AWS Private CA or import third-party certificates
DUse Systems Manager to deploy ACM certificates
Q

What happens if the DNS validation CNAME record is deleted after an ACM certificate is issued?

ANothing - certificate continues to work
BCertificate is immediately revoked
CAutomatic renewal will fail
DCertificate becomes invalid within 24 hours

Further Reading

Related services

ACMELBCloudFrontAPI Gateway