AWS Certificate Manager User Guide 2018 Acm Ug

User Manual:

Open the PDF directly: View PDF .
Page Count: 108 [warning: Documents this large are best viewed by clicking the View PDF Link!]

AWS Certificate Manager
Table of Contents
What Is AWS Certificate Manager?
Setting Up
Getting Started
Managed Renewal for ACM's Amazon-Issued Certificates
Importing Certificates into AWS Certificate Manager
Tagging AWS Certificate Manager Certificates
- Tag Restrictions
- Managing Tags
Authentication and Access Control
Using AWS CloudTrail
- Logging AWS Certificate Manager API Calls with AWS CloudTrail
  - ACM Information in CloudTrail
    - ACM Actions Supported in CloudTrail
  - Example: ACM Log File Entries
- Logging ACM-Related API Calls
Using the ACM API
ACM Private Key Security
Troubleshooting
Document History

AWS Certiﬁcate Manager

User Guide

Version 1.0

AWS Certiﬁcate Manager User Guide

AWS Certiﬁcate Manager: User Guide

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner

that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not

owned by Amazon are the property of their respective owners, who may or may not be aﬃliated with, connected to, or sponsored by

Amazon.

AWS Certiﬁcate Manager User Guide

Table of Contents

What Is AWS Certiﬁcate Manager? ....................................................................................................... 1

Concepts ................................................................................................................................... 1

ACM Certiﬁcate .................................................................................................................. 2

Apex Domain ..................................................................................................................... 3

Asymmetric Key Cryptography ............................................................................................. 3

Certiﬁcate Authority ........................................................................................................... 3

Certiﬁcate Transparency Logging ......................................................................................... 4

Domain Name System ........................................................................................................ 4

Domain Names .................................................................................................................. 4

Encryption and Decryption .................................................................................................. 5

Fully Qualiﬁed Domain Name (FQDN) ................................................................................... 5

Public Key Infrastructure ..................................................................................................... 6

Root Certiﬁcate .................................................................................................................. 6

Secure Sockets Layer (SSL) .................................................................................................. 6

Secure HTTPS .................................................................................................................... 6

SSL Server Certiﬁcates ........................................................................................................ 6

Symmetric Key Cryptography .............................................................................................. 6

Transport Layer Security (TLS) ............................................................................................. 6

Trust ................................................................................................................................. 6

ACM Certiﬁcate Characteristics ..................................................................................................... 7

Supported Regions ..................................................................................................................... 8

Integrated Services ..................................................................................................................... 9

Site Seals and Trust Logos ........................................................................................................ 10

Limits ..................................................................................................................................... 10

Number of ACM Certiﬁcates per Year (Last 365 Days) ............................................................ 11

Number of Domain Names per ACM Certiﬁcate .................................................................... 11

Number of Private CAs and Certiﬁcates ............................................................................... 11

Best Practices .......................................................................................................................... 11

AWS CloudFormation ........................................................................................................ 12

Certiﬁcate Pinning ............................................................................................................ 12

Domain Validation ............................................................................................................ 12

Adding or Deleting Domain Names ..................................................................................... 13

Opting Out of Certiﬁcate Transparency Logging ................................................................... 13

Turn on AWS CloudTrail .................................................................................................... 14

Pricing .................................................................................................................................... 14

Setting Up ....................................................................................................................................... 15

Set Up AWS and IAM ................................................................................................................ 15

Sign Up for AWS .............................................................................................................. 15

Create an IAM User .......................................................................................................... 15

Register a Domain Name ........................................................................................................... 16

Set Up Your Site or App ............................................................................................................ 16

Linux Quickstart ............................................................................................................... 17

Windows Quickstart .......................................................................................................... 17

(Optional) Conﬁgure Email ........................................................................................................ 17

WHOIS Database .............................................................................................................. 17

MX Record ....................................................................................................................... 17

(Optional) Conﬁgure CAA .......................................................................................................... 18

Getting Started ................................................................................................................................ 20

Request a Public Certiﬁcate ....................................................................................................... 20

Requesting a public certiﬁcate using the console .................................................................. 20

Requesting a public certiﬁcate using the CLI ........................................................................ 21

Request a Private Certiﬁcate ...................................................................................................... 22

Requesting a private certiﬁcate using the console ................................................................. 22

Requesting a private certiﬁcate using the CLI ....................................................................... 23

Version 1.0

iii

AWS Certiﬁcate Manager User Guide

Export a Private Certiﬁcate ........................................................................................................ 23

Exporting a private certiﬁcate using the console .................................................................. 24

Exporting a private certiﬁcate using the CLI ......................................................................... 24

Validate with DNS .................................................................................................................... 25

Adding a CNAME to Your Database ..................................................................................... 28

Deleting a CNAME from Your Database ............................................................................... 28

Validate with Email .................................................................................................................. 28

List Certiﬁcates ........................................................................................................................ 32

List Certiﬁcates (Console) .................................................................................................. 32

List Certiﬁcates (CLI) ......................................................................................................... 33

Describe Certiﬁcates ................................................................................................................. 34

Describe Certiﬁcates (Console) ........................................................................................... 34

Describe Certiﬁcates (CLI) .................................................................................................. 34

Delete Certiﬁcates .................................................................................................................... 36

Delete Certiﬁcates (Console) .............................................................................................. 36

Delete Certiﬁcates (CLI) ..................................................................................................... 36

Install ACM Certiﬁcates ............................................................................................................. 36

Resend Email (Optional) ............................................................................................................ 36

Resend Email (Console) ..................................................................................................... 37

Resend Email (CLI) ............................................................................................................ 37

Managed Renewal ............................................................................................................................ 38

Domain Validation .................................................................................................................... 38

How Automatic Domain Validation Works ........................................................................... 38

When Automatic Validation Fails ........................................................................................ 39

Check Renewal Status ............................................................................................................... 40

Check the status (console) ................................................................................................. 41

Check the status (API) ....................................................................................................... 41

Check the status (CLI) ....................................................................................................... 41

Check the status (PHD) ..................................................................................................... 41

Request Email (Optional) ........................................................................................................... 42

Importing Certiﬁcates ....................................................................................................................... 44

Prerequisites ............................................................................................................................ 44

Certiﬁcate Format .................................................................................................................... 45

Import a Certiﬁcate .................................................................................................................. 46

Import Using the Console .................................................................................................. 46

Import Using the AWS CLI ................................................................................................. 47

Reimport a Certiﬁcate ............................................................................................................... 47

Reimporting Using the Console .......................................................................................... 48

Reimporting Using the AWS CLI ......................................................................................... 48

Tagging ACM Certiﬁcates .................................................................................................................. 49

Tag Restrictions ........................................................................................................................ 49

Managing Tags ......................................................................................................................... 49

Managing Tags (Console) ................................................................................................... 50

Managing Tags (AWS Command Line Interface) .................................................................... 51

Managing Tags (AWS Certiﬁcate Manager API) ..................................................................... 51

Authentication and Access Control ..................................................................................................... 52

Authentication ......................................................................................................................... 52

Access Control ......................................................................................................................... 53

Overview of Managing Access .................................................................................................... 53

ACM Resources and Operations .......................................................................................... 54

Understanding Resource Ownership .................................................................................... 54

Managing Access to ACM Certiﬁcates .................................................................................. 54

AWS–Managed Policies .............................................................................................................. 55

AWSCertiﬁcateManagerReadOnly ....................................................................................... 55

AWSCertiﬁcateManagerFullAccess ....................................................................................... 55

Customer Managed Policies ....................................................................................................... 56

Inline Policies ........................................................................................................................... 56

Version 1.0

AWS Certiﬁcate Manager User Guide

Listing Certiﬁcates ............................................................................................................ 56

Retrieving a Certiﬁcate ...................................................................................................... 56

Importing a Certiﬁcate ...................................................................................................... 57

Deleting a Certiﬁcate ........................................................................................................ 57

Read-Only Access to ACM .................................................................................................. 57

Full Access to ACM ........................................................................................................... 58

Administrator Access to All AWS Resources .......................................................................... 58

ACM API Permissions Reference ................................................................................................. 58

Using AWS CloudTrail ....................................................................................................................... 60

Logging ACM API Calls .............................................................................................................. 60

ACM Information in CloudTrail ........................................................................................... 60

Example: ACM Log File Entries ........................................................................................... 61

Logging ACM-Related API Calls .................................................................................................. 69

Creating a Load Balancer .................................................................................................. 70

Registering Amazon EC2 ................................................................................................... 70

Encrypting a Private Key ................................................................................................... 71

Decrypting a Private Key ................................................................................................... 72

Using the ACM API ........................................................................................................................... 74

AddTagsToCertiﬁcate ................................................................................................................ 74

DeleteCertiﬁcate ...................................................................................................................... 76

DescribeCertiﬁcate .................................................................................................................... 77

ExportCertiﬁcate ...................................................................................................................... 79

GetCertiﬁcate ........................................................................................................................... 81

ImportCertiﬁcate ...................................................................................................................... 83

ListCertiﬁcates ......................................................................................................................... 85

ListTagsForCertiﬁcate ................................................................................................................ 86

RemoveTagsFromCertiﬁcate ....................................................................................................... 88

RequestCertiﬁcate .................................................................................................................... 89

ResendValidationEmail .............................................................................................................. 91

ACM Private Key Security .................................................................................................................. 93

Troubleshooting ............................................................................................................................... 94

CAA Records ............................................................................................................................ 94

Email ...................................................................................................................................... 94

Not Receiving Validation Email ........................................................................................... 95

Email Sent to Subdomain .................................................................................................. 96

Hidden Contact Information .............................................................................................. 96

Certiﬁcate Renewals ......................................................................................................... 97

WHOIS Throttling ............................................................................................................. 97

Certiﬁcate Importing ................................................................................................................ 97

Certiﬁcate Pinning .................................................................................................................... 97

Certiﬁcate Requests .................................................................................................................. 98

Certiﬁcate Request Timed Out ........................................................................................... 98

Certiﬁcate Request Failed .................................................................................................. 98

Certiﬁcate Renewal ................................................................................................................... 99

Automatic Domain Validation ........................................................................................... 100

Asynchronous Process ..................................................................................................... 100

Certiﬁcate Validation .............................................................................................................. 100

Validation Not Complete ................................................................................................. 100

.IO Domains ........................................................................................................................... 101

API Gateway .......................................................................................................................... 101

Document History .......................................................................................................................... 102

Version 1.0

AWS Certiﬁcate Manager User Guide

Concepts

What Is AWS Certiﬁcate Manager?

Welcome to the AWS Certiﬁcate Manager (ACM) service. ACM handles the complexity of creating and

managing public SSL/TLS certiﬁcates for your AWS based websites and applications. You can use

public certiﬁcates provided by ACM (p. 20) (ACM certiﬁcates) or certiﬁcates that you import into

ACM (p. 44). ACM certiﬁcates can secure multiple domain names and multiple names within a domain.

You can also use ACM to create wildcard SSL certiﬁcates that can protect an unlimited number of

subdomains.

ACM is tightly linked with AWS Certiﬁcate Manager Private Certiﬁcate Authority. You can use ACM PCA to

create a private certiﬁcate authority (CA) and then use ACM to issue private certiﬁcates. These are SSL/

TLS X.509 certiﬁcates that identify users, computers, applications, services, servers, and other devices

internally. Private certiﬁcates cannot be publicly trusted. For more information about ACM PCA, see the

AWS Certiﬁcate Manager Private Certiﬁcate Authority User Guide. Private certiﬁcates issued by using

ACM are much like public ACM certiﬁcates. They have similar beneﬁts and restrictions. The beneﬁts

include managing the private keys associated with the certiﬁcate, renewing certiﬁcates, and enabling you

to use the console to deploy your private certiﬁcate with integrated services. For more information about

the restrictions associated with using ACM, see Request a Private Certiﬁcate (p. 22). You can also use

ACM to export a private certiﬁcate and encrypted private key to use anywhere. For more information,

see Export a Private Certiﬁcate (p. 23). For information about the beneﬁts of using ACM PCA as a

standalone service to issue private certiﬁcates, see the introduction in the ACM PCA User Guide.

Note

You cannot install public ACM certiﬁcates directly on your website or application. You must

install your certiﬁcate by using one of the services integrated with ACM and ACM PCA.

For more information about these services, see Services Integrated with AWS Certiﬁcate

Manager (p. 9).

Topics

•Concepts (p. 1)

•ACM Certiﬁcate Characteristics (p. 7)

•Supported Regions (p. 8)

•Services Integrated with AWS Certiﬁcate Manager (p. 9)

•Site Seals and Trust Logos (p. 10)

•Limits (p. 10)

•Best Practices (p. 11)

•Pricing for AWS Certiﬁcate Manager (p. 14)

Concepts

This section introduces basic terms and concepts related to AWS Certiﬁcate Manager (ACM).

Topics

•ACM Certiﬁcate (p. 2)

•Apex Domain (p. 3)

•Asymmetric Key Cryptography (p. 3)

•Certiﬁcate Authority (p. 3)

•Certiﬁcate Transparency Logging (p. 4)

•Domain Name System (p. 4)

•Domain Names (p. 4)

Version 1.0

AWS Certiﬁcate Manager User Guide

ACM Certiﬁcate

•Encryption and Decryption (p. 5)

•Fully Qualiﬁed Domain Name (FQDN) (p. 5)

•Public Key Infrastructure (p. 6)

•Root Certiﬁcate (p. 6)

•Secure Sockets Layer (SSL) (p. 6)

•Secure HTTPS (p. 6)

•SSL Server Certiﬁcates (p. 6)

•Symmetric Key Cryptography (p. 6)

•Transport Layer Security (TLS) (p. 6)

•Trust (p. 6)

ACM Certiﬁcate

ACM generates X.509 version 3 certiﬁcates. Each is valid for 13 months and contains the following

extensions.

•Basic Constraints- speciﬁes whether the subject of the certiﬁcate is a certiﬁcation authority (CA)

•Authority Key Identiﬁer- enables identiﬁcation of the public key corresponding to the private key

used to sign the certiﬁcate.

•Subject Key Identiﬁer- enables identiﬁcation of certiﬁcates that contain a particular public key.

•Key Usage- deﬁnes the purpose of the public key embedded in the certiﬁcate.

•Extended Key Usage- speciﬁes one or more purposes for which the public key may be used in addition

to the purposes speciﬁed by the Key Usage extension.

•CRL Distribution Points- speciﬁes where CRL information can be obtained.

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

f2:16:ad:85:d8:42:d1:8a:3f:33:fa:cc:c8:50:a8:9e

Signature Algorithm: sha256WithRSAEncryption

Issuer: O=Example CA

Validity

Not Before: Jan 30 18:46:53 2018 GMT

Not After : Jan 31 19:46:53 2018 GMT

Subject: C=US, ST=VA, L=Herndon, O=Amazon, OU=AWS, CN=example.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:ba:a6:8a:aa:91:0b:63:e8:08:de:ca:e7:59:a4:

69:4c:e9:ea:26:04:d5:31:54:f5:ec:cb:4e:af:27:

e3:94:0f:a6:85:41:6b:8e:a3:c1:c8:c0:3f:1c:ac:

a2:ca:0a:b2:dd:7f:c0:57:53:0b:9f:b4:70:78:d5:

43:20:ef:2c:07:5a:e4:1f:d1:25:24:4a:81:ab:d5:

08:26:73:f8:a6:d7:22:c2:4f:4f:86:72:0e:11:95:

03:96:6d:d5:3f:ff:18:a6:0b:36:c5:4f:78:bc:51:

b5:b6:36:86:7c:36:65:6f:2e:82:73:1f:c7:95:85:

a4:77:96:3f:c0:96:e2:02:94:64:f0:3a:df:e0:76:

05:c4:56:a2:44:72:6f:8a:8a:a1:f3:ee:34:47:14:

bc:32:f7:50:6a:e9:42:f5:f4:1c:9a:7a:74:1d:e5:

68:09:75:19:4b:ac:c6:33:90:97:8c:0d:d1:eb:8a:

02:f3:3e:01:83:8d:16:f6:40:39:21:be:1a:72:d8:

5a:15:68:75:42:3e:f0:0d:54:16:ed:9a:8f:94:ec:

59:25:e0:37:8e:af:6a:6d:99:0a:8d:7d:78:0f:ea:

Version 1.0

AWS Certiﬁcate Manager User Guide

Apex Domain

40:6d:3a:55:36:8e:60:5b:d6:0d:b4:06:a3:ac:ab:

e2:bf:c9:b7:fe:22:9e:2a:f6:f3:42:bb:94:3e:b7:

08:73

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

X509v3 Authority Key Identifier:

keyid:84:8C:AC:03:A2:38:D9:B6:81:7C:DF:F1:95:C3:28:31:D5:F7:88:42

X509v3 Subject Key Identifier:

97:06:15:F1:EA:EC:07:83:4C:19:A9:2F:AF:BA:BB:FC:B2:3B:55:D8

X509v3 Key Usage: critical

Digital Signature, Key Encipherment

X509v3 Extended Key Usage:

TLS Web Server Authentication, TLS Web Client Authentication

X509v3 CRL Distribution Points:

Full Name:

URI:http://example.com/crl

Signature Algorithm: sha256WithRSAEncryption

69:03:15:0c:fb:a9:39:a3:30:63:b2:d4:fb:cc:8f:48:a3:46:

69:60:a7:33:4a:f4:74:88:c6:b6:b6:b8:ab:32:c2:a0:98:c6:

8d:f0:8f:b5:df:78:a1:5b:02:18:72:65:bb:53:af:2f:3a:43:

76:3c:9d:d4:35:a2:e2:1f:29:11:67:80:29:b9:fe:c9:42:52:

cb:6d:cd:d0:e2:2f:16:26:19:cd:f7:26:c5:dc:81:40:3b:e3:

d1:b0:7e:ba:80:99:9a:5f:dd:92:b0:bb:0c:32:dd:68:69:08:

e9:3c:41:2f:15:a7:53:78:4d:33:45:17:3e:f2:f1:45:6b:e7:

17:d4:80:41:15:75:ed:c3:d4:b5:e3:48:8d:b5:0d:86:d4:7d:

94:27:62:84:d8:98:6f:90:1e:9c:e0:0b:fa:94:cc:9c:ee:3a:

8a:6e:6a:9d:ad:b8:76:7b:9a:5f:d1:a5:4f:d0:b7:07:f8:1c:

03:e5:3a:90:8c:bc:76:c9:96:f0:4a:31:65:60:d8:10:fc:36:

44:8a:c1:fb:9c:33:75:fe:a6:08:d3:89:81:b0:6f:c3:04:0b:

a3:04:a1:d1:1c:46:57:41:08:40:b1:38:f9:57:62:97:10:42:

8e:f3:a7:a8:77:26:71:74:c2:0a:5b:9e:cc:d5:2c:c5:27:c3:

12:b9:35:d5

Apex Domain

See Domain Names (p. 4).

