SAA-C03 | Chapter 52 of 189 | Objective 1.3

AWS Certificate Manager (ACM)

This chapter covers AWS Certificate Manager (ACM), a service that simplifies the provisioning, management, and deployment of SSL/TLS certificates for use with AWS services. For the SAA-C03 exam, ACM is a core topic within Secure Architectures (Domain 1, Objective 1.3), appearing in approximately 5-8% of questions. You must understand how ACM works, its integration with other AWS services, certificate renewal behavior, and when to use public versus private certificates.

25 min read | Intermediate | Updated May 31, 2026

ACM as a Secure Document Vault

ACM is like a high-security document vault in a corporate headquarters. The vault itself is managed by a trusted security team (AWS) that ensures it meets strict standards (compliance). Inside the vault, you store your most sensitive documents — SSL/TLS certificates — which contain your public keys and identity information. When you need to use a certificate for a service (like an HTTPS website), you don't take the original out; instead, you ask the vault to create a secure copy and deliver it directly to the authorized service (e.g., a load balancer). The vault handles all the logistics: it can automatically renew certificates before they expire (auto-renewal), it can import certificates you obtained elsewhere (import), and it integrates with other building services (AWS services like CloudFront, ELB, API Gateway). The vault never exposes the private key to you — you only get the certificate and the public key. If a certificate is compromised, you can revoke it immediately, and the vault will notify all services using it. The vault also provides a dashboard (AWS Console/API) to see all certificates, their status, and renewal dates. This analogy maps directly to ACM: ACM manages certificate lifecycle, integrates with AWS services, handles private keys securely, and provides automatic renewal for certificates issued by ACM.

How It Actually Works

What is AWS Certificate Manager (ACM)?

AWS Certificate Manager (ACM) is a service that lets you provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. ACM eliminates the time-consuming manual process of purchasing, uploading, and renewing certificates. You can request a certificate directly from ACM, or import your own certificates from third-party CAs.

ACM handles the entire certificate lifecycle: request, validation, issuance, renewal, and revocation. It integrates seamlessly with Elastic Load Balancers (ALB/NLB), Amazon CloudFront distributions, Amazon API Gateway, AWS Elastic Beanstalk, AWS CloudFormation, and AWS Nitro Enclaves. For public certificates, ACM provides automatic renewal as long as the certificate is in use by an integrated service.

How ACM Works Internally

When you request a public certificate via ACM, ACM acts as a certificate authority (CA) itself. The process involves:

1. Certificate Request: You specify the domain name(s) (FQDN) you want to secure. You can request a certificate for a single domain like example.com, a wildcard like *.example.com, or multiple domain names (SANs).

2. Validation: ACM must validate that you control the domain(s). There are two methods:
   - DNS validation: You add a CNAME record provided by ACM to your DNS configuration. ACM checks for this record to prove domain ownership.
   - Email validation: ACM sends validation emails to the three WHOIS-registered contacts (registrant, admin, tech) plus common administrative addresses (admin@, administrator@, hostmaster@, postmaster@, webmaster@) for each domain. You must click a link in the email.

3. Issuance: Once validated, ACM issues the certificate. The certificate is signed by the Amazon CA (e.g., Amazon RSA 2048 M02). The private key is generated by ACM and stored securely using AWS Key Management Service (KMS). ACM never exposes the private key to you.

4. Deployment: You associate the certificate with an integrated AWS service (e.g., an ALB listener on port 443). ACM pushes the certificate and private key to the service securely.

5. Automatic Renewal: ACM automatically renews public certificates 60 days before expiration. Renewal is only possible if the certificate is associated with an integrated service. ACM re-validates domain ownership using the same method as the original request. If validation fails, ACM sends CloudWatch events and the certificate expires.

Key Components, Values, and Defaults

- Certificate Types:
  - Public certificates: Issued by Amazon's public CA, trusted by browsers. Free of charge.
  - Private certificates: Issued by a private CA (ACM Private CA). Used internally within an organization. You pay for the CA and each certificate.
  - Imported certificates: Certificates from third-party CAs (e.g., DigiCert, Let's Encrypt). You manage renewal manually.

- Domain Validation:
  - DNS validation is recommended for automation. The CNAME record format: _<random>.<domain> CNAME <random>.acm-validations.aws.
  - Email validation sends to 8 possible addresses per domain.

- Renewal:
  - Automatic renewal attempts start 60 days before expiration.
  - If the certificate is not associated with a service, ACM does NOT renew it. You must redeploy the certificate.
  - If validation fails during renewal, ACM retries for 45 days. After that, the certificate expires.

- Integration:
  - ACM certificates can be associated with: ALB, NLB (TLS listener), CloudFront, API Gateway (custom domain), Elastic Beanstalk, CloudFormation.
  - For CloudFront, you must request the certificate in the US East (N. Virginia) region (us-east-1). This is a common exam trap.

- Private CA:
  - ACM Private CA allows you to create a private CA hierarchy.
  - You can issue certificates for internal resources (e.g., internal load balancers, EC2 instances).
  - Private certificates are not trusted by public browsers.

- Limits:
  - Default limit: 2,500 certificates per region (soft limit, can be increased).
  - Certificate key sizes: 2048-bit RSA (default), 4096-bit RSA, or Elliptic Curve (EC_prime256v1, EC_secp384r1).
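The renewal rules above (ACM-issued versus imported, in use versus not, the 60-day window) written as a check you can run over `aws acm describe-certificate` output. This is an added example, not code from the page or from AWS; the certificate records, account id and ARNs are constructed placeholders.

```python
"""Classify ACM certificates by renewal risk from `aws acm describe-certificate`
output. Added example, not AWS code; the sample records below are constructed."""
from datetime import date, datetime

RENEWAL_WINDOW_DAYS = 60  # ACM starts renewal attempts 60 days before expiry


def days_to_expiry(cert: dict, today: str) -> int:
    """describe-certificate prints NotAfter as an ISO-8601 timestamp."""
    not_after = datetime.fromisoformat(cert["NotAfter"]).date()
    return (not_after - date.fromisoformat(today)).days


def renewal_status(cert: dict, today: str) -> dict:
    """Say whether ACM will renew this certificate by itself, and if not, why."""
    remaining = days_to_expiry(cert, today)
    in_use = bool(cert.get("InUseBy"))   # ARNs of services the cert is bound to
    cert_type = cert.get("Type")         # AMAZON_ISSUED, IMPORTED or PRIVATE
    if cert_type == "IMPORTED":
        auto, reason = False, "IMPORTED: obtain a new certificate and re-import it"
    elif cert_type == "AMAZON_ISSUED" and not in_use:
        auto, reason = False, "NOT_IN_USE: ACM renews only certificates bound to a service"
    elif cert_type == "AMAZON_ISSUED":
        auto, reason = True, "AUTO: ACM renews inside the 60-day window (keep the CNAME)"
    else:
        auto, reason = False, f"{cert_type}: not covered by public auto-renewal, review manually"
    return {
        "arn": cert["CertificateArn"],
        "days_to_expiry": remaining,
        "in_renewal_window": remaining <= RENEWAL_WINDOW_DAYS,
        "auto_renews": auto,
        # Human action is due once ACM will not act and the window has opened
        "action_needed": (not auto) and remaining <= RENEWAL_WINDOW_DAYS,
        "reason": reason,
    }


# Constructed describe-certificate extracts (account id and cert ids are placeholders)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/cf-cert",
     "Type": "AMAZON_ISSUED", "Status": "ISSUED",
     "InUseBy": ["arn:aws:cloudfront::111111111111:distribution/EXAMPLE1"],
     "NotAfter": "2026-03-01T23:59:59+00:00"},
    {"CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/spare-cert",
     "Type": "AMAZON_ISSUED", "Status": "ISSUED", "InUseBy": [],
     "NotAfter": "2026-02-15T23:59:59+00:00"},
    {"CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/byoc-cert",
     "Type": "IMPORTED", "Status": "ISSUED",
     "InUseBy": ["arn:aws:elasticloadbalancing:eu-west-1:111111111111:loadbalancer/app/x/y"],
     "NotAfter": "2026-06-30T23:59:59+00:00"},
]


def report(certs: list, today: str) -> list:
    """Run renewal_status over every certificate in a list-certificates sweep."""
    return [renewal_status(c, today) for c in certs]


if __name__ == "__main__":
    for r in report(SAMPLE_CERTS, "2026-01-10"):
        print(f"{r['arn'].rsplit('/', 1)[1]:12} {r['days_to_expiry']:4}d  {r['reason']}")
```

In production the input is the `Certificate` object from `aws acm describe-certificate` for each ARN returned by `aws acm list-certificates`.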

Configuration and Verification

To request a certificate via AWS CLI:

aws acm request-certificate --domain-name example.com --validation-method DNS --region us-east-1

To describe a certificate:

aws acm describe-certificate --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

To list certificates:

aws acm list-certificates --certificate-statuses ISSUED

To associate a certificate with an ALB (via AWS CLI):

aws elbv2 create-listener --load-balancer-arn <lb-arn> --protocol HTTPS --port 443 --certificates CertificateArn=<cert-arn> --default-actions Type=forward,TargetGroupArn=<tg-arn>

Interaction with Related Technologies

AWS WAF: ACM certificates can be used with ALB and CloudFront to enable HTTPS. Because those services terminate TLS, WAF can then inspect the decrypted requests.

AWS Shield: Provides DDoS protection for services using ACM certificates.

AWS CloudTrail: Logs ACM API calls for auditing.

Amazon Route 53: Often used with DNS validation; Route 53 can automate adding the CNAME record.

AWS Config: Can monitor ACM certificate expiration and compliance.

AWS KMS: ACM uses KMS to encrypt private keys at rest.

Exam-Specific Details

ACM certificates are free for public certificates issued by Amazon.

You cannot download the private key for ACM-issued certificates.

To use ACM with CloudFront, the certificate must be in us-east-1.

ACM does not support wildcard certificates for API Gateway (must use exact domain).

ACM can issue certificates for bare domains (e.g., example.com) and wildcards (e.g., *.example.com) in the same request.

For imported certificates, you must renew them manually before expiration; ACM does not auto-renew.

ACM supports RSA 2048, RSA 4096, and EC keys.

DNS validation is preferred for automation; email validation requires manual steps.

ACM can issue certificates for multiple domains in a single request (up to 10 domain names).

If you use a private CA, you can issue certificates for IP addresses (public certificates only support domain names).

Walk-Through

1. Request a public certificate

Navigate to ACM in the AWS Console, click 'Request a certificate', choose 'Request a public certificate'. Enter the fully qualified domain name (FQDN) such as 'example.com' or a wildcard '*.example.com'. You can add additional names (SANs). Select the validation method: DNS validation is recommended for automation. Optionally add tags. Click 'Request'. The certificate enters 'Pending validation' state.

2. Validate domain ownership

If using DNS validation, ACM provides a CNAME record. You must add this record to your DNS zone (e.g., in Route 53). ACM periodically checks for the presence of this record. Propagation can take a few minutes to hours. Once the record is detected, the certificate status changes to 'Issued'. If using email validation, ACM sends emails to the domain's registered contacts. You must click the approval link within 72 hours. If validation fails, the certificate remains in pending state and expires after 72 hours.

3. Associate certificate with AWS service

Once the certificate is issued, you can associate it with an integrated service. For example, in an ALB, you create an HTTPS listener on port 443 and select the ACM certificate from the dropdown. ACM securely pushes the certificate and private key to the service. The service then uses this certificate for TLS termination. You can also use the same certificate with multiple services (e.g., multiple ALBs) as long as they are in the same region (except CloudFront, which requires us-east-1).

4. Automatic renewal (if applicable)

For ACM-issued public certificates that are associated with an integrated service, ACM automatically attempts to renew the certificate 60 days before expiration. ACM re-validates domain ownership using the original validation method. If DNS validation was used and the CNAME record is still present, renewal succeeds automatically. If email validation was used, ACM sends new validation emails. If renewal fails, ACM retries for 45 days. If still failing, the certificate expires. You receive CloudWatch events for renewal failures.

5. Monitor and manage certificates

Use the ACM console, CLI, or API to list certificates, view status, and check expiration dates. CloudWatch Events and AWS Config can alert on certificate expiration. For imported certificates, you must track expiration dates and renew manually by importing a new certificate before the old one expires. ACM does not send expiration reminders for imported certificates. You can also revoke certificates using the console if compromised.
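Steps 1 and 2 of the walk-through (and step 2 of the internal flow earlier in the chapter) automated: the script reads the validation CNAMEs out of `describe-certificate` output and builds the Route 53 change batches that publish them, one per hosted zone. This is an added example, not code from the page or from AWS; the certificate, record values and hosted-zone ids are constructed.

```python
"""Turn the DomainValidationOptions from `aws acm describe-certificate` into
Route 53 ChangeBatch documents for DNS validation, one per hosted zone.
Added example, not AWS or ACM code; the describe output and zone ids are constructed."""
import json


def validation_records(cert: dict) -> list:
    """Collect the CNAMEs ACM asks for, deduplicated by (Name, Value): a wildcard
    and its apex share one record, and Route 53 rejects a batch that repeats a set."""
    seen, records = set(), []
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if not rr or rr.get("Type") != "CNAME":
            continue  # email validation, or ACM has not published the record yet
        key = (rr["Name"], rr["Value"])
        if key not in seen:
            seen.add(key)
            records.append(rr)
    return records


def zone_for(record_name: str, hosted_zones: dict):
    """Longest-suffix match so a record under a delegated child zone goes there,
    not into the parent zone where Route 53 would never serve it."""
    name, best = record_name.rstrip("."), None
    for zone_name, zone_id in hosted_zones.items():
        z = zone_name.rstrip(".")
        if name.endswith("." + z) and (best is None or len(z) > len(best[0])):
            best = (z, zone_id)
    return best[1] if best else None


def build_change_batches(cert: dict, hosted_zones: dict, ttl: int = 300) -> dict:
    """Map hosted zone id -> ChangeBatch ready for change-resource-record-sets."""
    batches = {}
    for rr in validation_records(cert):
        zone_id = zone_for(rr["Name"], hosted_zones)
        if zone_id is None:
            raise ValueError(f"no hosted zone covers {rr['Name']}")
        batch = batches.setdefault(zone_id, {
            "Comment": f"ACM DNS validation for {cert['CertificateArn']}", "Changes": []})
        batch["Changes"].append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": "CNAME", "TTL": ttl,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return batches


# Constructed describe-certificate extract for a pending apex + wildcard + SAN request
PENDING_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/pending-1",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS", "ResourceRecord":
         {"Name": "_a1b2c3.example.com.", "Type": "CNAME", "Value": "_d4e5f6.acm-validations.aws."}},
        {"DomainName": "*.example.com", "ValidationMethod": "DNS", "ResourceRecord":
         {"Name": "_a1b2c3.example.com.", "Type": "CNAME", "Value": "_d4e5f6.acm-validations.aws."}},
        {"DomainName": "shop.example.com", "ValidationMethod": "DNS", "ResourceRecord":
         {"Name": "_9z8y7x.shop.example.com.", "Type": "CNAME", "Value": "_w6v5u4.acm-validations.aws."}},
    ],
}
HOSTED_ZONES = {"example.com.": "Z0EXAMPLE", "shop.example.com.": "Z0SHOPEXAMPLE"}  # constructed

if __name__ == "__main__":
    for zone_id, batch in build_change_batches(PENDING_CERT, HOSTED_ZONES).items():
        print(zone_id, json.dumps(batch, indent=2))
```

Each batch is what you pass to `aws route53 change-resource-record-sets --hosted-zone-id <zone-id> --change-batch file://batch.json`; afterwards `aws acm wait certificate-validated --certificate-arn <cert-arn>` blocks until ACM has seen the records and moved the certificate to Issued.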

What This Looks Like on the Job

Enterprise Scenario 1: E-Commerce Platform with Global Distribution

A large e-commerce company uses CloudFront as a CDN with an ALB backend. They need SSL/TLS certificates for multiple domains (e.g., store.example.com, checkout.example.com) and a wildcard for static assets (*.cdn.example.com). They use ACM to request public certificates in us-east-1 for CloudFront and in the ALB's region (eu-west-1) for the load balancer. DNS validation is automated via Route 53 using Terraform. ACM automatically renews certificates, ensuring no downtime. Performance: ACM certificate association with CloudFront takes effect within minutes. The company monitors certificate expiration using AWS Config rules and receives alerts 30 days before expiry. A misconfiguration occurred when a developer requested the CloudFront certificate in eu-west-1 instead of us-east-1, causing the certificate to not appear in the CloudFront dropdown. This is a common exam scenario.

Enterprise Scenario 2: Internal Enterprise Application

A financial services company uses ACM Private CA to issue certificates for internal services, such as an internal load balancer for a microservices architecture. They create a private CA hierarchy with a root CA and subordinate CAs. The root CA is kept offline in a secure S3 bucket with versioning and MFA delete. Subordinate CAs are online and issue certificates to internal ALBs. The company issues certificates for internal DNS names (e.g., app.internal.example.com) and even for IP addresses. They use AWS CLI and CloudFormation to automate certificate issuance. A common issue: if the private CA's certificate expires, all certificates issued by it become invalid. The company uses CloudWatch Events to alert on CA expiration and rotates the CA before expiry.

Enterprise Scenario 3: SaaS Provider with BYOC (Bring Your Own Certificate)

A SaaS provider allows customers to use their own SSL certificates from third-party CAs. Customers import their certificates into ACM. The provider uses ACM to store and deploy these certificates to the customer's dedicated ALB. ACM handles the storage and association, but the customer is responsible for renewal. The provider uses AWS Config to track certificate expiration and notifies customers 60 days before expiry. A problem arises when customers upload certificates with mismatched private keys or invalid chains. ACM validates the certificate chain upon import and rejects invalid ones. The provider uses ACM's import-certificate CLI command to automate bulk imports.

How SAA-C03 Actually Tests This

SAA-C03 Exam Focus on ACM

ACM is tested under Secure Architectures (Domain 1, Objective 1.3: 'Design secure access to AWS resources'). Exam questions typically involve:

Choosing between public and private certificates.

Understanding where to request certificates for CloudFront (must be us-east-1).

Knowing that ACM automatically renews public certificates only if they are associated with an AWS service.

Recognizing that you cannot export private keys from ACM.

Differentiating between DNS and email validation.

Understanding that imported certificates require manual renewal.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong: 'ACM can be used to issue certificates for EC2 instances directly.' Why wrong: ACM does not integrate directly with EC2. You must use a load balancer or CloudFront. Candidates confuse ACM with other certificate management tools.

2. Wrong: 'ACM certificates can be downloaded and installed on any server.' Why wrong: ACM does not allow you to download the private key. The certificate can only be used with integrated AWS services. Candidates think of traditional certificate management.

3. Wrong: 'ACM automatically renews all certificates, including imported ones.' Why wrong: Automatic renewal only applies to certificates issued by ACM public CA. Imported certificates must be renewed manually. Candidates overlook the distinction.

4. Wrong: 'You can request a certificate in any region for CloudFront.' Why wrong: CloudFront requires certificates to be in us-east-1. This is a frequent exam trap. Candidates might think any region works.

Specific Exam Values and Terms

Default renewal period: 60 days before expiration.

DNS validation CNAME prefix: underscore (_).

Email validation sends to 8 addresses.

CloudFront requires us-east-1.

Private CA supports IP addresses; public CA does not.

ACM supports RSA 2048, 4096, and EC keys.

Maximum 10 domain names per certificate.

Default limit: 2,500 certificates per region.

Edge Cases and Exceptions

If a certificate is not associated with any service, ACM will not renew it.

If DNS validation fails during renewal, ACM retries for 45 days.

For wildcard certificates, validation must cover the apex domain (e.g., example.com for *.example.com).

ACM public certificates cannot be issued for localhost or for IP addresses; they cover domain names only.

You can request a certificate for a domain you control even if it is not hosted in Route 53.

How to Eliminate Wrong Answers

If the question involves CloudFront, always consider the us-east-1 region requirement.

If the question mentions 'automatic renewal', check if the certificate is ACM-issued and associated with a service.

If the question asks about 'private key export', the answer is 'not possible' for ACM-issued certificates.

If the question involves 'internal resources', consider ACM Private CA.

Key Takeaways

ACM public certificates are free and automatically renewed when associated with an integrated AWS service.

CloudFront requires ACM certificates to be requested in the US East (N. Virginia) region (us-east-1).

You cannot download the private key of an ACM-issued certificate.

Imported certificates must be manually renewed; ACM does not auto-renew them.

ACM supports RSA 2048, RSA 4096, and EC (P-256, P-384) key algorithms.

DNS validation is preferred over email validation for automation.

ACM Private CA can issue certificates for internal resources, including IP addresses.

ACM can issue certificates with up to 10 domain names (SANs) in a single request.

If a certificate is not associated with any service, ACM will not renew it automatically.

ACM integrates with ALB, NLB, CloudFront, API Gateway, Elastic Beanstalk, CloudFormation, and Nitro Enclaves.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

ACM Public Certificate

Issued by Amazon's public CA, trusted by browsers.

Free of charge.

Automatic renewal if associated with a service.

Cannot be used for IP addresses.

Must be validated via DNS or email.

ACM Private Certificate

Issued by your own private CA (ACM Private CA).

You pay for the CA and each certificate.

No automatic renewal; you manage lifecycle.

Can be used for IP addresses and internal DNS names.

Validation is not required; you control the CA.

Watch Out for These

Mistake

ACM certificates can be used on any AWS service, including EC2 instances directly.

Correct

ACM certificates can only be deployed to integrated AWS services: ALB, NLB, CloudFront, API Gateway, Elastic Beanstalk, CloudFormation, and Nitro Enclaves. They cannot be installed directly on EC2 instances or on-premises servers.

Mistake

ACM automatically renews all certificates, including imported ones.

Correct

Automatic renewal only applies to public certificates issued by ACM. Imported certificates must be manually renewed before expiration. ACM does not manage their lifecycle.

Mistake

You can download the private key for an ACM-issued certificate.

Correct

ACM does not expose the private key. It is securely stored using AWS KMS and can only be used by integrated services. You cannot export it.

Mistake

ACM public certificates are not free; you pay per certificate per month.

Correct

Public certificates issued by ACM are free of charge. You only pay for private certificates via ACM Private CA and for any resources (like load balancers) that use them.

Mistake

ACM supports both public and private certificates for any use case, including mobile apps.

Correct

While ACM supports both, public certificates are trusted by browsers. Private certificates are not trusted by public clients unless you distribute the private CA root certificate. For mobile apps, you typically need a public certificate or a private CA that is trusted by the device.


Frequently Asked Questions

Can I use an ACM certificate with an EC2 instance directly?

No, ACM certificates cannot be directly installed on EC2 instances. They must be used with integrated services like Elastic Load Balancers, CloudFront, or API Gateway. For EC2, you would need to manage certificates separately (e.g., using Let's Encrypt or uploading your own).

How do I renew an imported certificate in ACM?

You must manually obtain a new certificate from your CA and import it into ACM using the console or CLI (aws acm import-certificate). ACM does not automatically renew imported certificates. You should track expiration dates and import the new certificate before the old one expires.

Why can't I see my ACM certificate in CloudFront?

CloudFront only supports certificates from the US East (N. Virginia) region (us-east-1). If you requested the certificate in another region, it will not appear in the CloudFront certificate list. Request a new certificate in us-east-1 or use an existing one from that region.

Can ACM issue a certificate for a wildcard domain (e.g., *.example.com)?

Yes, ACM supports wildcard certificates. You can request a certificate for *.example.com and it will secure any subdomain. You can also include the apex domain (example.com) in the same request as a SAN.

What happens if ACM fails to renew a certificate?

ACM retries validation for up to 45 days. If validation continues to fail, the certificate expires. You can manually request a new certificate or fix the validation issue (e.g., ensure DNS CNAME record exists). CloudWatch events are emitted for renewal failures.

Does ACM support ECDSA certificates?

Yes, ACM supports Elliptic Curve (EC) keys: prime256v1 (P-256) and secp384r1 (P-384). You can specify the key algorithm when requesting a certificate.

Can I use ACM to issue certificates for IP addresses?

For public certificates, no. ACM public certificates only support domain names. However, ACM Private CA can issue certificates for IP addresses, which is useful for internal services.
