AWS Certificate Manager (ACM) is a managed service that enables you to create, store, and manage public and private SSL/ TLS X.509 certificates and keys for your AWS websites and applications. ACM enables AWS Security for websites and applications through use of trusted certificates.


Key Terms


SSL and TLS are industry standard protocols for secure communication over a network, by encrypting and decrypting the communication.

  • SSL – Secure Sockets Layer
  • TLS – Transport Layer Security
  • SSL is the predecessor to TLS, and was deprecated in 2015

X.509 is an industry standard that defines the format of Public Key Certificates.

  • X.509 is a key part of SSL / TLS.
  • An X.509 certificate contains a public key, and an identity (host / organization / individual)
  • An X509 certificate may be signed by a certificate authority, or self-signed


ACM Certificates

ACM allows creation and management of X509 certificates.

  • ACM generated certificates are valid for 13 months (395 days).
  • You can create Public and Private certificates through ACM.
    • ACM supports Domain Validated (DV) Public Certificates for use with websites and applications that terminate SSL / TLS.
    • ACM Public certificates are trusted by most modern browsers.
  • You can import 3rd party certificates into ACM.


ACM Private CA (Certificate Authority) is a service targeted towards enterprises who have a need to build Public Key Infrastructure (PKI) inside AWS for their private use.

  • Customers can create their Certificate Authority hierarchy and issue certificates for its internal use.
  • Certificates issued by private CA cannot be used on the internet.


Key Points for AWS Certificate Manager (ACM)

  • ACM is a fully managed service.
  • ACM is a Regional service – Key of each ACM certificate stays in the Region in which certificate was generated / imported.
  • ACM certificates usage can be audited through CloudTrail logs.
  • Currently ACM is well-integrated with following AWS services:
    • Elastic Load Balancer
    • CloudFront distributions
    • Elastic Beanstalk
    • API Gateway
  • ACM stores the private keys of the certificates in AWS Key Management Service (AWS KMS).



Public SSL / TLS certificates provisioned through ACM are free.

There is a charge if you create ACM Private CA

  • ACM Private CA – per month
  • Private Certificates issued – per certificate


External Resources