Asymmetric Key Cryptography

Unlike Symmetric Key Cryptography (p. 6), asymmetric cryptography uses diﬀerent but

mathematically related keys to encrypt and decrypt content. One of the keys is public and is typically

made available in an X.509 v3 certiﬁcate. The other key is private and is stored securely. The X.509

certiﬁcate binds the identity of a user, computer, or other resource (the certiﬁcate subject) to the public

key.

ACM Certiﬁcates are X.509 SSL/TLS certiﬁcates that bind the identity of your website and the details of

your organization to the public key that is contained in the certiﬁcate. ACM stores the associated private

key in a hardware security module (HSM).

Certiﬁcate Authority

A certiﬁcate authority (CA) is an entity that issues digital certiﬁcates. Commercially, the most common

type of digital certiﬁcate is based on the ISO X.509 standard. The CA issues signed digital certiﬁcates

that aﬃrm the identity of the certiﬁcate subject and bind that identity to the public key contained in the

certiﬁcate. A CA also typically manages certiﬁcate revocation.

Version 1.0

AWS Certiﬁcate Manager User Guide

Certiﬁcate Transparency Logging

To guard against SSL/TLS certiﬁcates that are issued by mistake or by a compromised CA, some browsers

require that public certiﬁcates issued for your domain be recorded in a certiﬁcate transparency log. The

domain name is recorded. The private key is not. Certiﬁcates that are not logged typically generate an

error in the browser.

You can monitor the logs to make sure that only certiﬁcates you have authorized have been issued for

your domain. You can use a service such as Certiﬁcate Search to check the logs.

Before the Amazon CA issues a publicly trusted SSL/TLS certiﬁcate for your domain, it submits the

certiﬁcate to at least two certiﬁcate transparency log servers. These servers add the certiﬁcate to

their public databases and return a signed certiﬁcate timestamp (SCT) to the Amazon CA. The CA then

embeds the SCT in the certiﬁcate, signs the certiﬁcate, and issues it to you. The timestamps are included

with other X.509 extensions.

X509v3 extensions:

CT Precertificate SCTs:

Signed Certificate Timestamp:

Version : v1(0)

Log ID : BB:D9:DF:...8E:1E:D1:85

Timestamp : Apr 24 23:43:15.598 2018 GMT

Extensions: none

Signature : ecdsa-with-SHA256

30:45:02:...18:CB:79:2F

Signed Certificate Timestamp:

Version : v1(0)

Log ID : 87:75:BF:...A0:83:0F

Timestamp : Apr 24 23:43:15.565 2018 GMT

Extensions: none

Signature : ecdsa-with-SHA256

30:45:02:...29:8F:6C

Certiﬁcate transparency logging is automatic when you request or renew a certiﬁcate unless you

choose to opt out. For more information about opt out, see Opting Out of Certiﬁcate Transparency

Logging (p. 13).

Domain Name System

The Domain Name System (DNS) is a hierarchical distributed naming system for computers and other

resources connected to the internet or a private network. DNS is primarily used to translate textual

domain names, such as aws.amazon.com, into numerical IP (Internet Protocol) addresses of the form

111.222.333.444. The DNS database for your domain, however, contains a number of records that

can be used for other purposes. For example, with ACM you can use a CNAME record to validate that you

own or control a domain when you request a certiﬁcate. For more information, see Use DNS to Validate

Domain Ownership (p. 25).

Domain Names

A domain name is a text string such as www.example.com that can be translated by the Domain Name

System (DNS) into an IP address. Computer networks, including the internet, use IP addresses rather than

text names. A domain name consists of distinct labels separated by periods:

TLD

Version 1.0

AWS Certiﬁcate Manager User Guide

Encryption and Decryption

The rightmost label is called the top-level domain (TLD). Common examples include .com, .net, and

.edu. Also, the TLD for entities registered in some countries is an abbreviation of the country name

and is called a country code. Examples include .uk for the United Kingdom, .ru for Russia, and .fr for

France. When country codes are used, a second-level hierarchy for the TLD is often introduced to identify

the type of the registered entity. For example, the .co.uk TLD identiﬁes commercial enterprises in the

United Kingdom.

Apex domain

The apex domain name includes and expands on the top-level domain. For domain names that include

a country code, the apex domain includes the code and the labels, if any, that identify the type of the

registered entity. The apex domain does not include subdomains (see the following paragraph). In

www.example.com, the name of the apex domain is example.com. In www.example.co.uk, the name

of the apex domain is example.co.uk. Other names that are often used instead of apex include base,

bare, root, root apex, or zone apex.

Subdomain

Subdomain names precede the apex domain name and are separated from it and from each other by a

period. The most common subdomain name is www, but any name is possible. Also, subdomain names

can have multiple levels. For example, in jake.dog.animals.example.com, the subdomains are

jake, dog, and animals in that order.

FQDN

A fully qualiﬁed domain name (FQDN) is the complete DNS name for a computer, website, or other

resource connected to a network or to the internet. For example aws.amazon.com is the FQDN

for Amazon Web Services. An FQDN includes all domains up to the top–level domain. For example,

[subdomain1].[subdomain2]...[subdomainn].[apex domain].[top–level domain]

represents the general format of an FQDN.

PQDN

A domain name that is not fully qualiﬁed is called a partially qualiﬁed domain name (PQDN) and is

ambiguous. A name such as [subdomain1.subdomain2.] is a PQDN because the root domain cannot

be determined.

Registration

The right to use a domain name is delegated by domain name registrars. Registrars are typically

accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). In addition, other

organizations called registries maintain the TLD databases. When you request a domain name, the

registrar sends your information to the appropriate TLD registry. The registry assigns a domain name,

updates the TLD database, and publishes your information to WHOIS. Typically, domain names must be

purchased.

Encryption and Decryption

Encryption is the process of providing data conﬁdentiality. Decryption reverses the process and recovers

the original data. Unencrypted data is typically called plaintext whether it is text or not. Encrypted

data is typically called ciphertext. HTTPS encryption of messages between clients and servers uses

algorithms and keys. Algorithms deﬁne the step-by-step procedure by which plaintext data is converted

into ciphertext (encryption) and ciphertext is converted back into the original plaintext (decryption). Keys

are used by algorithms during the encryption or decryption process. Keys can be either private or public.

Fully Qualiﬁed Domain Name (FQDN)

See Domain Names (p. 4).

Version 1.0

AWS Certiﬁcate Manager User Guide

Public Key Infrastructure

A public key infrastructure (PKI) consists of hardware, software, people, policies, documents, and

procedures that are needed to create, issue, manage, distribute, use, store, and revoke digital certiﬁcates.

PKI facilitates the secure transfer of information across computer networks.

Root Certiﬁcate

A certiﬁcate authority (CA) typically exists within a hierarchical structure that contains multiple other CAs

with clearly deﬁned parent-child relationships between them. Child or subordinate CAs are certiﬁed by

their parent CAs, creating a certiﬁcate chain. The CA at the top of the hierarchy is referred to as the root

CA, and its certiﬁcate is called the root certiﬁcate. This certiﬁcate is typically self-signed.

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide

communication security over a computer network. TLS is the successor of SSL. They both use X.509

certiﬁcates to authenticate the server. Both protocols negotiate a symmetric key between the client and

the server that is used to encrypt data ﬂowing between the two entities.

Secure HTTPS

HTTPS stands for HTTP over SSL/TLS, a secure form of HTTP that is supported by all major browsers

and servers. All HTTP requests and responses are encrypted before being sent across a network. HTTPS

combines the HTTP protocol with symmetric, asymmetric, and X.509 certiﬁcate-based cryptographic

techniques. HTTPS works by inserting a cryptographic security layer below the HTTP application layer

and above the TCP transport layer in the Open Systems Interconnection (OSI) model. The security layer

uses the Secure Sockets Layer (SSL) protocol or the Transport Layer Security (TLS) protocol.

SSL Server Certiﬁcates

HTTPS transactions require server certiﬁcates to authenticate a server. A server certiﬁcate is an X.509

v3 data structure that binds the public key in the certiﬁcate to the subject of the certiﬁcate. An SSL/

TLS certiﬁcate is signed by a certiﬁcate authority (CA) and contains the name of the server, the validity

period, the public key, the signature algorithm, and more.

Symmetric Key Cryptography

Symmetric key cryptography uses the same key to both encrypt and decrypt digital data. See also

Asymmetric Key Cryptography (p. 3).

Transport Layer Security (TLS)

See Secure Sockets Layer (SSL) (p. 6).

Trust

In order for a web browser to trust the identity of a website, the browser must be able to verify the

website's certiﬁcate. Browsers, however, trust only a small number of certiﬁcates known as CA root

certiﬁcates. A trusted third party, known as a certiﬁcate authority (CA), validates the identity of the

website and issues a signed digital certiﬁcate to the website's operator. The browser can then check the

Version 1.0

AWS Certiﬁcate Manager User Guide

ACM Certiﬁcate Characteristics

digital signature to validate the identity of the website. If validation is successful, the browser displays a

lock icon in the address bar.

ACM Certiﬁcate Characteristics

Certiﬁcates provided by ACM have the characteristics described in this section.

Note

These characteristics apply only to certiﬁcates provided by ACM. They might not apply to

certiﬁcates that you import into ACM (p. 44).

Domain Validation (DV)

ACM Certiﬁcates are domain validated. That is, the subject ﬁeld of an ACM Certiﬁcate identiﬁes a

domain name and nothing more. When you request an ACM Certiﬁcate, you must validate that you

own or control all of the domains that you specify in your request. You can validate ownership by

using email or DNS. For more information, see Use Email to Validate Domain Ownership (p. 28)

and Use DNS to Validate Domain Ownership (p. 25).

Validity Period

The validity period for ACM Certiﬁcates is currently 13 months.

Managed Renewal and Deployment

ACM manages the process of renewing ACM Certiﬁcates and provisioning the certiﬁcates after

they are renewed. Automatic renewal can help you avoid downtime due to incorrectly conﬁgured,

revoked, or expired certiﬁcates. For more information, see Managed Renewal for ACM's Amazon-

Issued Certiﬁcates (p. 38).

Browser and Application Trust

ACM Certiﬁcates are trusted by all major browsers including Google Chrome, Microsoft Internet

Explorer and Microsoft Edge, Mozilla Firefox, and Apple Safari. Browsers that trust ACM Certiﬁcates

display a lock icon in their status bar or address bar when connected by SSL/TLS to sites that use

ACM Certiﬁcates. ACM Certiﬁcates are also trusted by Java.

Multiple Domain Names

Each ACM Certiﬁcate must include at least one fully qualiﬁed domain name (FQDN), and you can

add additional names if you want. For example, when you are creating an ACM Certiﬁcate for

www.example.com, you can also add the name www.example.net if customers can reach your

site by using either name. This is also true of bare domains (also known as the zone apex or naked

domains). That is, you can request an ACM Certiﬁcate for www.example.com and add the name

example.com. For more information, see Request a Public Certiﬁcate (p. 20).

Wildcard Names

ACM allows you to use an asterisk (*) in the domain name to create an ACM Certiﬁcate containing

a wildcard name that can protect several sites in the same domain. For example, *.example.com

protects www.example.com and images.example.com.

Note

When you request a wildcard certiﬁcate, the asterisk (*) must be in the leftmost

position of the domain name and can protect only one subdomain level. For example,

*.example.com can protect login.example.com and test.example.com, but it

cannot protect test.login.example.com. Also note that *.example.com protects

only the subdomains of example.com, it does not protect the bare or apex domain

(example.com). However, you can request a certiﬁcate that protects a bare or apex domain

and its subdomains by specifying multiple domain names in your request. For example, you

can request a certiﬁcate that protects example.com and *.example.com.

Version 1.0

AWS Certiﬁcate Manager User Guide

Supported Regions

Algorithms

A certiﬁcate must specify an algorithm and key size. Currently, the following public key algorithms

are supported by ACM:

• 1024-bit RSA (RSA_1024)

• 2048-bit RSA (RSA_2048)

• 4096-bit RSA (RSA_4096)

• Elliptic Prime Curve 256 bit (EC_prime256v1)

• Elliptic Prime Curve 384 bit (EC_secp384r1)

• Elliptic Prime Curve 521 bit (EC_secp521r1)

Important

Note that integrated services allow only algorithms and key sizes they support to be

associated with their resources. Further, their support diﬀers depending on whether the

certiﬁcate is imported into IAM or into ACM. For more information, see the documentation

for each service.

• For Elastic Load Balancing, see HTTPS Listeners for Your Application Load Balancer.

• For CloudFront, see Supported SSL/TLS Protocols and Ciphers.

Exceptions

Note the following:

• ACM does not provide extended validation (EV) certiﬁcates or organization validation (OV)

certiﬁcates.

• ACM does not provide certiﬁcates for anything other than the SSL/TLS protocols.

• You cannot use ACM Certiﬁcates for email encryption.

• ACM allows only UTF-8 encoded ASCII for domain names, including labels that contain

"xn--" (Punycode). ACM does not accept Unicode input (u-labels) for domain names.

• ACM does not currently permit you to opt out of managed certiﬁcate renewal (p. 38) for ACM

Certiﬁcates. Also, managed renewal is not available for certiﬁcates that you import into ACM.

• You cannot request certiﬁcates for Amazon-owned domain names such as those ending in

amazonaws.com, cloudfront.net, or elasticbeanstalk.com.

• You cannot download the private key for an ACM Certiﬁcate.

• You cannot directly install ACM Certiﬁcates on your Amazon Elastic Compute Cloud (Amazon EC2)

website or application. You can, however, use your certiﬁcate with any integrated service. For more

information, see Services Integrated with AWS Certiﬁcate Manager (p. 9).

Supported Regions

Visit AWS Regions and Endpoints in the AWS General Reference or the AWS Region Table to see the

regional availability for ACM.

Like most AWS resources, certiﬁcates in ACM are regional resources. To use a certiﬁcate with Elastic

Load Balancing for the same fully qualiﬁed domain name (FQDN) or set of FQDNs in more than one

AWS region, you must request or import a certiﬁcate for each region. For certiﬁcates provided by ACM,

this means you must revalidate each domain name in the certiﬁcate for each region. You cannot copy a

certiﬁcate between regions.

To use an ACM Certiﬁcate with Amazon CloudFront, you must request or import the certiﬁcate in the US

East (N. Virginia) region. ACM Certiﬁcates in this region that are associated with a CloudFront distribution

are distributed to all the geographic locations conﬁgured for that distribution.

Version 1.0

AWS Certiﬁcate Manager User Guide

Integrated Services

Services Integrated with AWS Certiﬁcate Manager

AWS Certiﬁcate Manager supports a growing number of AWS services. You cannot install your ACM

certiﬁcate or your private ACM PCA certiﬁcate directly on your AWS based website or application. You

must use one of the following services.

Elastic Load Balancing

Elastic Load Balancing automatically distributes your incoming application traﬃc across multiple

Amazon EC2 instances. It detects unhealthy instances and reroutes traﬃc to healthy instances until

the unhealthy instances have been restored. Elastic Load Balancing automatically scales its request

handling capacity in response to incoming traﬃc. For more information about load balancing, see

the Elastic Load Balancing User Guide.

In general, to serve secure content over SSL/TLS, load balancers require that SSL/TLS certiﬁcates be

installed on either the load balancer or the backend Amazon EC2 instance. ACM is integrated with

Elastic Load Balancing to deploy ACM certiﬁcates on the load balancer. For more information, see

Create an Application Load Balancer.

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your dynamic and static web

content to end users by delivering your content from a worldwide network of edge locations.

When an end user requests content that you're serving through CloudFront, the user is routed to

the edge location that provides the lowest latency. This ensures that content is delivered with the

best possible performance. If the content is currently at that edge location, CloudFront delivers it

immediately. If the content is not currently at that edge location, CloudFront retrieves it from the

Amazon S3 bucket or web server that you have identiﬁed as the deﬁnitive content source. For more

information about CloudFront, see the Amazon CloudFront Developer Guide.

To serve secure content over SSL/TLS, CloudFront requires that SSL/TLS certiﬁcates be installed

on either the CloudFront distribution or on the backend content source. ACM is integrated with

CloudFront to deploy ACM certiﬁcates on the CloudFront distribution. For more information, see

Getting an SSL/TLS Certiﬁcate.

Note

To use an ACM certiﬁcate with CloudFront, you must request or import the certiﬁcate in the

US East (N. Virginia) region.

AWS Elastic Beanstalk

Elastic Beanstalk helps you deploy and manage applications in the AWS Cloud without worrying

about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management

complexity. You simply upload your application and Elastic Beanstalk automatically handles the

details of capacity provisioning, load balancing, scaling, and health monitoring. Elastic Beanstalk

uses the Elastic Load Balancing service to create a load balancer. For more information about Elastic

Beanstalk, see the AWS Elastic Beanstalk Developer Guide.

To choose a certiﬁcate, you must conﬁgure the load balancer for your application in the Elastic

Beanstalk console. For more information, see Conﬁguring Your Elastic Beanstalk Environment's Load

Balancer to Terminate HTTPS.

Amazon API Gateway

With the proliferation of mobile devices and growth of the Internet of Things (IoT), it has become

increasingly common to create APIs that can be used to access data and interact with back-end

systems on AWS. You can use API Gateway to publish, maintain, monitor, and secure your APIs. After

you deploy your API to API Gateway, you can set up a custom domain name to simplify access to

it. To set up a custom domain name, you must provide an SSL/TLS certiﬁcate. You can use ACM to

generate or import the certiﬁcate.

Version 1.0

AWS Certiﬁcate Manager User Guide

Site Seals and Trust Logos

AWS CloudFormation

AWS CloudFormation helps you model and set up your Amazon Web Services resources. You

create a template that describes the AWS resources that you want to use, such as Elastic Load

Balancing or API Gateway. Then AWS CloudFormation takes care of provisioning and conﬁguring

those resources for you. You don't need to individually create and conﬁgure AWS resources and

ﬁgure out what's dependent on what; AWS CloudFormation handles all of that. ACM certiﬁcates

are included as a template resource, which means that AWS CloudFormation can request ACM

certiﬁcates that you can use with AWS services to enable secure connections. For more information,

see AWS::CertiﬁcateManager::Certiﬁcate. In addition, ACM certiﬁcates are included with many of the

AWS resources that you can set up with AWS CloudFormation.

Note

If you create an ACM certiﬁcate with AWS CloudFormation, the AWS CloudFormation stack

remains in the CREATE_IN_PROGRESS state. Any further stack operations are delayed until

you act upon the instructions in the certiﬁcate validation email. For more information, see

Resource Failed to Stabilize During a Create, Update, or Delete Stack Operation.

Site Seals and Trust Logos

Amazon doesn't provide a site seal or allow its trademark to be used as one:

• AWS Certiﬁcate Manager (ACM) doesn't provide a secure site seal that you can use on your website. If

you want to use a site seal, you can obtain one from a third-party vendor. We recommend choosing a

vendor that evaluates and asserts the security of your website or business practices.

• Amazon doesn't allow its trademark or logo to be used as a certiﬁcate badge, site seal, or trust logo.

Seals and badges of this type can be copied to sites that don't use the ACM service, and can be used

inappropriately to establish trust under false pretenses. To protect our customers and the reputation

of Amazon, we don't allow our trademark and logo to be used in this way.

Limits

The following AWS Certiﬁcate Manager (ACM) limits apply to each AWS region and each AWS account.

To request higher limits, create a case at the AWS Support Center. New AWS accounts might start with

limits that are lower than those that are described here.

Item Default Limit

Number of ACM Certiﬁcates 1000

Number of ACM Certiﬁcates per year (last 365

days)

Twice your account limit

Number of imported certiﬁcates 1000

Number of imported certiﬁcates per year (last 365

days)

Twice your account limit

Number of domain names per ACM Certiﬁcate 10

Number of Private CAs 10

Number of Private Certiﬁcates per CA 50,000

Version 1.0

AWS Certiﬁcate Manager User Guide

Number of ACM Certiﬁcates per Year (Last 365 Days)

Topics

•Number of ACM Certiﬁcates per Year (Last 365 Days) (p. 11)

•Number of Domain Names per ACM Certiﬁcate (p. 11)

•Number of Private CAs and Certiﬁcates (p. 11)

Number of ACM Certiﬁcates per Year (Last 365 Days)

You can request up to twice your limit of ACM Certiﬁcates every year. For example, if your limit is 25, you

can request up to 50 ACM Certiﬁcates a year. If you request 50 certiﬁcates, you must delete 25 during the

year to stay within your limit. If you need more than 25 certiﬁcates, in this example, you must contact

the AWS Support Center.

Note

Although the preceding table indicates that an account can own up to 100 ACM Certiﬁcates,

new AWS accounts might start with a lower limit.

Number of Domain Names per ACM Certiﬁcate

The default limit is 10 domain names for each ACM Certiﬁcate. Your limit may be greater. The ﬁrst

domain name that you submit is included as the subject common name (CN) of the certiﬁcate. All names

are included in the Subject Alternative Name extension.

You can request up to 100 domain names. To request an increase in your limit, create a case at the AWS

Support Center . Before creating a case, however, make sure you understand how adding more domain

names can create more administrative work for you if you use email validation. For more information,

see Domain Validation (p. 12).

Note

The limit for the number of domain names per ACM Certiﬁcate applies only to certiﬁcates that

are provided by ACM. This limit does not apply to certiﬁcates that you import into ACM. The

following sections apply only to ACM Certiﬁcates.

Number of Private CAs and Certiﬁcates

ACM is integrated with ACM PCA. You can use the ACM console, AWS CLI, or ACM API to request private

certiﬁcates from an existing private certiﬁcate authority (CA). The certiﬁcates are managed within

the ACM environment and have the same restrictions as public certiﬁcates issued by ACM. For more

information, see Request a Private Certiﬁcate (p. 22). You can also issue private certiﬁcates by using

the standalone ACM PCA service. For more information, see Issue a Private Certiﬁcate. You can create 10

private CAs and 50,000 private certiﬁcates for each.

Best Practices

Best practices are recommendations that can help you use AWS Certiﬁcate Manager (AWS Certiﬁcate

Manager) more eﬀectively. The following best practices are based on real-world experience from current

ACM customers.

Topics

•AWS CloudFormation (p. 12)

•Certiﬁcate Pinning (p. 12)

•Domain Validation (p. 12)

•Adding or Deleting Domain Names (p. 13)

Version 1.0

AWS Certiﬁcate Manager User Guide

AWS CloudFormation

•Opting Out of Certiﬁcate Transparency Logging (p. 13)

•Turn on AWS CloudTrail (p. 14)

AWS CloudFormation

With AWS CloudFormation you can create a template that describes the AWS resources that you

want to use. AWS CloudFormation then provisions and conﬁgures those resources for you. AWS

CloudFormation can provision resources that are supported by ACM such as Elastic Load Balancing,

Amazon CloudFront, and Amazon API Gateway. For more information, see Services Integrated with AWS

Certiﬁcate Manager (p. 9).

If you use AWS CloudFormation to quickly create and delete multiple test environments, we

recommend that you do not create a separate ACM Certiﬁcate for each environment. Doing so will

quickly exhaust your certiﬁcate limit. For more information, see Limits (p. 10). Instead, create a

wildcard certiﬁcate that covers all of the domain names that you are using for testing. For example,

if you repeatedly create ACM Certiﬁcates for domain names that vary by only a version number,

such as <version>.service.example.com, create instead a single wildcard certiﬁcate for

<*>.service.example.com. Include the wildcard certiﬁcate in the template that AWS CloudFormation

uses to create your test environment.

Certiﬁcate Pinning

Certiﬁcate pinning, sometimes known as SSL pinning, is a process that you can use in your application to

validate a remote host by associating that host directly with its X.509 certiﬁcate or public key instead of

with a certiﬁcate hierarchy. The application therefore uses pinning to bypass SSL/TLS certiﬁcate chain

validation. The typical SSL validation process checks signatures throughout the certiﬁcate chain from

the root certiﬁcate authority (CA) certiﬁcate through the subordinate CA certiﬁcates, if any. It also checks

the certiﬁcate for the remote host at the bottom of the hierarchy. Your application can instead pin to the

certiﬁcate for the remote host to say that only that certiﬁcate and not the root certiﬁcate or any other

in the chain is trusted. You can add the remote host's certiﬁcate or public key to your application during

development. Alternatively, the application can add the certiﬁcate or key when it ﬁrst connects to the

host.

Warning

We recommend that your application not pin an ACM Certiﬁcate. ACM performs Managed

Renewal for ACM's Amazon-Issued Certiﬁcates (p. 38) to automatically renew your Amazon-

issued SSL/TLS certiﬁcates before they expire. To renew a certiﬁcate, ACM generates a new

public-private key pair. If your application pins the ACM Certiﬁcate and the certiﬁcate is

successfully renewed with a new public key, the application might be unable to connect to your

domain.

If you decide to pin a certiﬁcate, the following options will not hinder your application from connecting

to your domain:

•Import your own certiﬁcate into ACM and then pin your application to the imported certiﬁcate. ACM

doesn't try to automatically renew imported certiﬁcates.

• Pin your application to an Amazon root certiﬁcate.

Domain Validation

Before the Amazon certiﬁcate authority (CA) can issue a certiﬁcate for your site, AWS Certiﬁcate Manager

(ACM) must verify that you own or control all the domains that you speciﬁed in your request. You can

perform veriﬁcation using either email or DNS. For more information, see Use Email to Validate Domain

Ownership (p. 25) and Use Email to Validate Domain Ownership (p. 25).

Version 1.0

AWS Certiﬁcate Manager User Guide

Adding or Deleting Domain Names

You cannot add or remove domain names from an existing ACM Certiﬁcate. Instead you must request

a new certiﬁcate with the revised list of domain names. For example, if your certiﬁcate has ﬁve domain

names and you want to add four more, you must request a new certiﬁcate with all nine domain names.

As with any new certiﬁcate, you must validate ownership of all the domain names in the request,

including the names that you previously validated for the original certiﬁcate.

If you use email validation, you receive up to 8 validation email messages for each domain, at least 1

of which must be acted upon within 72 hours. For example, when you request a certiﬁcate with ﬁve

domain names, you receive up to 40 validation messages, at least 5 of which must be acted upon within

72 hours. As the number of domain names in the certiﬁcate request increases, so does the work required

to use email to validate domain ownership.

If you use DNS validation instead, you must write one new DNS record to the database for the FQDN

you want to validate. ACM sends you the record to create and later queries the database to determine

whether the record has been added. Adding the record asserts that you own or control the domain. In

the preceding example, if you request a certiﬁcate with ﬁve domain names, you must create ﬁve DNS

records. We recommend that you use DNS validation when possible.

Opting Out of Certiﬁcate Transparency Logging

Important

Regardless of the actions you take to opt out of certiﬁcate transparency logging, your certiﬁcate

might still be logged by any client or individual that has access to the public or private endpoint

to which you bind the certiﬁcate. However, the certiﬁcate won't contain a signed certiﬁcate

timestamp (SCT). Only the issuing CA can embed an SCT in a certiﬁcate.

Beginning April 30 2018, Google Chrome will stop trusting public SSL/TLS certiﬁcates that are not

recorded in a certiﬁcate transparency log. Therefore, beginning April 24 2018, the Amazon CA will start

publishing all new certiﬁcates and renewals to at least two public logs. Once a certiﬁcate has been

logged, it cannot be removed. For more information, see Certiﬁcate Transparency Logging (p. 4).

Logging is performed automatically when you request a certiﬁcate or when a certiﬁcate is renewed, but

you can choose to opt out. Common reasons for doing so include concerns about security and privacy.

For example, logging internal host domain names gives potential attackers information about internal

networks that would otherwise not be public. In addition, logging could leak the names of new or

unreleased products and websites.

To opt out of transparency logging when you are requesting a certiﬁcate, use the Options parameter of

the request-certiﬁcate AWS CLI command or the RequestCertiﬁcate API.

If your certiﬁcate was issued before April 24 2018 and you want to make sure that it is not logged during

renewal, you can call the update-certificate-options command or the UpdateCertiﬁcateOptions

API to opt out.

Once a certiﬁcate has been logged, it cannot be removed from the log. Opting out at that point will

have no eﬀect. If you opt out of logging when you request a certiﬁcate and then choose later to opt

back in, your certiﬁcate will not be logged until it is renewed. If you want the certiﬁcate to be logged

immediately, we recommend that you issue a new one.

Note

You cannot currently use the console to opt out of or in to transparency logging.

The following example shows you how to use the request-certiﬁcate command to disable certiﬁcate

transparency when you request a new certiﬁcate.

aws acm request-certificate \

Version 1.0

AWS Certiﬁcate Manager User Guide

Turn on AWS CloudTrail

--domain-name www.example.com \

--validation-method DNS \

--options CertificateTransparencyLoggingPreference=DISABLED \

--idempotency-token 184627

The preceding command outputs the ARN of your new certiﬁcate.

{

"CertificateArn":

"arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012"

}

If you already have a certiﬁcate, and you don't want it to be logged when it is renewed, use the update-

certiﬁcate-options command. This command does not return a value.

aws acm update-certificate-options \

--certificate-arn arn:aws:acm:region:account:\

certificate/12345678-1234-1234-1234-123456789012 \

--options CertificateTransparencyLoggingPreference=DISABLED

Turn on AWS CloudTrail

Turn on CloudTrail logging before you begin using ACM. CloudTrail enables you to monitor your AWS

deployments by retrieving a history of AWS API calls for your account, including API calls made via the

AWS Management Console, the AWS SDKs, the AWS Command Line Interface, and higher-level AWS

services. You can also identify which users and accounts called the ACM APIs, the source IP address the

calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using

the API, automate trail creation for your organization, check the status of your trails, and control how

administrators turn CloudTrail logging on and oﬀ. For more information, see Creating a Trail. Go to Using

AWS CloudTrail (p. 60) to see example trails for ACM actions.

Pricing for AWS Certiﬁcate Manager

You are not charged by AWS for the SSL/TLS certiﬁcates that you manage with AWS Certiﬁcate Manager.

You pay only for the AWS resources that you create to run your website or application. For the latest ACM

pricing information, see the AWS Certiﬁcate Manager Service Pricing page on the AWS website.

Version 1.0

AWS Certiﬁcate Manager User Guide

Set Up AWS and IAM

Setting Up

With AWS Certiﬁcate Manager (ACM) you can provision and manage SSL/TLS certiﬁcates for your

AWS based websites and applications. You use ACM to create or import and then manage a certiﬁcate.

You must use other AWS services to deploy the certiﬁcate to your website or application. For more

information about the services integrated with ACM, see Services Integrated with AWS Certiﬁcate

Manager (p. 9). The following topics discuss the steps you need to perform before using ACM.

Note

In addition to using certiﬁcates provided by ACM, you can also import certiﬁcates into ACM. For

more information, see Importing Certiﬁcates (p. 44).

Topics

•Set Up AWS and IAM (p. 15)

•Register a Domain Name (p. 16)

•Set Up Your Website or Application (p. 16)

•(Optional) Conﬁgure Email for Your Domain (p. 17)

•(Optional) Conﬁgure a CAA Record (p. 18)

Set Up AWS and IAM

Before you can use ACM, you must sign up for Amazon Web Services. As a best practice, you can create

an IAM user to limit the actions your users can perform.

If you are not already an Amazon Web Services (AWS) customer, you must sign up to be able to use

ACM. Your account is automatically signed up for all available services, but you are charged for only

the services that you use. Also, if you are a new AWS customer, you can get started for free. For more

information, see AWS Free Tier.

To sign up for an AWS account

1. Go to https://aws.amazon.com/ and choose Sign Up.

2. Follow the on-screen instructions.

Note

Part of the sign-up procedure includes receiving an automated telephone call and entering the

supplied PIN on the telephone keypad. You must also supply a credit card number even if you

are signing up for the free tier.

Create an IAM User

All AWS accounts have root user credentials (that is, the credentials of the account owner). These

credentials allow full access to all resources in the account. Because you can't restrict permissions for

root user credentials, we recommend that you delete your root user access keys. Then create AWS

Identity and Access Management (IAM) user credentials for everyday interaction with AWS. For more

information, see Lock away your AWS account (root) access keys in the IAM User Guide.

Version 1.0

AWS Certiﬁcate Manager User Guide

Note

You may need AWS account root user access for speciﬁc tasks, such as changing an AWS support

plan or closing your account. In these cases, sign in to the AWS Management Console with your

email and password. See Email and Password (Root User).

For a list of tasks that require root user access, see AWS Tasks That Require AWS Account Root User.

With IAM, you can securely control access to AWS services and resources for users in your AWS account.

For example, if you require administrator-level permissions, you can create an IAM user, grant that user

full access, and then use those credentials to interact with AWS. If you need to modify or revoke your

permissions, you can delete or modify the policies that are associated with that IAM user.

If you have multiple users that require access to your AWS account, you can create unique credentials

for each user and deﬁne who has access to which resources. You don't need to share credentials. For

example, you can create IAM users with read-only access to resources in your AWS account and distribute

those credentials to your users.

ACM also provides two AWS managed policies that you can use:

•AWSCertiﬁcateManagerFullAccess

•AWSCertiﬁcateManagerReadOnly

Note

Any activity or costs that are associated with the IAM user are billed to the AWS account owner.

A fully qualiﬁed domain name (FQDN) is the unique name of an organization or individual on the

Internet followed by a top-level domain extension such as .com or .org. If you do not already have a

registered domain name, you can register one through Amazon Route53 or dozens of other commercial

registrars. Typically you go to the registrar's website and request a domain name. The registrar queries

WHOIS to determine whether the requested FQDN is available. If it is, the registrar usually lists related

names that diﬀer by domain extension and provides you an opportunity to acquire any of the available

names. Registration usually lasts for a set period of time such as one or two years before it must be

renewed.

For more information about registering domain names with Amazon Route53, see Registering Domain

Names Using Amazon Route53 in the Amazon Route53 Developer Guide.

Set Up Your Website or Application

You can install your website on an Amazon EC2 Linux or Windows instance. For more information

about Linux Amazon EC2 instances, see Amazon Elastic Compute Cloud User Guide for Linux. For more

information about Windows Amazon EC2 instances, see Amazon Elastic Compute Cloud User Guide for

Microsoft Windows.

Although you install your website on an Amazon EC2 instance, you cannot directly deploy an ACM

Certiﬁcate on that instance. You must instead deploy your certiﬁcate by using one of the services

integrated with ACM. For more information see Services Integrated with AWS Certiﬁcate Manager (p. 9).

To get your website up and running quickly on either Windows or Linux, see the following topics.

Topics

•Linux Quickstart (p. 17)

•Windows Quickstart (p. 17)

Version 1.0

AWS Certiﬁcate Manager User Guide

Linux Quickstart

To create your website or application on a Linux instance, you can choose a Linux Amazon Machine Image

(AMI) and install an Apache web server on it. For more information, see Tutorial: Installing a LAMP Web

Server on Amazon Linux in the Amazon EC2 User Guide for Linux Instances.

Windows Quickstart

To acquire a Microsoft Windows server on which you can install your website or application, choose a

Windows Server AMI that comes bundled with a Microsoft Internet Information Services (IIS) web server.

Then use the default website or create a new one. You can also install a WIMP server on your Amazon

EC2 instance. For more information, see Tutorial: Installing a WIMP Server on an Amazon EC2 Instance

Running Windows Server in the Amazon EC2 User Guide for Windows Instances.

(Optional) Conﬁgure Email for Your Domain

Note

The following steps are required only if you use email validation to assert that you own or

control the FQDN (fully qualiﬁed domain name) speciﬁed in your certiﬁcate request. ACM

requires that you validate ownership or control before it issues a certiﬁcate. You can use either

email validation or DNS validation. For more information about email validation, see Use Email

to Validate Domain Ownership (p. 28).

If you are able to edit your DNS conﬁguration, we recommend that you use DNS domain

validation rather than email validation. DNS validation removes the need to conﬁgure email for

the domain name. For more information about DNS validation, see Use DNS to Validate Domain

Ownership (p. 25).

Use your registrar's website to associate your contact addresses with your domain name. The registrar

adds the contact email addresses to the WHOIS database and adds one or more mail servers to the mail

exchanger (MX) records of a DNS server. If you choose to use email validation, ACM sends email to the

contact addresses and to ﬁve common administrative addresses formed from your MX record. ACM sends

up to eight validation email messages every time you create a new certiﬁcate, renew a certiﬁcate, or

request new validation mail. The validation email contains instructions for conﬁrming that the domain

owner or an appointed representative approves the ACM Certiﬁcate. For more information, see Use Email

to Validate Domain Ownership (p. 28). If you have trouble with validation email, see Troubleshoot

Email Problems (p. 94).

WHOIS Database

The WHOIS database contains contact information for your domain. To validate your identity, ACM sends

an email to the following three addresses in WHOIS. You must make sure that your contact information

is public or that email that is sent to an obfuscated address is forwarded to your real email address.

• Domain registrant

• Technical contact

• Administrative contact

MX Record

When you register your domain, your registrar sends your mail exchanger (MX) record to a Domain

Name System (DNS) server. An MX record indicates which servers accept mail for your domain. The

Version 1.0

AWS Certiﬁcate Manager User Guide

(Optional) Conﬁgure CAA

record contains a fully qualiﬁed domain name (FQDN). You can request a certiﬁcate for apex domains or

subdomains.

For example, if you use the console to request a certiﬁcate for abc.xyz.example.com, ACM ﬁrst tries to

ﬁnd the MX record for that subdomain. If that record cannot be found, ACM performs an MX lookup

for xyz.example.com. If that record cannot be found, ACM performs an MX lookup for example.com. If

that record cannot be found or there is no MX record, ACM chooses the original domain for which the

certiﬁcate was requested (abc.xyz.example.com in this example). ACM then sends email to the following

ﬁve common system administration addresses for the domain or subdomain:

• administrator@your_domain_name

• hostmaster@your_domain_name

• postmaster@your_domain_name

• webmaster@your_domain_name

• admin@your_domain_name

If you are using the RequestCertiﬁcate API operation or the request-certiﬁcate AWS CLI command, AWS

does not perform an MX lookup. Instead, RequestCertificate lets you specify both your domain

name and the name of a validation domain. If you specify the optional ValidationDomain parameter,

AWS sends the preceding ﬁve email messages there rather than to your domain.

ACM always sends validation email to the ﬁve common addresses listed previously whether you are

using the console, the API, or the AWS CLI. However, AWS performs an MX lookup only when you use the

console to request a certiﬁcate.

If you do not receive validation email, see Not Receiving Validation Email (p. 95) for information about

possible causes and workarounds.

(Optional) Conﬁgure a CAA Record

You can optionally conﬁgure a Certiﬁcation Authority Authorization (CAA) DNS record to specify that

AWS Certiﬁcate Manager (ACM) is allowed to issue a certiﬁcate for your domain or subdomain. After it

validates your domain, ACM checks for the presence of CAA records to make sure it can issue a certiﬁcate

for you. You can choose to not conﬁgure a CAA record for your domain or leave the record blank if you

do not want to enable CAA checking. A CAA record contains the following data ﬁelds:

ﬂags

Speciﬁes whether the value of the tag ﬁeld is supported by ACM. Set this value to 0.

tag

The tag ﬁeld can be one of the following values. Note that the iodef ﬁeld is currently ignored.

issue

Indicates that the ACM CA that you specify in the value ﬁeld is authorized to issue a certiﬁcate

for your domain or subdomain.

issuewild

Indicates that the ACM CA that you speciﬁed in the value ﬁeld is authorized to issue a wildcard

certiﬁcate for your domain or subdomain. A wildcard certiﬁcate applies to the domain or

subdomain and all of its subdomains.

value

The value of this ﬁeld depends on the value of the tag ﬁeld. You must enclose this value in

quotation marks ("").

Version 1.0

AWS Certiﬁcate Manager User Guide

(Optional) Conﬁgure CAA

When tag is issue

The value ﬁeld contains the CA domain name. This ﬁeld can contain the name of a CA other

than an Amazon CA. However, if you do not have a CAA record that speciﬁes one of the

following four Amazon CAs, ACM cannot issue a certiﬁcate to your domain or subdomain:

• amazon.com

• amazontrust.com

• awstrust.com

• amazonaws.com

The value ﬁeld can also contain a semicolon (;) to indicate that no CA should be permitted to

issue a certiﬁcate for your domain or subdomain. Use this ﬁeld if you decide at some point that

you no longer want a certiﬁcate issued for a particular domain.

When tag is issuewild

The value ﬁeld is the same as that for when tag is issue except that the value applies to

wildcard certiﬁcates.

Example CAA Record Examples

In the following examples, your domain name comes ﬁrst followed by the record type (CAA). The ﬂags

ﬁeld is always 0. The tags ﬁeld can be issue or issuewild. If the ﬁeld is issue and you type the domain

name of a CA server in the value ﬁeld, the CAA record indicates that your speciﬁed server is permitted

to issue your requested certiﬁcate. If you type a semicolon ";" in the value ﬁeld, the CAA record indicates

that no CA is permitted to issue a certiﬁcate. The conﬁguration of CAA records varies by DNS provider.

Domain Record type Flags Tag Value

example.com. CAA 0 issue "SomeCA.com"

example.com. CAA 0 issue "amazon.com"

example.com. CAA 0 issue "amazontrust.com"

example.com. CAA 0 issue "awstrust.com"

example.com. CAA 0 issue "amazonaws.com"

example.com CAA 0 issue ";"

For more information about how to add or modify DNS records, check with your DNS provider. Route53

supports CAA records. If Route53 is your DNS provider, see CAA Format for more information about

creating a record.

Version 1.0

AWS Certiﬁcate Manager User Guide

Request a Public Certiﬁcate

Getting Started

Sign into the AWS Management Console and open the ACM console at https://console.aws.amazon.com/

acm/home. If the introductory page appears, choose Get Started. Otherwise, choose Certiﬁcate

Manager or Private CAs in the left navigation pane.

ACM supports SSL/TLS certiﬁcates that can be used to enable secure communication across the internet

or over an internal network. You can request a publicly trusted certiﬁcate issued by ACM or import

a certiﬁcate. Imported certiﬁcates can be issued by a third party and publicly trusted, or they can

be self-signed. You can also use the ACM console to request that a private certiﬁcate be issued by a

private certiﬁcate authority (CA) in your organization. Private certiﬁcates are not trusted by default.

Administrators must install them in client trust stores.

This documentation primarily discusses public ACM and third party certiﬁcates. It also discusses how to

issue a private certiﬁcate using an existing private CA. To learn more about creating and using a private

CA, see AWS Certiﬁcate Manager Private Certiﬁcate Authority.

Topics

•Request a Public Certiﬁcate (p. 20)

•Request a Private Certiﬁcate (p. 22)

•Export a Private Certiﬁcate (p. 23)

•Use DNS to Validate Domain Ownership (p. 25)

•Use Email to Validate Domain Ownership (p. 28)

•List ACM–Managed Certiﬁcates (p. 32)

•Describe ACM Certiﬁcates (p. 34)

•Delete ACM–Managed Certiﬁcates (p. 36)

•Install ACM Certiﬁcates (p. 36)

•Resend Validation Email (Optional) (p. 36)

Request a Public Certiﬁcate

The following sections discuss how to use the ACM console or AWS CLI to request a public ACM

certiﬁcate. If you are having trouble requesting a certiﬁcate, see Troubleshoot Certiﬁcate Request

Problems (p. 98). If you are having trouble requesting a certiﬁcate for an .IO domain, see

Troubleshoot .IO Domain Problems (p. 101). To request a private certiﬁcate using your private

certiﬁcate authority (CA), see Request a Private Certiﬁcate (p. 22).

Topics

•Requesting a public certiﬁcate using the console (p. 20)

•Requesting a public certiﬁcate using the CLI (p. 21)

Requesting a public certiﬁcate using the console

To request an ACM public certiﬁcate (console)

1. Sign into the AWS Management Console and open the ACM console at https://

console.aws.amazon.com/acm/home.

2. On the Request a certiﬁcate page, type your domain name. You can use a fully qualiﬁed domain

name (FQDN) such as www.example.com or a bare or apex domain name such as example.com.

Version 1.0

AWS Certiﬁcate Manager User Guide

Requesting a public certiﬁcate using the CLI

You can also use an asterisk (*) as a wildcard in the leftmost position to protect several site

names in the same domain. For example, *.example.com protects corp.example.com, and

images.example.com. The wildcard name will appear in the Subject ﬁeld and the Subject

Alternative Name extension of the ACM certiﬁcate.

Note

When you request a wildcard certiﬁcate, the asterisk (*) must be in the leftmost position of

the domain name and can protect only one subdomain level. For example, *.example.com

can protect login.example.com, and test.example.com, but it cannot protect

test.login.example.com. Also note that *.example.com protects only the

subdomains of example.com, it does not protect the bare or apex domain (example.com).

To protect both, see the next step.

3. To add more domain names to the ACM certiﬁcate, choose Add more names and type another

domain name in the text box that opens. This is useful for protecting both a bare or apex domain

(like example.com) and its subdomains (*.example.com).

4. After you have typed valid domain names, choose Review and Request or choose Cancel to quit.

Important

Unless you choose to opt out, your certiﬁcate will be automatically recorded in at least

two public certiﬁcate transparency databases. You cannot currently use the console to

opt out. You must use the AWS CLI or the API. For more information, see Opting Out of

Certiﬁcate Transparency Logging (p. 13). For general information about transparency logs,

see Certiﬁcate Transparency Logging (p. 4).

5. If the review page correctly contains the information that you provided for your request, choose

Conﬁrm and request. The following page shows that your request status is pending validation.

Before ACM issues a certiﬁcate, it validates that you own or control the domain names in your

certiﬁcate request. You can use either email validation or DNS validation. If you choose email

validation, ACM sends validation email to three contact addresses registered in the WHOIS database

and to ﬁve common system administration addresses for each domain name. You or an authorized

representative must reply to one of these email messages. For more information, see Use Email to

Validate Domain Ownership (p. 28). If you use DNS validation, you simply write a CNAME record

provided by ACM to your DNS conﬁguration. For more information about DNS validation, see Use

DNS to Validate Domain Ownership (p. 25).

Note

If you are able to edit your DNS conﬁguration, we recommend that you use DNS domain

validation rather than email validation. DNS validation has multiple beneﬁts over email

validation. See Use DNS to Validate Domain Ownership (p. 25).

Requesting a public certiﬁcate using the CLI

Use the request-certiﬁcate command to request a new public ACM certiﬁcate on the command line.

aws acm request-certificate \

--domain-name www.example.com \

--validation-method DNS \

--idempotency-token 1234 \

Version 1.0

AWS Certiﬁcate Manager User Guide

Request a Private Certiﬁcate

--options CertificateTransparencyLoggingPreference=DISABLED

This command outputs the Amazon Resource Name (ARN) of your new private certiﬁcate.

{

"CertificateArn":

"arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012"

}

Request a Private Certiﬁcate

The following sections discuss how to use the ACM console or the ACM PCA CLI request a private

certiﬁcate from an existing private certiﬁcate authority (CA). For more information about creating a

private CA, see Create a Private Certiﬁcate Authority.

Private certiﬁcates issued by ACM resemble public certiﬁcates issued by ACM. The certiﬁcates have the

following restrictions:

• You must use DNS subject names. For more information, see Domain Names (p. 4)

• You can use only a 2048 bit RSA private key algorithm.

• The only supported signing algorithm is SHA256WithRSAEncryption.

• Each certiﬁcate is valid for 13 months.

• The private CA must be Active, and the CA private key type must be RSA 2048 or RSA 4096.

• ACM renews the certiﬁcate automatically, if possible, after 11 months.

Private certiﬁcates issued by ACM PCA do not have the preceding restrictions. You can use your private

CA to create certiﬁcates that have any subject name, use any of the supported private key algorithms,

any signing algorithm, and any validity period. This is beneﬁcial if you must identify a subject by a

speciﬁc name or if you cannot rotate certiﬁcates easily. For more information, see Issue a Private

Certiﬁcate.

Topics

•Requesting a private certiﬁcate using the console (p. 22)

•Requesting a private certiﬁcate using the CLI (p. 23)

Requesting a private certiﬁcate using the console

1. Sign into the AWS Management Console and open the ACM console at https://

console.aws.amazon.com/acm/home.

2. Select Request a private certiﬁcate and then choose Request a certiﬁcate.

3. Select your private CA from the dropdown list. Information about the CA is ﬁlled in below the list to

help you verify that you have chosen the CA you want.

Note

The ACM console displays Ineligible for private CAs with ECDSA keys.

4. Choose Next.

5. On the Request a certiﬁcate page, type a domain name. You can use a fully qualiﬁed domain

name (FQDN) such as www.example.com or a bare or apex domain name such as example.com.

You can also use an asterisk (*) as a wildcard in the leftmost position to protect several site

Version 1.0

AWS Certiﬁcate Manager User Guide

Requesting a private certiﬁcate using the CLI

names in the same domain. For example, *.example.com protects corp.example.com, and

images.example.com. The wildcard name will appear in the Subject ﬁeld and the Subject

Alternative Name extension of the ACM certiﬁcate.

Note

When you request a wildcard certiﬁcate, the asterisk (*) must be in the leftmost position of

the domain name and can protect only one subdomain level. For example, *.example.com

can protect login.example.com, and test.example.com, but it cannot protect

test.login.example.com. Also note that *.example.com protects only the

subdomains of example.com, it does not protect the bare or apex domain (example.com).

To protect both, see the next step.

6. To add more domain names to the ACM certiﬁcate, choose Add more names and type another

domain name in the text box that opens. This is useful for protecting both a bare or apex domain

(like example.com) and its subdomains (*.example.com).

7. After you have typed valid names, choose Review and Request or choose Cancel to quit.

8. Check the review page to make sure that everything is correct and then choose Conﬁrm and

request.

Note

You do not need to validate a private certiﬁcate.

Requesting a private certiﬁcate using the CLI

Use the request-certiﬁcate command to request a private certiﬁcate in ACM.

aws acm request-certificate \

--domain-name www.example.com \

--idempotency-token 12563 \

--options CertificateTransparencyLoggingPreference=DISABLED \

--certificate-authority-arn arn:aws:acm-pca:region:account:\

certificate-authority/12345678-1`234-1234-1234-123456789012

This command outputs the Amazon Resource Name (ARN) of your new private certiﬁcate.

{

"CertificateArn":

"arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012"

}

Export a Private Certiﬁcate

You can export a private certiﬁcate for use anywhere. You can export the certiﬁcate, the certiﬁcate chain,

and the encrypted private key. You must store the private key securely. The key is related to the public

key that is embedded in the certiﬁcate.

The private key is a 2048 bit RSA key. You can use the following OpenSSL command to decrypt it.

Provide the passphrase when prompted.

openssl rsa -in encrypted_key.pem -out decrypted_key.pem

Topics

•Exporting a private certiﬁcate using the console (p. 24)

Version 1.0

AWS Certiﬁcate Manager User Guide

Exporting a private certiﬁcate using the console

•Exporting a private certiﬁcate using the CLI (p. 24)

Exporting a private certiﬁcate using the console

1. Sign into the AWS Management Console and open the ACM console at https://

console.aws.amazon.com/acm/home.

2. Choose Certiﬁcate Manager

3. Select the certiﬁcate that you want to export.

4. On the Actions menu, choose Export (private certiﬁcates only).

5. Enter and conﬁrm a passphrase for the private key.

6. Choose Generate PEM Encoding.

7. You can copy the certiﬁcate, certiﬁcate chain, and encrypted key to memory or choose Export to a

ﬁle for each.

8. Choose Done.

Exporting a private certiﬁcate using the CLI

Use the export-certiﬁcate command to export a private certiﬁcate and private key. For added security,

store your passphrase securely in a ﬁle before using this command. This prevents your passphrase from

being stored in command history and prevents others from seeing the passphrase as you type it in.

aws acm export-certificate --certificate-arn \

arn:aws:acm:region:account:\

certificate/12345678-1234-1234-1234-123456789012 \

--passphrase --file://path-to-passphrase-file

This command outputs the base64-encoded, PEM format certiﬁcate, the certiﬁcate chain, and private

key. The private key is output in PKCS #8 syntax.

{

"PrivateKey":

"-----BEGIN ENCRYPTED PRIVATE KEY-----

...PKCS8 Base64-encoded encrypted private key ...

-----END ENCRYPTED PRIVATE KEY-----",

"CertificateChain":

"-----BEGIN CERTIFICATE-----

...Base64-encoded certificate...

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

...Base64-encoded private key...

-----END CERTIFICATE-----",

"Certificate":

"-----BEGIN CERTIFICATE-----

...Base64-encoded certificate...

-----END CERTIFICATE-----"

}

To output everything to a ﬁle, use the > redirector as shown in the following example.

aws acm export-certificate --certificate-arn \

arn:aws:acm:region:account:\

certificate/12345678-1234-1234-1234-123456789012 \

--passphrase file://path-to-passphrase-file\

> c:\temp\export.txt

Version 1.0

AWS Certiﬁcate Manager User Guide

Validate with DNS

Use DNS to Validate Domain Ownership

Before the Amazon certiﬁcate authority (CA) can issue a certiﬁcate for your site, AWS Certiﬁcate Manager

(ACM) must verify that you own or control all of the domain names that you speciﬁed in your request.

You can choose either email validation or DNS validation when you request a certiﬁcate. This topic

discusses DNS validation. For information about email validation, see Use Email to Validate Domain

Ownership (p. 28).

Note

Validation applies only to certiﬁcates provided by AWS Certiﬁcate Manager (ACM). ACM does not

validate domain ownership for imported certiﬁcates (p. 44).

The Domain Name System (DNS) is a directory service for resources connected to a network. On the

internet, DNS servers are used primarily to translate from domain names to the numerical IP addresses

that identify and locate resources such as computers and other devices. The databases on DNS servers

contain domain records that are used for this translation and to enable other functionality. For example,

A records are a type of DNS record used to map domain names to IPV4 addresses. MX records are used to

route email. NS records list all of the name servers for the domain.

ACM uses CNAME (Canonical Name) records to validate that you own or control a domain. When you

choose DNS validation, ACM provides you one or more CNAME records to insert into your DNS database.

For example, if you request a certiﬁcate for the example.com domain with www.example.com as an

additional name, ACM creates two CNAME records for you. Each record, created speciﬁcally for your

domain and your account, contains a name and a value. The value is an alias that points to a domain

that ACM owns and which ACM uses to automatically renew your certiﬁcate. You add the CNAME records

to your DNS database only once. ACM automatically renews your certiﬁcate as long as the certiﬁcate is

in use and your CNAME record remains in place. In addition, if you use Amazon Route53 to create your

domain, ACM can write the CNAME records for you.

The following table shows example CNAME records for ﬁve domain names.

The _x values are long random strings generated by ACM. For example

_3639ac514e785e898d2646601fa951d5.example.com is representative of a generated name. Note

that the ﬁrst two _x values in the table are the same. That is, the random string created by ACM for the

wildcard name *.example.com is the same as that created for the base domain name example.com.

Note also that ACM creates diﬀerent CNAME records for example.com and www.example.com.

Domain name DNS zone Name Type Value

*.example.com example.com _x1.example.com CNAME _x2.acm-

validations.aws

example.com example.com _x1.example.com CNAME _x2.acm-

validations.aws

www.example.com example.com _x3.www.example.comCNAME _x4.acm-

validations.aws

host.example.com example.com _x5.host.example.comCNAME _x6.acm-

validations.aws

subdomain.example.comsubdomain.example.com_x7.subdomain.example.comCNAME _x8.acm-

validations.aws

host.subdomain.example.comsubdomain.example.com_x9.host.subdomain.example.comCNAME _x10.acm-

validations.aws

DNS validation has a number of advantages over email validation:

Version 1.0

AWS Certiﬁcate Manager User Guide

Validate with DNS

• DNS requires that you create only one CNAME record per domain name when you request an ACM

Certiﬁcate. Email validation sends up to eight email messages per domain name.

• You can request additional ACM Certiﬁcates for your FQDN for as long as the DNS record remains in

place. That is, you can create multiple certiﬁcates that have the same domain name. You do not need

to get a new CNAME record. There are many reasons to do this. You might, for example, want new

certiﬁcates that cover diﬀerent subdomains. You might want to create the same certiﬁcate in multiple

regions (the validation token works for any region). You might want to replace a certiﬁcate that you

deleted.

• ACM automatically renews ACM Certiﬁcates that you validated by using DNS. ACM renews each

certiﬁcate before it expires as long as the certiﬁcate is in use and the DNS record is in place.

• ACM can add the CNAME record for you if you use Route53 to manage your public DNS records.

• You can more easily automate the DNS validation process than you can the email validation process.

Note however that you may be required to use email validation if you do not have permission to modify

the DNS records for your domain.

To use DNS validation:

1. Sign into the AWS Management Console and open the ACM console at https://

console.aws.amazon.com/acm/home. If the introductory page appears, choose Get Started.

Otherwise, choose Request a certiﬁcate.

2. On the Request a certiﬁcate page, type your domain name. For more information about typing

domain names, see Request a Public Certiﬁcate (p. 20).

3. To add more domain names to the ACM Certiﬁcate, type other names as text boxes open beneath

the name you just typed.

4. Choose Next.

5. Choose DNS validation.

6. Choose Review and request. Verify that the domain name and validation method are correct.

7. Choose Conﬁrm and request.

8. On the Validation page, expand your domain information or choose Export DNS conﬁguration to a

ﬁle. If you expand your domain information, ACM displays the name and value of the CNAME record

you must add to your DNS database to validate that you control the domain.

Version 1.0

AWS Certiﬁcate Manager User Guide

Validate with DNS

9. The Create record in Route 53 button appears if the following conditions are true:

• You use Route53 as your DNS provider.

• You are hosting the domain in Route53.

• You have permission to write to the Route53, hosted zone.

• Your FQDN has not already been validated.

If your FQDN has already been validated or if you don't have permission to write to the Route53

hosted zone for the domain name you are requesting, the Create record in Route 53 button will

appear disabled. For more information about Route53 record sets, see Working with Resource

Record Sets.

Note

Currently, you cannot programmatically request that ACM automatically create your record

in Route53. You can, however, make a AWS CLI or API call to Route53 to create the record.

10. Add the record from the console or the exported ﬁle to your database. For more information about

adding DNS records, see Adding a CNAME to Your Database (p. 28). You can choose Continue to

skip this step. You can return to it later by opening the certiﬁcate request in the console.

Note

If your FQDN was validated when you requested a previous certiﬁcate and you are

requesting another certiﬁcate for the same FQDN, you do not need to add another DNS

record.

Note

Adding a CNAME record that contains a domain name (such as .example.com) might

result in duplication of the domain name (such as .example.com.example.com). To avoid

duplication, you can manually copy only the part of the CNAME that you need. This would

be of the form _3639ac514e785e898d2646601fa951d5.

11. After updating your DNS conﬁguration, choose Continue. ACM displays a table view that includes all

of your certiﬁcates. The certiﬁcate you requested and its status is displayed. After your DNS provider

propagates your record update, it can take up to several hours for ACM to validate the domain name

and issue the certiﬁcate. During this time, ACM shows the validation status as Pending validation.

After validating the domain name, ACM changes the validation status to Success. After AWS issues

the certiﬁcate, ACM changes the certiﬁcate status to Issued.

Note

If ACM is not able to validate the domain name within 72 hours from the time it generates a

CNAME value for you, ACM changes the certiﬁcate status to Validation timed out. The most

likely reason for this result is that you did not update your DNS conﬁguration with the value

that ACM generated. To remedy this issue, you must request a new certiﬁcate.

Version 1.0

AWS Certiﬁcate Manager User Guide

Adding a CNAME to Your Database

To use DNS validation, you must be able to add a CNAME record to the DNS conﬁguration for your

domain. If Route53 is not your DNS provider, contact your provider to ﬁnd out how to add records. If

Route53 is your provider, ACM can create the CNAME record for you as discussed previously in step 9. If

you want to add the record yourself, see Editing Resource Record Sets in the Route53 Developer Guide.

Note

If you do not have permission to edit your DNS conﬁguration, you must use email validation.

Deleting a CNAME from Your Database

ACM automatically renews your certiﬁcate for as long as the certiﬁcate is in use and the CNAME record

that ACM created for you remains in place in your DNS database. You can stop automatic renewal by

removing the certiﬁcate from the AWS service with which it is associated or by deleting the CNAME

record. If Route53 is not your DNS provider, contact your provider to ﬁnd out how to delete the record.

If Route53 is your provider, see Deleting Resource Record Sets in the Route53 Developer Guide. For

more information about managed certiﬁcate renewal, see Managed Renewal for ACM's Amazon-Issued

Certiﬁcates (p. 38).

Use Email to Validate Domain Ownership

Before the Amazon certiﬁcate authority (CA) can issue a certiﬁcate for your site, AWS Certiﬁcate Manager

(ACM) must verify that you own or control all of the domains that you speciﬁed in your request. You can

perform veriﬁcation using either email or DNS. This topic discusses email validation. For information

about DNS validation, see Use DNS to Validate Domain Ownership (p. 25).

Note

Validation applies only to certiﬁcates provided by AWS Certiﬁcate Manager (ACM). ACM does not

validate domain ownership for imported certiﬁcates (p. 44). If you have trouble validating

an ACM Certiﬁcate, see Troubleshoot Certiﬁcate Validation Problems (p. 100). If you are not

receiving email, see Not Receiving Validation Email (p. 95).

AWS Certiﬁcate Manager (ACM) sends email to the 3 contact addresses listed in WHOIS and to 5

common system addresses for each domain that you specify. That is, up to 8 email messages will be sent

for every domain name and subject alternative name that you include in your request. For example, if

Version 1.0

AWS Certiﬁcate Manager User Guide

Validate with Email

you specify only 1 domain name, you will receive up to 8 email messages. To validate, you must act on 1

of these 8 messages within 72 hours. If you specify 3 domain names, you will receive up to 24 messages.

To validate, you must act on at least 3 of these emails, 1 for each name that you speciﬁed, within 72

hours.

Email is sent to the following three registered contact addresses in WHOIS:

• Domain registrant

• Technical contact

• Administrative contact

Note

Some registrars allow you to hide your contact information in your WHOIS listing, and others

allow you to substitute your real email address with a privacy (or proxy) address. To prevent

problems with receiving the domain validation email from ACM, ensure that your contact

information is visible in WHOIS. If your WHOIS listing shows a privacy email address, ensure that

email sent to that address is forwarded to your real email address. Or simply list your real email

address instead.

If you use the console to request a certiﬁcate, ACM performs an MX lookup to determine which servers

accept email for your domain and sends mail to the following ﬁve common system addresses for ﬁrst

domain found. If you use the RequestCertiﬁcate API or the request-certiﬁcate AWS CLI command,

ACM does not perform an MX lookup. Instead, it sends email to the domain name you specify in the

DomainName parameter or in the optional ValidationDomain parameter. For more information, see

MX Record (p. 17).

• administrator@your_domain_name

• hostmaster@your_domain_name

• postmaster@your_domain_name

• webmaster@your_domain_name

• admin@your_domain_name

For more information about how ACM determines the email addresses for your domains, see (Optional)

Conﬁgure Email for Your Domain (p. 17).

The console shows where the validation email messages have been sent for the ﬁrst domain name you

specify in your request. The email is sent from no-reply@certiﬁcates.amazon.com.

Version 1.0

AWS Certiﬁcate Manager User Guide

Validate with Email

Note

There is an exception to the process described above. If you request an ACM Certiﬁcate

for a domain name that begins with www or a wildcard asterisk (*), ACM removes the

leading www or asterisk and sends email to the administrative addresses. These addresses

are formed by prepending admin@, administrator@, hostmaster@, postmaster@, and

webmaster@ to the remaining portion of the domain name. For example, if you request an

ACM Certiﬁcate for www.example.com, email is sent to admin@example.com rather than to

admin@www.example.com. Likewise, if you request an ACM Certiﬁcate for *.test.example.com,

email is sent to admin@test.example.com. The remaining common administrative addresses are

similarly formed.

Note

Ensure that email is sent to the administrative addresses for an apex domain, such

as example.com, rather than to the administrative addresses for a subdomain, such

as test.example.com. To do that, specify the ValidationDomain option in the

RequestCertiﬁcate API or the request-certiﬁcate AWS CLI command. This feature is not currently

supported when you use the console to request a certiﬁcate.

The following example shows the validation email that is sent for every domain name that you specify in

your certiﬁcate request.

Version 1.0

AWS Certiﬁcate Manager User Guide

Validate with Email

Choose the link that sends you to the Amazon Certiﬁcate Approvals website and then choose I Approve.

After choosing I Approve, a website opens to indicate that your request was successful.

Version 1.0

AWS Certiﬁcate Manager User Guide

List Certiﬁcates

You can navigate back to the ACM console by clicking a link on the success page. It can take up to several

hours for ACM to validate the domain name and issue the certiﬁcate. During this time, ACM shows the

validation status as Pending validation. After validating the domain name, ACM changes the validation

status to Success. After AWS issues the certiﬁcate, ACM changes the certiﬁcate status to Issued.

List ACM–Managed Certiﬁcates

You can use the ACM console or AWS CLI to list the certiﬁcates managed by ACM

Topics

•List Certiﬁcates (Console) (p. 32)

•List Certiﬁcates (CLI) (p. 33)

List Certiﬁcates (Console)

Display Certiﬁcate Information

Each certiﬁcates occupies a row in the console. By default, the following columns are displayed for each

certiﬁcate:

•Domain Name – The fully qualiﬁed domain name for the certiﬁcate.

•Additional Names – Additional names that are supported by this certiﬁcate.

•Status – Certiﬁcate status. This can be any of the following values:

Version 1.0

AWS Certiﬁcate Manager User Guide

List Certiﬁcates (CLI)

• Pending validation

• Issued

• Inactive

• Expired

• Revoked

• Failed

• Timed out

•In Use? – Whether the ACM Certiﬁcate is actively associated with an AWS service such as Elastic Load

Balancing or CloudFront. The value can be No or Yes.

Customize the Console Display

You can select the columns that you want to display by choosing the gear icon ( ) in the upper

right corner of the console. You can select from among the following columns.

List Certiﬁcates (CLI)

You can use the list-certiﬁcates command to list your ACM-managed certiﬁcates.

aws acm list-certificates --max-items 10

The list-certificates command outputs the following information.

{

"CertificateSummaryList": [

{

"CertificateArn":

"arn:aws:acm:region:account:certificate/123456789012-1234-1234-1234-12345678",

"DomainName": "example.com"

{

"CertificateArn":

"arn:aws:acm:region:account:certificate/123456789012-1234-1234-1234-12345678",

"DomainName": "mydomain.com"

}

]

Version 1.0

AWS Certiﬁcate Manager User Guide

Describe Certiﬁcates

}

By default, only certiﬁcates that are supported by Services Integrated with AWS Certiﬁcate

Manager (p. 9) are listed. That is, only certiﬁcates with keyTypes RSA_1024 and RSA_2048 are returned.

To see other certiﬁcates that you own or control that use a diﬀerent algorithm and bit size, use the --

includes parameter as shown in the following example. The parameter allows you to specify a member

of the Filters structure.

aws acm list-certificates --max-items 10 --includes keyTypes=RSA_4096

Describe ACM Certiﬁcates

You can use the ACM console or the AWS CLI to list metadata about your certiﬁcates.

Topics

•Describe Certiﬁcates (Console) (p. 34)

•Describe Certiﬁcates (CLI) (p. 34)

Describe Certiﬁcates (Console)

To show certiﬁcate metadata, select the arrow to the immediate left of the domain name. The console

displays information similar to the following.

Describe Certiﬁcates (CLI)

You can use the AWS CLI to get information about an issued certiﬁcate, delete a certiﬁcate, or resend

validation email.

Retrieve ACM Certiﬁcate Fields

You can use the describe-certiﬁcate command list the metadata for a certiﬁcate.

Version 1.0

AWS Certiﬁcate Manager User Guide

Describe Certiﬁcates (CLI)

aws acm describe-certificate --certificate-arn

arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

The describe-certificate command outputs the following information.

{

"Certificate": {

"CertificateArn":

"arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012",

"Status": "EXPIRED",

"Options": {

"CertificateTransparencyLoggingPreference": "ENABLED"

"SubjectAlternativeNames": [

"example.com",

"www.example.com"

"DomainName": "gregpe.com",

"NotBefore": 1450137600.0,

"RenewalEligibility": "INELIGIBLE",

"NotAfter": 1484481600.0,

"KeyAlgorithm": "RSA-2048",

"InUseBy": [

"arn:aws:cloudfront::account:distribution/E12KXPQHVLSYVC"

"SignatureAlgorithm": "SHA256WITHRSA",

"CreatedAt": 1450212224.0,

"IssuedAt": 1450212292.0,

"KeyUsages": [

{

"Name": "DIGITAL_SIGNATURE"

{

"Name": "KEY_ENCIPHERMENT"

}

"Serial": "07:71:71:f4:6b:e7:bf:63:87:e6:ad:3c:b2:0f:d0:5b",

"Issuer": "Amazon",

"Type": "AMAZON_ISSUED",

"ExtendedKeyUsages": [

{

"OID": "1.3.6.1.5.5.7.3.1",

"Name": "TLS_WEB_SERVER_AUTHENTICATION"

{

"OID": "1.3.6.1.5.5.7.3.2",

"Name": "TLS_WEB_CLIENT_AUTHENTICATION"

}

"DomainValidationOptions": [

{

"ValidationEmails": [

"hostmaster@example.com",

"admin@example.com",

"postmaster@example.com",

"webmaster@example.com",

"administrator@example.com"

"ValidationDomain": "example.com",

"DomainName": "example.com"

{

"ValidationEmails": [

"hostmaster@example.com",

Version 1.0

AWS Certiﬁcate Manager User Guide

Delete Certiﬁcates

"admin@example.com",

"postmaster@example.com",

"webmaster@example.com",

"administrator@example.com"

"ValidationDomain": "www.example.com",

"DomainName": "www.example.com"

}

"Subject": "CN=example.com"

}

Delete ACM–Managed Certiﬁcates

You can use the ACM console or the AWS CLI to delete a certiﬁcate.

Topics

•Delete Certiﬁcates (Console) (p. 36)

•Delete Certiﬁcates (CLI) (p. 36)

Delete Certiﬁcates (Console)

In the list of certiﬁcates, select the check box for the ACM Certiﬁcate that you want to delete. For

Actions, choose Delete.

Note

You cannot delete an ACM Certiﬁcate that is being used by another AWS service. To delete a

certiﬁcate that is in use, you must ﬁrst remove the certiﬁcate association.

Delete Certiﬁcates (CLI)

You can use the delete-certiﬁcate command list the metadata for a certiﬁcate.

aws acm delete-certificate --certificate-arn

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

Install ACM Certiﬁcates

You cannot use ACM to directly install your ACM Certiﬁcate on your AWS based website or application.

You must use one of the services integrated with ACM. For more information, see Services Integrated

with AWS Certiﬁcate Manager (p. 9).

Resend Validation Email (Optional)

You can use email to validate that you own or control a domain. Each email contains a validation token

that you can use to approve a certiﬁcate request. However, because the validation email required for

the approval process can be blocked by spam ﬁlters or lost in transit, the validation token automatically

expires after 72 hours. If you do not receive the original email or the token has expired, you can request

that the email be resent.

Version 1.0

AWS Certiﬁcate Manager User Guide

Resend Email (Console)

Topics

•Resend Email (Console) (p. 37)

•Resend Email (CLI) (p. 37)

Resend Email (Console)

Select the check box for the pending certiﬁcate, choose Actions, and then choose Resend validation

email. If the 72-hour period has passed and the certiﬁcate status has changed to Timed out, you cannot

resend validation email.

Note

The preceding information applies only to certiﬁcates provided by ACM and only to certiﬁcates

that use email validation. Validation email is not required for certiﬁcates that you imported into

ACM (p. 44).

Note

Resending validation email applies only to certiﬁcates that use email validation, not DNS

validation. For more information about DNS domain validation, see Use DNS to Validate Domain

Ownership (p. 25).

Resend Email (CLI)

You can use the resend-validation-email command to resend email.

aws acm resend-validation-email --certificate-arn

arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012 --validation-

domain example.com

Note

The resend-validation-email command applies only to ACM certiﬁcates for which you are using

email validation. Validation is not required for certiﬁcates that you have imported into ACM or

for private certiﬁcates that you manage using ACM.

Version 1.0

AWS Certiﬁcate Manager User Guide

Domain Validation

Managed Renewal for ACM's

Amazon-Issued Certiﬁcates

ACM provides managed renewal for your Amazon-issued SSL/TLS certiﬁcates. This includes both public

and private certiﬁcates issued by using ACM. ACM tries to renew the certiﬁcates before they expire. If

possible, ACM renews your certiﬁcates automatically with no action required from you.

Note

Automatic renewal is not available for ACM Private CA certiﬁcates for which ACM does not

create the private key and certiﬁcate signing request (CSR), such as certiﬁcates issued directly

from your ACM Private CA without ACM certiﬁcate management. Additionally, automatic

renewal is not available for imported certiﬁcates (p. 44). For more information, see How

Manual Domain Validation Works.

Note

When ACM renews a certiﬁcate, the certiﬁcate's Amazon Resource Name (ARN) remains the

same. Also, ACM Certiﬁcates are regional resources (p. 8). If you have certiﬁcates for the same

domain name in multiple AWS Regions, ACM renews each of these certiﬁcates independently.

Important

Your ACM Certiﬁcate must be actively associated with a supported AWS service before it can be

automatically renewed. For information about the resources that ACM supports, see Services

Integrated with AWS Certiﬁcate Manager (p. 9).

For more information about managed certiﬁcate renewal, see the following topics. If you encounter

problems with managed renewal, see Troubleshoot Managed Certiﬁcate Renewal Problems (p. 99).

Topics

•How Domain Validation Works (p. 38)

•Check a Certiﬁcate's Renewal Status (p. 40)

•Request a Domain Validation Email for Certiﬁcate Renewal (p. 42)

How Domain Validation Works

Before renewing a certiﬁcate, ACM tries to automatically validate each domain name in the certiﬁcate.

For more information, see How Automatic Domain Validation Works (p. 38). If ACM can't

automatically validate a domain name, it notiﬁes you that you need to take action to manually validate

it. For more information, see When Automatic Validation Fails (p. 39). If the certiﬁcate is in use

(associated with an AWS service that is integrated with ACM) and if all of the domain names in the

certiﬁcate can be validated, ACM renews the certiﬁcate.

Topics

•How Automatic Domain Validation Works (p. 38)

•When Automatic Validation Fails (p. 39)

How Automatic Domain Validation Works

To validate a domain, ACM sends automated, periodic HTTPS requests to it. For domains that start

with www., ACM also sends HTTPS requests to the parent domain. For example, if your domain is

www.example.com, ACM sends periodic requests to www.example.com and to example.com. For

Version 1.0

AWS Certiﬁcate Manager User Guide

When Automatic Validation Fails

domains that don't start with www., ACM also sends HTTPS requests to www.domain. ACM treats

wildcard domain names (for example, *.example.com) the same as the parent domain. For examples,

see the following table.

Note

If any HTTPS connection attempt is successful, ACM attempts to renew the certiﬁcate

automatically.

Example domain names that ACM uses for automatic validation

Domain name in the certiﬁcate Domain names that ACM use for automatic

validation

example.com example.com

www.example.com

www.example.com www.example.com

example.com

*.example.com example.com

www.example.com

subdomain.example.com subdomain.example.com

www.subdomain.example.com

www.subdomain.example.com www.subdomain.example.com

subdomain.example.com

*.subdomain.example.com subdomain.example.com

www.subdomain.example.com

If ACM successfully establishes an HTTPS connection, ACM examines the certiﬁcate that is returned to

ensure it matches the one that ACM is renewing. If the certiﬁcate matches, ACM considers the domain

name validated.

When Automatic Validation Fails

If ACM is unable to automatically validate one or more domain names in a certiﬁcate, ACM notiﬁes you

that you need to take action to manually validate the domain. A domain can require manual validation

for the following reasons:

• ACM can't establish an HTTPS connection with the domain.

• The certiﬁcate that is returned in the response to the HTTPS requests doesn't match the one that ACM

is renewing.

When your certiﬁcate is 45 days from expiration and one or more domain names in the certiﬁcate

requires manual validation, ACM notiﬁes you in the following ways:

By email to the domain owner (email validation)

If you originally used email validation when you requested the certiﬁcate, ACM sends email to the

domain owner for each domain name that requires manual validation. To ensure that this email

Version 1.0

AWS Certiﬁcate Manager User Guide

Check Renewal Status

can be received, the domain owner must correctly conﬁgure email for each domain. For more

information, see (Optional) Conﬁgure Email for Your Domain (p. 17). The email contains a link that

you can follow to perform the validation. This link expires after 72 hours. If necessary, you can

use the AWS Certiﬁcate Manager console, AWS CLI, or API to request that ACM resend the domain

validation email. For more information, see Request a Domain Validation Email for Certiﬁcate

Renewal (p. 42).

By email to your AWS account (DNS validation)

If you originally used DNS validation when you requested your certiﬁcate, ACM sends email to the

address associated with your AWS account. The email informs you that ACM encountered a problem

when attempting to renew your certiﬁcate. The most likely problems are that the original CNAME

record is no longer in place or that your certiﬁcate is not associated with an AWS service that is

integrated with ACM. If you want to validate your domain and renew your certiﬁcate, you must edit

your DNS conﬁguration to ensure that the original CNAME record is in place. In addition, and you

must make sure that your ACM Certiﬁcate is in use. For more information about DNS validation, see

Use DNS to Validate Domain Ownership (p. 25).

By notiﬁcation in your AWS Personal Health Dashboard

ACM sends notiﬁcations to your AWS Personal Health Dashboard to let you know that one or more

domain names in the certiﬁcate require renewal. ACM sends these notiﬁcations when your certiﬁcate

is 45 days, 30 days, 15 days, 7 days, 3 days, and 1 day from expiration. These notiﬁcations are

informational only.

Check a Certiﬁcate's Renewal Status

You can use the AWS Certiﬁcate Manager console, the ACM API, the AWS CLI, or the Personal Health

Dashboard to check the renewal status of an ACM Certiﬁcate. If you use the console, AWS CLI, or ACM

API, certiﬁcate renewal can have one of the four possible status values listed below. Similar values are

displayed if you use the Personal Health Dashboard.

Pending automatic renewal

ACM is attempting to automatically validate the domain names in the certiﬁcate. For more

information, see How Domain Validation Works (p. 38). No further action is required.

Pending validation

ACM couldn't automatically validate one or more domain names in the certiﬁcate. You must take

action to validate these domain names or the certiﬁcate won't be renewed. If you originally used

email validation for the certiﬁcate, look for an email from ACM and then follow the link in that email

to perform the validation. If you used DNS validation, check to make sure your DNS record exists and

that your certiﬁcate remains in use.

Success

All domain names in the certiﬁcate are validated, and ACM renewed the certiﬁcate. No further action

is required.

Failed

One or more domain names were not validated before the certiﬁcate expired, and ACM did not

renew the certiﬁcate. You can request a new certiﬁcate (p. 20).

Note

It can take up to several hours for changes to the certiﬁcate status to become available.

Topics

•Check the status (console) (p. 41)

Version 1.0

AWS Certiﬁcate Manager User Guide

Check the status (console)

•Check the status (API) (p. 41)

•Check the status (CLI) (p. 41)

•Check the status (PHD) (p. 41)

Check the status (console)

The following procedure discusses how to use the ACM console to check the renewal status of an ACM

Certiﬁcate.

1. Open the AWS Certiﬁcate Manager console at https://console.aws.amazon.com/acm/home.

2. Expand a certiﬁcate to view its details.

3. Find the Renewal Status in the Details section. If you don't see the status, ACM hasn't started the

managed renewal process for this certiﬁcate.

Check the status (API)

For a Java example that shows how to use the DescribeCertiﬁcate action to check the status, see

Describing a Certiﬁcate (p. 77).

Check the status (CLI)

The following example shows how to check the status of your ACM certiﬁcate renewal with the AWS

Command Line Interface (AWS CLI).

$ aws acm describe-certificate --certificate-arn

arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e

In the response, note the value in the RenewalStatus ﬁeld. If you don't see the RenewalStatus ﬁeld,

ACM hasn't started the managed renewal process for your certiﬁcate.

Check the status (PHD)

ACM attempts to automatically renew your ACM Certiﬁcate sixty days prior to expiration. See How

Domain Validation Works (p. 38). If ACM cannot automatically renew your certiﬁcate, it sends

certiﬁcate renewal event notices to your Personal Health Dashboard at 45 day, 30 day, 15 day, 7 day, 3

day, and 1 day intervals from expiration to inform you that you need to take action. The Personal Health

Dashboard is part of the AWS Health service. It requires no setup and can be viewed by any user that is

authenticated in your account. For more information, see AWS Health User Guide.

To use the Personal Health Dashboard:

1. Log in to the Personal Health Dashboard at https://phd.aws.amazon.com/phd/home#/.

2. Choose Event log.

3. For Filter by tags or attributes, choose Service.

4. Choose Certiﬁcate Manager.

5. Choose Apply.

6. For Event category choose Scheduled Change.

7. Choose Apply.

If ACM has recently renewed an ACM Certiﬁcate, you will see information similar to the following.

Version 1.0

AWS Certiﬁcate Manager User Guide

Request Email (Optional)

Request a Domain Validation Email for Certiﬁcate

Renewal

After you have conﬁgured contact email addresses for your domain (see (Optional) Conﬁgure Email for

Your Domain (p. 17)), you can use the AWS Certiﬁcate Manager console or the ACM API to request that

ACM send you a domain validation email for your certiﬁcate renewal. You should do this in the following

circumstances:

• You used email validation when initially requesting your ACM Certiﬁcate.

• Your certiﬁcate's renewal status is pending validation. For information about determining a

certiﬁcate's renewal status, see Check a Certiﬁcate's Renewal Status (p. 40).

• You didn't receive or can't ﬁnd the original domain validation email that ACM sent for certiﬁcate

renewal.

Version 1.0

AWS Certiﬁcate Manager User Guide

Request Email (Optional)

To request that ACM resend the domain validation email (console)

1. Open the AWS Certiﬁcate Manager console at https://console.aws.amazon.com/acm/home.

2. Select the check box next to the certiﬁcate that requires manual domain validation. Then choose

Actions, Resend validation email.

To request that ACM resend the domain validation email (ACM API)

Use the ResendValidationEmail operation in the ACM API. In doing so, pass the ARN of the certiﬁcate, the

domain that requires manual validation, and domain where you want to receive the domain validation

emails. The following example shows how to do this with the AWS CLI. This example contains line breaks

to make it easier to read.

$ aws acm resend-validation-email --certificate-arn arn:aws:acm:us-

east-2:111122223333:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e

--domain subdomain.example.com

--validation-domain example.com

Version 1.0

AWS Certiﬁcate Manager User Guide

Prerequisites

Importing Certiﬁcates into AWS

Certiﬁcate Manager

In addition to requesting SSL/TLS certiﬁcates provided by AWS Certiﬁcate Manager (ACM), you can

import certiﬁcates that you obtained outside of AWS. You might do this because you already obtained

a certiﬁcate from a third-party issuer, or because the certiﬁcates provided by ACM do not meet your

requirements.

After you import an SSL/TLS certiﬁcate obtained outside of AWS and associated it with services

integrated with ACM, you can reimport that certiﬁcate while preserving its associations.

After you import a certiﬁcate, you can use it with the AWS services that are integrated with ACM (p. 9).

The certiﬁcates that you import work the same as those provided by ACM, with one important exception:

ACM does not provide managed renewal (p. 38) for imported certiﬁcates.

Important

You are responsible for monitoring the expiration date of your imported certiﬁcates and for

renewing them before they expire. If you import a new certiﬁcate with the same ARN as the

expiring certiﬁcate, the new certiﬁcate replaces the old one. In addition, ACM associates the new

certiﬁcate with the same services and resources as the old certiﬁcate.

Important

We recommend that you do not pin an ACM Certiﬁcate. For more information, see Certiﬁcate

Pinning (p. 12) and Troubleshoot Certiﬁcate Pinning Problems (p. 97).

To renew an imported certiﬁcate, you can obtain a new certiﬁcate from your certiﬁcate issuer and then

import it to ACM, or you can request a new certiﬁcate (p. 20) from ACM.

All certiﬁcates in ACM are regional resources, including the certiﬁcates that you import. To use the same

certiﬁcate with Elastic Load Balancing load balancers in diﬀerent AWS regions, you must import the

certiﬁcate into each region where you want to use it. To use a certiﬁcate with Amazon CloudFront, you

must import it into the US East (N. Virginia) region. For more information, see Supported Regions (p. 8).

For information about how to import certiﬁcates into ACM, see the following topics. If you encounter

problems importing a certiﬁcate, see Troubleshoot Certiﬁcate Importing Problems (p. 97).

Topics

•Prerequisites for Importing Certiﬁcates (p. 44)

•Certiﬁcate and Key Format for Importing (p. 45)

•Import a Certiﬁcate (p. 46)

•Reimport a Certiﬁcate (p. 47)

Prerequisites for Importing Certiﬁcates

To import a self–signed SSL/TLS certiﬁcate into ACM, you must provide the certiﬁcate and its private key.

To import a signed certiﬁcate, you must also include the certiﬁcate chain. Your certiﬁcate must satisfy

the following criteria:

• The certiﬁcate must specify an algorithm and key size. Currently, the following public key algorithms

are supported by ACM:

Version 1.0

AWS Certiﬁcate Manager User Guide

Certiﬁcate Format

• 1024-bit RSA (RSA_1024)

• 2048-bit RSA (RSA_2048)

• 4096-bit RSA (RSA_4096)

• Elliptic Prime Curve 256 bit (EC_prime256v1)

• Elliptic Prime Curve 384 bit (EC_secp384r1)

• Elliptic Prime Curve 521 bit (EC_secp521r1)

Important

Note that integrated services allow only algorithms and key sizes they support to be associated

with their resources. Further, their support diﬀers depending on whether the certiﬁcate is

imported into IAM or into ACM. For more information, see the documentation for each service.

• For Elastic Load Balancing, see HTTPS Listeners for Your Application Load Balancer.

• For CloudFront, see Supported SSL/TLS Protocols and Ciphers.

• The certiﬁcate must be an SSL/TLS X.509 version 3 certiﬁcate. It must contain a public key, the fully

qualiﬁed domain name (FQDN) for your website, and information about the issuer. The certiﬁcate can

be self-signed by your private key or by the private key of an issuing CA. If your certiﬁcate is signed by

a CA, you must include the certiﬁcate chain when you import your certiﬁcate.

• The certiﬁcate must be valid at the time of import. You cannot import a certiﬁcate before its validity

period begins or after it expires. The NotBefore certiﬁcate ﬁeld contains the validity start date, and

the NotAfter ﬁeld contains the end date.

• The private key must be unencrypted. You cannot import a private key that is protected by a password

or passphrase.

• The certiﬁcate, private key, and certiﬁcate chain must be PEM–encoded. For more information and

examples, see Certiﬁcate and Key Format for Importing (p. 45).

Certiﬁcate and Key Format for Importing

The certiﬁcate, private key, and certiﬁcate chain must be PEM–encoded. PEM stands for Privacy

Enhanced Mail. The PEM format is often used to represent certiﬁcates, certiﬁcate requests, certiﬁcate

chains, and keys. The typical extension for a PEM–formatted ﬁle is .pem, but it doesn't need to be.

The following examples illustrate the format. Note that if you edit any of the characters in a PEM ﬁle

incorrectly or if you add one or more spaces to the end of any line, the certiﬁcate, certiﬁcate chain, or

private key will be invalid.

Example PEM–encoded certiﬁcate

-----BEGINCERTIFICATE-----

Base64–encoded certificate

-----ENDCERTIFICATE-----

Example PEM–encoded certiﬁcate chain

A certiﬁcate chain contains one or more certiﬁcates. You can use a text editor, the copy command in

Windows, or the Linux cat command to concatenate your certiﬁcate ﬁles into a chain. The certiﬁcates

must be concatenated in order so that each directly certiﬁes the one preceding. Copy the root CA

certiﬁcate last. The following example contains three certiﬁcates, but your certiﬁcate chain might

contain more or fewer.

Important

Do not copy your certiﬁcate into the certiﬁcate chain.

Version 1.0

AWS Certiﬁcate Manager User Guide

Import a Certiﬁcate

-----BEGINCERTIFICATE-----

Base64–encoded certificate

-----ENDCERTIFICATE-----

-----BEGINCERTIFICATE-----

Base64–encoded certificate

-----ENDCERTIFICATE-----

-----BEGINCERTIFICATE-----

Base64–encoded certificate

-----ENDCERTIFICATE-----

Example PEM–encoded private keys

X.509 version 3 certiﬁcates utilize public key algorithms. When you create an X.509 certiﬁcate or

certiﬁcate request, you specify the algorithm and the key bit size that must be used to create the

private–public key pair. The public key is placed in the certiﬁcate or request. You must keep the

associated private key secret. Specify the private key when you import the certiﬁcate. The key must be

unencrypted. The following example shows an RSA private key.

-----BEGINRSAPRIVATEKEY-----

Base64–encoded private key

-----ENDRSAPRIVATEKEY-----

The next example shows a PEM–encoded elliptic curve private key. Depending on how you create the key,

the parameters block might not be included. If the parameters block is included, ACM removes it before

using the key during the import process.

-----BEGIN EC PARAMETERS-----

Base64–encoded parameters

-----END EC PARAMETERS-----

-----BEGIN EC PRIVATE KEY-----

Base64–encoded private key

-----END EC PRIVATE KEY-----

Import a Certiﬁcate

You can import a certiﬁcate into ACM by using the AWS Management Console, the AWS CLI, or the ACM

API. The following topics show you how to use the AWS Management Console and the AWS CLI.

Topics

•Import Using the Console (p. 46)

•Import Using the AWS CLI (p. 47)

Import Using the Console

The following example shows how to import a certiﬁcate using the AWS Management Console.

1. Open the ACM console at https://console.aws.amazon.com/acm/home.

2. Choose Import a certiﬁcate.

3. Do the following:

a. For Certiﬁcate body, paste the PEM-encoded certiﬁcate to import.

Version 1.0

AWS Certiﬁcate Manager User Guide

Import Using the AWS CLI

b. For Certiﬁcate private key, paste the PEM-encoded, unencrypted private key that matches the

certiﬁcate's public key.

Important

Currently, Services Integrated with AWS Certiﬁcate Manager (p. 9) support only the

RSA_1024 and RSA_2048 algorithms.

c. (Optional) For Certiﬁcate chain, paste the PEM-encoded certiﬁcate chain.

4. Choose Review and import.

5. Review the information about your certiﬁcate, then choose Import.

Import Using the AWS CLI

The following example shows how to import a certiﬁcate using the AWS Command Line Interface (AWS

CLI). The example assumes the following:

• The PEM-encoded certiﬁcate is stored in a ﬁle named Certificate.pem.

• The PEM-encoded certiﬁcate chain is stored in a ﬁle named CertificateChain.pem.

• The PEM-encoded, unencrypted private key is stored in a ﬁle named PrivateKey.pem.

To use the following example, replace the ﬁle names with your own and type the command on one

continuous line. The following example includes line breaks and extra spaces to make it easier to read.

$ aws acm import-certificate --certificate file://Certificate.pem

--certificate-chain file://CertificateChain.pem

--private-key file://PrivateKey.pem

If the import-certificate command is successful, it returns the Amazon Resource Name (ARN) of the

imported certiﬁcate.

Reimport a Certiﬁcate

If you imported a certiﬁcate and associated it with other AWS services, you can reimport that certiﬁcate

before it expires while preserving the AWS service associations of the original certiﬁcate. For more

information about AWS services integrated with ACM, see Services Integrated with AWS Certiﬁcate

Manager (p. 9).

The following conditions apply when you reimport a certiﬁcate:

• You can add or remove domain names.

• You cannot remove all of the domain names from a certiﬁcate.

• You can add new Key Usage extensions but existing extension values cannot be removed.

• You can add new Extended Key Usage extensions but existing extension values cannot be removed.

• The key type and size cannot be changed.

Topics

•Reimporting Using the Console (p. 48)

•Reimporting Using the AWS CLI (p. 48)

Version 1.0

AWS Certiﬁcate Manager User Guide

Reimporting Using the Console

The following example shows how to reimport a certiﬁcate using the AWS Management Console.

1. Open the ACM console at https://console.aws.amazon.com/acm/home.

2. Select or expand the certiﬁcate to reimport.

3. Open the details pane of the certiﬁcate and choose the Reimport certiﬁcate button. If you selected

the certiﬁcate by checking the box beside its name, choose Reimport certiﬁcate on the Actions

menu.

4. For Certiﬁcate body, paste the PEM-encoded end-entity certiﬁcate.

5. For Certiﬁcate private key, paste the unencrypted PEM-encoded private key associated with the

certiﬁcate's public key.

Important

Currently, Services Integrated with AWS Certiﬁcate Manager (p. 9) support only the

RSA_1024 and RSA_2048 algorithms.

6. (Optional) For Certiﬁcate chain, paste the PEM-encoded certiﬁcate chain. The certiﬁcate chain

includes one or more certiﬁcates for all intermediate issuing certiﬁcation authorities, and the root

certiﬁcate. If the certiﬁcate to be imported is self-assigned, no certiﬁcate chain is necessary.

7. Choose Review and import.

8. Review the information about your certiﬁcate. If there are no errors, choose Reimport.

Reimporting Using the AWS CLI

The following example shows how to reimport a certiﬁcate using the AWS Command Line Interface (AWS

CLI). The example assumes the following:

• The PEM-encoded certiﬁcate is stored in a ﬁle named Certificate.pem.

• The PEM-encoded certiﬁcate chain is stored in a ﬁle named CertificateChain.pem.

• The PEM-encoded, unencrypted private key is stored in a ﬁle named PrivateKey.pem.

• You have the ARN of the certiﬁcate you want to reimport.

To use the following example, replace the ﬁle names and the ARN with your own and type the command

on one continuous line. The following example includes line breaks and extra spaces to make it easier to

read.

Note

To reimport a certiﬁcate, you must specify the certiﬁcate ARN.

$ aws acm import-certificate --certificate file://Certificate.pem

--certificate-chain file://CertificateChain.pem

--private-key file://PrivateKey.pem

--certificate-

arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901

If the import-certificate command is successful, it returns the Amazon Resource Name (ARN) of the

certiﬁcate.

Version 1.0

AWS Certiﬁcate Manager User Guide

Tag Restrictions

Tagging AWS Certiﬁcate Manager

Certiﬁcates

A tag is a label that you can assign to an ACM Certiﬁcate. Each tag consists of a key and a value. You can

use the AWS Certiﬁcate Manager console, AWS Command Line Interface (AWS CLI), or ACM API to add,

view, or remove tags for ACM Certiﬁcates. You can choose which tags to display in the ACM console.

You can create custom tags that suit your needs. For example, you could tag multiple ACM Certiﬁcates

with an Environment = Prod or Environment = Beta tag to identify which environment each ACM

Certiﬁcate is intended for. The following list includes a few additional examples of other custom tags:

•Admin = Alice

•Purpose = Website

•Protocol = TLS

•Registrar = Route53

Other AWS resources also support tagging. You can, therefore, assign the same tag to diﬀerent resources

to indicate whether those resources are related. For example, you can assign a tag such as Website =

example.com to the ACM Certiﬁcate, the load balancer, and other resources used for your example.com

website.

Topics

•Tag Restrictions (p. 49)

•Managing Tags (p. 49)

Tag Restrictions

The following basic restrictions apply to ACM Certiﬁcate tags:

• The maximum number of tags per ACM Certiﬁcate is 50.

• The maximum length of a tag key is 127 characters.

• The maximum length of a tag value is 255 characters.

• Tag keys and values are case sensitive.

• The aws: preﬁx is reserved for AWS use; you cannot add, edit, or delete tags whose key begins with

aws:. Tags that begin with aws: do not count against your tags-per-resource limit.

• If you plan to use your tagging schema across multiple services and resources, remember that other

services may have other restrictions for allowed characters. Refer to the documentation for that

service.

• ACM Certiﬁcate tags are not available for use in the AWS Management Console's Resource Groups and

Tag Editor.

Managing Tags

You can add, edit, and delete tags by using the AWS Management Console, the AWS Command Line

Interface, or the AWS Certiﬁcate Manager API.

Version 1.0

AWS Certiﬁcate Manager User Guide

Managing Tags (Console)

You can use the AWS Management Console to add, delete, or edit tags. You can also display tags in

columns.

Adding a Tag (Console)

Use the following procedure to add tags by using the ACM console.

To add a tag to a certiﬁcate (console)

1. Sign into the AWS Management Console and open the AWS Certiﬁcate Manager console at https://

console.aws.amazon.com/acm/home.

2. Choose the arrow next to the certiﬁcate that you want to tag.

3. In the details pane, scroll down to Tags.

4. Choose Edit and Add Tag.

5. Type a key and a value for the tag.

6. Choose Save.

Deleting a Tag (Console)

Use the following procedure to delete tags by using the ACM console.

To delete a tag (console)

1. Sign into the AWS Management Console and open the AWS Certiﬁcate Manager console at https://

console.aws.amazon.com/acm/home.

2. Choose the arrow next to the certiﬁcate with a tag that you want to delete.

3. In the details pane, scroll down to Tags.

4. Choose Edit.

5. Choose the X next to the tag you want to delete.

6. Choose Save.

Editing a Tag (Console)

Use the following procedure to edit tags by using the ACM console.

To edit a tag (console)

1. Sign into the AWS Management Console and open the AWS Certiﬁcate Manager console at https://

console.aws.amazon.com/acm/home.

2. Choose the arrow next to certiﬁcate you want to edit.

3. In the details pane, scroll down to Tags.

4. Choose Edit.

5. Modify the key or value of the tag you want to change.

6. Choose Save.

Showing Tags in Columns (Console)

Use the following procedure to show tags in columns in the ACM console.

Version 1.0

AWS Certiﬁcate Manager User Guide

Managing Tags (AWS Command Line Interface)

To display tags in columns (console)

1. Sign into the AWS Management Console and open the AWS Certiﬁcate Manager console at https://

console.aws.amazon.com/acm/home.

Choose the tags that you want to display as columns by choosing the gear icon in the upper

right corner of the console.

3. Select the check box beside the tag that you want to display in a column.

Managing Tags (AWS Command Line Interface)

Refer to the following topics to learn how to add, list, and delete tags by using the AWS CLI.

•add-tags-to-certiﬁcate

•list-tags-for-certiﬁcate

•remove-tags-from-certiﬁcate

Managing Tags (AWS Certiﬁcate Manager API)

Refer to the following topics to learn how to add, list, and delete tags by using the API.

•AddTagsToCertiﬁcate

•ListTagsForCertiﬁcate

•RemoveTagsFromCertiﬁcate

Version 1.0

AWS Certiﬁcate Manager User Guide

Authentication

Authentication and Access Control

Access to ACM requires credentials that AWS can use to authenticate your requests. The credentials

must have permissions to access AWS resources such as ACM Certiﬁcates. The following sections provide

details on how you can use AWS Identity and Access Management (IAM) and ACM to help secure your

resources by controlling who can access them.

Topics

•Authentication (p. 52)

•Access Control (p. 53)

Authentication

You can access AWS as any of the following types of identities:

•AWS account root user – When you ﬁrst create an AWS account, you begin with a single sign-in

identity that has complete access to all AWS services and resources in the account. This identity is

called the AWS account root user and is accessed by signing in with the email address and password

that you used to create the account. We strongly recommend that you do not use the root user for

your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the

root user only to create your ﬁrst IAM user. Then securely lock away the root user credentials and use

them to perform only a few account and service management tasks.

•IAM user – An IAM user is an identity within your AWS account that has speciﬁc custom permissions

(for example, permissions to create a directory in ACM). You can use an IAM user name and password

to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, or the

AWS Support Center.



In addition to a user name and password, you can also generate access keys for each user. You can

use these keys when you access AWS services programmatically, either through one of the several

SDKs or by using the AWS Command Line Interface (CLI). The SDK and CLI tools use the access keys

to cryptographically sign your request. If you don’t use AWS tools, you must sign the request yourself.

ACM supports Signature Version 4, a protocol for authenticating inbound API requests. For more

information about authenticating requests, see Signature Version 4 Signing Process in the AWS General

Reference.



•IAM role – An IAM role is an IAM identity that you can create in your account that has speciﬁc

permissions. It is similar to an IAM user, but it is not associated with a speciﬁc person. An IAM role

enables you to obtain temporary access keys that can be used to access AWS services and resources.

IAM roles with temporary credentials are useful in the following situations:



•Federated user access – Instead of creating an IAM user, you can use existing user identities from

AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as

federated users. AWS assigns a role to a federated user when access is requested through an identity

provider. For more information about federated users, see Federated Users and Roles in the IAM User

Guide.

Version 1.0

AWS Certiﬁcate Manager User Guide

Access Control



•AWS service access – You can use an IAM role in your account to grant an AWS service permissions

to access your account’s resources. For example, you can create a role that allows Amazon Redshift

to access an Amazon S3 bucket on your behalf and then load data from that bucket into an Amazon

Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an AWS

Service in the IAM User Guide.



•Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials

for applications that are running on an EC2 instance and making AWS API requests. This is preferable

to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make

it available to all of its applications, you create an instance proﬁle that is attached to the instance.

An instance proﬁle contains the role and enables programs that are running on the EC2 instance

to get temporary credentials. For more information, see Using an IAM Role to Grant Permissions to

Applications Running on Amazon EC2 Instances in the IAM User Guide.

Access Control

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot

create or access ACM resources. For example, you must have permission to create, import, retrieve, or list

certiﬁcates.

The following topics describe how to manage permissions. We recommend that you read the overview

ﬁrst.

•Overview of Managing Access to Your ACM Resources (p. 53)

•AWS–Managed Policies (p. 55)

•Customer Managed Policies (p. 56)

•Inline Policies (p. 56)

•ACM API Permissions: Actions and Resources Reference (p. 58)

Overview of Managing Access to Your ACM

Resources

Every AWS resource belongs to an AWS account, and permissions to create or access the resources are

deﬁned in permissions policies in that account. An account administrator can attach permissions policies

to IAM identities (that is, users, groups, and roles). Some services (including ACM) also support attaching

permissions policies to resources.

Note

An account administrator (or administrator user) is a user with administrator permissions. For

more information, see Creating an Admin User and Group in the IAM User Guide.

When managing permissions, you decide who gets the permissions, the resources they get permissions

for, and the speciﬁc actions allowed.

Topics

•ACM Resources and Operations (p. 54)

•Understanding Resource Ownership (p. 54)

Version 1.0

AWS Certiﬁcate Manager User Guide

ACM Resources and Operations

•Managing Access to ACM Certiﬁcates (p. 54)

ACM Resources and Operations

In ACM, the primary resource is a certiﬁcate. Certiﬁcates have unique Amazon Resource Names (ARNs)

associated with them as shown in the following list.

•ACM Certiﬁcate

ARN format:

arn:aws:acm:AWS region:AWS account ID:certificate/Certificate ID

Example ARN:

arn:aws:acm:us-

west-2:123456789012:certificate/12345678-12ab-34cd-56ef-12345678

Understanding Resource Ownership

A resource owner is the AWS account that created a resource. That is, the resource owner is the AWS

account of the principal entity that authenticates the request that created the resource. (A principle

entity can be an AWS account root user, an IAM user, or an IAM role.) The following examples illustrate

how this works.

• If you use the credentials of your AWS account root user to create an ACM Certiﬁcate, your AWS

account owns the certiﬁcate.

• If you create an IAM user in your AWS account, you can grant that user permission to create an ACM

Certiﬁcate. However, the account to which that user belongs owns the certiﬁcate.

• If you create an IAM role in your AWS account and grant it permission to create an ACM Certiﬁcate,

anyone who can assume the role can create a certiﬁcate. However, the account to which the role

belongs owns the certiﬁcate.

Managing Access to ACM Certiﬁcates

A permissions policy describes who has access to what. This section explains the available options for

creating permissions policies.

Note

This section discusses using IAM in the context of ACM. It doesn't provide detailed information

about the IAM service. For complete IAM documentation, see the IAM User Guide. For

information about IAM policy syntax and descriptions, see AWS IAM Policy Reference.

You can use IAM to create policies that apply permissions to IAM users, groups, and roles. These are

called identity–based policies. IAM oﬀers the following types of identity–based policies:

•AWS–managed policies – Policies that are created and managed by AWS. These are standalone

policies that you can attach to multiple users, groups, and roles in your AWS account.

•Customer–managed policies – Policies that you create and manage in your AWS account and which

you can attach to multiple users, groups, and roles. You have more precise control when using

customer managed policies than you have when using AWS managed policies.

•Inline policies – Policies that you create and manage and which you embed directly into a single user,

group, or role.

Version 1.0

AWS Certiﬁcate Manager User Guide

AWS–Managed Policies

Other services, such as Amazon S3, also support resource–based permissions policies. For example, you

can attach a policy to an Amazon S3 bucket to manage access permissions to that bucket. ACM does not

support resource-based policies.

AWS–Managed Policies

AWS managed policies are standalone identity–based policies that you can attach to multiple users,

groups, and roles in your AWS account. AWS managed policies are created and managed by AWS. The

following AWS managed policies are available for ACM. For more information about attaching managed

policies to a user, group, or role, see Working with Managed Policies in the IAM User Guide.

To use an AWS managed policy, a user with administrative privileges must attach the policy to a user,

role, or group. For more information about attaching AWS managed policies, see Attaching Managed

Policies in the IAM User Guide.

Topics

•AWSCertiﬁcateManagerReadOnly (p. 55)

•AWSCertiﬁcateManagerFullAccess (p. 55)

AWSCertiﬁcateManagerReadOnly

This policy provides read–only access to ACM Certiﬁcates; it allows users to describe, list, and retrieve

ACM Certiﬁcates.

{

"Version": "2012-10-17",

"Statement": {

"Effect": "Allow",

"Action": [

"acm:DescribeCertificate",

"acm:ListCertificates",

"acm:GetCertificate",

"acm:ListTagsForCertificate"

"Resource": "*"

}

To view this AWS managed policy in the console, go to https://console.aws.amazon.com/iam/

home#policies/arn:aws:iam::aws:policy/AWSCertiﬁcateManagerReadOnly.

AWSCertiﬁcateManagerFullAccess

This policy provides full access to all ACM actions and resources.

{

"Version": "2012-10-17",

"Statement": [{

"Effect": "Allow",

"Action": ["acm:*"],

"Resource": "*"

}]

}

Version 1.0

AWS Certiﬁcate Manager User Guide

Customer Managed Policies

To view this AWS managed policy in the console, go to https://console.aws.amazon.com/iam/

home#policies/arn:aws:iam::aws:policy/AWSCertiﬁcateManagerFullAccess.

Customer Managed Policies

Customer managed policies are standalone identity–based policies that you create and which you can

attach to multiple users, groups, or roles in your AWS account. You can manage and create policies using

the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API. For more

information, see Customer Managed Policies .

Inline Policies

Inline policies are policies that you create and manage and embed directly into a single user, group, or

role. The following policy examples show how to assign permissions to perform ACM actions. For more

information about attaching inline policies, see Working with Inline Policies in the IAM User Guide. You

can use the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API to

create and embed inline policies.

Topics

•Listing Certiﬁcates (p. 56)

•Retrieving a Certiﬁcate (p. 56)

•Importing a Certiﬁcate (p. 57)

•Deleting a Certiﬁcate (p. 57)

•Read-Only Access to ACM (p. 57)

•Full Access to ACM (p. 58)

•Administrator Access to All AWS Resources (p. 58)

Listing Certiﬁcates

The following policy allows a user to list all of the ACM Certiﬁcates in the user's account.

{

"Version": "2012-10-17",

"Statement": [{

"Effect": "Allow",

"Action": "acm:ListCertificates",

"Resource": "*"

}]

}

Note

This permission is required for ACM Certiﬁcates to appear in the Elastic Load Balancing and

CloudFront consoles.

Retrieving a Certiﬁcate

The following policy allows a user to retrieve a speciﬁc ACM Certiﬁcate.

Version 1.0

AWS Certiﬁcate Manager User Guide

Importing a Certiﬁcate

{

"Version": "2012-10-17",

"Statement": {

"Effect": "Allow",

"Action": "acm:GetCertificate",

"Resource": "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

}

Importing a Certiﬁcate

The following policy allows a user to import a certiﬁcate.

{

"Version": "2012-10-17",

"Statement": {

"Effect": "Allow",

"Action": "acm:ImportCertificate",

"Resource": "arn:aws:acm:ap-

northeast-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

}

Deleting a Certiﬁcate

The following policy allows a user to delete a speciﬁc ACM Certiﬁcate.

{

"Version": "2012-10-17",

"Statement": {

"Effect": "Allow",

"Action": "acm:DeleteCertificate",

"Resource": "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

}

Read-Only Access to ACM

The following policy allows a user to describe and list an ACM Certiﬁcate and to retrieve the ACM

Certiﬁcate and certiﬁcate chain.

{

"Version": "2012-10-17",

"Statement": {

"Effect": "Allow",

"Action": [

"acm:DescribeCertificate",

"acm:ListCertificates",

"acm:GetCertificate",

"acm:ListTagsForCertificate"

Version 1.0

AWS Certiﬁcate Manager User Guide

Full Access to ACM

"Resource": "*"

}

Note

This policy is available as an AWS–managed policy in the AWS Management Console. For more

information, see AWSCertiﬁcateManagerReadOnly (p. 55). To view the managed policy in the

console, go to https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/

AWSCertiﬁcateManagerReadOnly.

Full Access to ACM

The following policy allows a user to perform any ACM action.

{

"Version": "2012-10-17",

"Statement": [{

"Effect": "Allow",

"Action": ["acm:*"],

"Resource": "*"

}]

}

Note

This policy is available as an AWS–managed policy in the AWS Management Console. For more

information, see AWSCertiﬁcateManagerFullAccess (p. 55). To view the managed policy in the

console, go to https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/

AWSCertiﬁcateManagerFullAccess.

Administrator Access to All AWS Resources

The following policy allows a user to perform any action on any AWS resource.

{

"Version": "2012-10-17",

"Statement": [{

"Effect": "Allow",

"Action": "*",

"Resource": "*"

}]

}

Note

This policy is available as an AWS–managed policy in the AWS Management Console. To view

the managed policy in the console, go to https://console.aws.amazon.com/iam/home#policies/

arn:aws:iam::aws:policy/AdministratorAccess.

ACM API Permissions: Actions and Resources

Reference

When you are setting up access control (p. 53) and writing permissions policies that you can attach

to an IAM identity (identity-based policies), you can use the following table as a reference. The ﬁrst

Version 1.0

AWS Certiﬁcate Manager User Guide

ACM API Permissions Reference

column in the table lists each ACM API operation. You specify actions in a policy's Action element. The

remaining columns provide the additional information:

You can use the IAM policy elements in your ACM policies to express conditions. For a complete list, see

Available Keys in the IAM User Guide.

Note

To specify an action, use the acm: preﬁx followed by the API operation name (for example,

acm:RequestCertificate).

ACM API Operations and Permissions

ACM API Operations Required Permissions (API

Actions)

Resources

AddTagsToCertiﬁcate acm:AddTagsToCertificate arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

DeleteCertiﬁcate acm:DeleteCertificate arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

DescribeCertiﬁcate acm:DescribeCertificate arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

ExportCertiﬁcate acm:ExportCertificate arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

GetCertiﬁcate acm:GetCertificate arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

ImportCertiﬁcate acm:ImportCertificate arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

ListCertiﬁcates acm:ListCertificates arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

ListTagsForCertiﬁcate acm:ListTagsForCertificate arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

RemoveTagsFromCertiﬁcate acm:RemoveTagsFromCertificatearn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

RequestCertiﬁcate acm:RequestCertificate arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

ResendValidationEmail acm:ResendValidationEmail arn:aws:acm:AWS_region:AWS_account_ID:certificate/

certificate_ID

Version 1.0

AWS Certiﬁcate Manager User Guide

Logging ACM API Calls

Using AWS CloudTrail

You can use CloudTrail to record API calls that are made by AWS Certiﬁcate Manager and by services

integrated with ACM as discussed in the following topics.

Topics

•Logging AWS Certiﬁcate Manager API Calls with AWS CloudTrail (p. 60)

•Logging ACM-Related API Calls (p. 69)

Logging AWS Certiﬁcate Manager API Calls with

AWS CloudTrail

ACM is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role,

or an AWS service in ACM. CloudTrail captures API calls for ACM as events, including calls from the

ACM console and code calls to the ACM API operations. If you create a trail, you can enable continuous

delivery of CloudTrail events to an Amazon S3 bucket, including events for ACM. If you don't conﬁgure

a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the

information collected by CloudTrail, you can determine the request that was made to ACM, the IP

address from which the request was made, who made the request, when it was made, and additional

details.

To learn more about CloudTrail, including how to conﬁgure and enable it, see the AWS CloudTrail User

Guide.

ACM Information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When supported event activity

occurs in ACM, that activity is recorded in a CloudTrail event along with other AWS service events

in Event history. You can view, search, and download recent events in your AWS account. For more

information, see Viewing Events with CloudTrail Event History.

For an ongoing record of events in your AWS account, including events for ACM, create a trail. A trail

enables CloudTrail to deliver log ﬁles to an Amazon S3 bucket. By default, when you create a trail in the

console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition

and delivers the log ﬁles to the Amazon S3 bucket that you specify. Additionally, you can conﬁgure

other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more

information, see the following:

•Overview for Creating a Trail

•CloudTrail Supported Services and Integrations

•Conﬁguring Amazon SNS Notiﬁcations for CloudTrail

•Receiving CloudTrail Log Files from Multiple Regions and Receiving CloudTrail Log Files from Multiple

Accounts

ACM Actions Supported in CloudTrail

ACM supports logging the following actions as events in CloudTrail log ﬁles:

•AddTagsToCertiﬁcate

Version 1.0

AWS Certiﬁcate Manager User Guide

Example: ACM Log File Entries

•DeleteCertiﬁcate

•DescribeCertiﬁcate

•ExportCertiﬁcate

•GetCertiﬁcate

•ImportCertiﬁcate

•ListCertiﬁcates

•ListTagsForCertiﬁcate

•RemoveTagsFromCertiﬁcate

•RequestCertiﬁcate

•ResendValidationEmail

Every event or log entry contains information about who generated the request. The identity

information helps you determine the following:

• Whether the request was made with root or AWS Identity and Access Management (IAM) user

credentials.

• Whether the request was made with temporary security credentials for a role or federated user.

• Whether the request was made by another AWS service.

For more information, see the CloudTrail userIdentity Element.

Example: ACM Log File Entries

A trail is a conﬁguration that enables delivery of events as log ﬁles to an Amazon S3 bucket that you

specify. CloudTrail log ﬁles contain one or more log entries. An event represents a single request from

any source and includes information about the requested action, the date and time of the action, request

parameters, and so on. CloudTrail log ﬁles aren't an ordered stack trace of the public API calls, so they

don't appear in any speciﬁc order.

For examples of possible ACM CloudTrail entries, see the following topics.

Topics

•Adding Tags to a Certiﬁcate (p. 61)

•Deleting a Certiﬁcate (p. 62)

•Describing a Certiﬁcate (p. 63)

•Exporting a Certiﬁcate (p. 63)

•Import a Certiﬁcate (p. 64)

•Listing Certiﬁcates (p. 66)

•Listing Tags for a Certiﬁcate (p. 66)

•Removing Tags from a Certiﬁcate (p. 67)

•Requesting a Certiﬁcate (p. 67)

•Resending Validation Email (p. 68)

•Retrieving a Certiﬁcate (p. 69)

Adding Tags to a Certiﬁcate

The following CloudTrail example shows the results of a call to the AddTagsToCertiﬁcate API.

Version 1.0

AWS Certiﬁcate Manager User Guide

Example: ACM Log File Entries

{

Records: [{

eventVersion: "1.04",

userIdentity: {

type: "IAMUser",

principalId: "AIDACKCEVSQ6C2EXAMPLE",

arn: "arn:aws:iam::123456789012:user/Alice",

accountId: "123456789012",

accessKeyId: "AKIAIOSFODNN7EXAMPLE",

userName: "Alice"

eventTime: "2016-04-06T13:53:53Z",

eventSource: "acm.amazonaws.com",

eventName: "AddTagsToCertificate",

awsRegion: "us-east-1",

sourceIPAddress: "192.0.2.0",

userAgent: "aws-cli/1.10.16",

requestParameters: {

tags: [{

value: "Alice",

key: "Admin"

}],

certificateArn: "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

responseElements: null,

requestID: "ffd7dd1b-fbfe-11e5-ba7b-5f4e988901f9",

eventID: "4e7b10bb-7010-4e60-8376-0cac3bc860a5",

eventType: "AwsApiCall",

recipientAccountId: "123456789012"

}]

}

Deleting a Certiﬁcate

The following CloudTrail example shows the results of a call to the DeleteCertiﬁcate API.

{

"Records": [{

"eventVersion": "1.04",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::123456789012:user/Alice",

"accountId": "123456789012",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice"

"eventTime": "2016-03-18T00:00:26Z",

"eventSource": "acm.amazonaws.com",

"eventName": "DeleteCertificate",

"awsRegion": "us-east-1",

"sourceIPAddress": "192.0.2.0",

"userAgent": "aws-cli/1.9.15",

"requestParameters": {

"certificateArn": "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

"responseElements": null,

"requestID": "6b0f5bb9-ec9c-11e5-a28b-51e7e3169e0f",

"eventID": "08f18f8a-a827-4924-b864-afaf98517793",

"eventType": "AwsApiCall",

"recipientAccountId": "123456789012"

Version 1.0

AWS Certiﬁcate Manager User Guide

Example: ACM Log File Entries

}]

}

Describing a Certiﬁcate

The following CloudTrail example shows the results of a call to the DescribeCertiﬁcate API.

Note

The CloudTrail log for the DescribeCertificate action does not display information about

the ACM Certiﬁcate you specify. You can view information about the certiﬁcate by using the

console, the AWS Command Line Interface, or the DescribeCertiﬁcate API.

{

"Records": [{

"eventVersion": "1.04",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::123456789012:user/Alice",

"accountId": "123456789012",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice"

"eventTime": "2016-03-18T00:00:42Z",

"eventSource": "acm.amazonaws.com",

"eventName": "DescribeCertificate",

"awsRegion": "us-east-1",

"sourceIPAddress": "192.0.2.0",

"userAgent": "aws-cli/1.9.15",

"requestParameters": {

"certificateArn": "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

"responseElements": null,

"requestID": "74b91d83-ec9c-11e5-ac34-d1e4dfe1a11b",

"eventID": "7779b6da-75c2-4994-b8c1-af3ad47b518a",

"eventType": "AwsApiCall",

"recipientAccountId": "123456789012"

}]

}

Exporting a Certiﬁcate

The following CloudTrail example shows the results of a call to the ExportCertiﬁcate API.

{

"Records": [{

"version": "0",

"id": "12345678-1234-1234-1234-123456789012"

"detail-type": "AWS API Call via CloudTrail",

"source": "aws.acm",

"account": "123456789012",

"time": "2018-05-24T15:28:11Z",

"region": "us-east-1",

"resources": [],

"detail": {

"eventVersion": "1.04",

"userIdentity": {

"type": "Root",

"principalId": "123456789012",

"arn": "arn:aws:iam::123456789012:user/Alice",

Version 1.0

AWS Certiﬁcate Manager User Guide

Example: ACM Log File Entries

"accountId": "123456789012",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice"

"eventTime": "2018-05-24T15:28:11Z",

"eventSource": "acm.amazonaws.com",

"eventName": "ExportCertificate",

"awsRegion": "us-east-1",

"sourceIPAddress": "192.0.2.0",

"userAgent": "aws-cli/1.15.4 Python/2.7.9 Windows/8 botocore/1.10.4",

"requestParameters": {

"passphrase": {

"hb": [42,

42,

42],

"offset": 0,

"isReadOnly": false,

"bigEndian": true,

"nativeByteOrder": false,

"mark": -1,

"position": 0,

"limit": 10,

"capacity": 10,

"address": 0

"certificateArn": "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

"responseElements": {

"certificateChain": "-----BEGIN CERTIFICATE----- base64 certificate -----END

CERTIFICATE-----\n"

-----BEGIN CERTIFICATE----- base64 certificate -----END CERTIFICATE-----\n",

"privateKey": "**********",

"certificate": "-----BEGIN CERTIFICATE----- base64 certificate -----END

CERTIFICATE-----\n"

"requestID": "11802113-5f67-11e8-bc6b-d93a70b3bedf",

"eventID": "5b66558e-27c5-43b0-9b3a-10f28c527453",

"eventType": "AwsApiCall"

}

}]

Import a Certiﬁcate

The following example shows the CloudTrail log entry that records a call to the ACM ImportCertiﬁcate

API operation.

{

"eventVersion": "1.04",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::111122223333:user/Alice",

"accountId": "111122223333",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice"

Version 1.0

AWS Certiﬁcate Manager User Guide

Example: ACM Log File Entries

"eventTime": "2016-10-04T16:01:30Z",

"eventSource": "acm.amazonaws.com",

"eventName": "ImportCertificate",

"awsRegion": "ap-southeast-2",

"sourceIPAddress": "54.240.193.129",

"userAgent": "Coral/Netty",

"requestParameters": {

"privateKey": {

"hb": [

byte,

...

"offset": 0,

"isReadOnly": false,

"bigEndian": true,

"nativeByteOrder": false,

"mark": -1,

"position": 0,

"limit": 1674,

"capacity": 1674,

"address": 0

"certificateChain": {

"hb": [

byte,

...

"offset": 0,

"isReadOnly": false,

"bigEndian": true,

"nativeByteOrder": false,

"mark": -1,

"position": 0,

"limit": 2105,

"capacity": 2105,

"address": 0

"certificate": {

"hb": [

byte,

...

"offset": 0,

"isReadOnly": false,

"bigEndian": true,

"nativeByteOrder": false,

"mark": -1,

"position": 0,

"limit": 2503,

"capacity": 2503,

"address": 0

}

"responseElements": {

"certificateArn": "arn:aws:acm:ap-southeast-2:111122223333:certificate/6ae06649-

ea82-4b58-90ee-dc05870d7e99"

"requestID": "cf1f3db7-8a4b-11e6-88c8-196af94bb7be",

"eventID": "fb443118-bfaa-4c90-95c1-beef21e07f8e",

"eventType": "AwsApiCall",

Version 1.0

AWS Certiﬁcate Manager User Guide

Example: ACM Log File Entries

"recipientAccountId": "111122223333"

}

Listing Certiﬁcates

The following CloudTrail example shows the results of a call to the ListCertiﬁcates API.

Note

The CloudTrail log for the ListCertificates action does not display your ACM certiﬁcates.

You can view the certiﬁcate list by using the console, the AWS Command Line Interface, or the

ListCertiﬁcates API.

{

"Records": [{

"eventVersion": "1.04",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::123456789012:user/Alice",

"accountId": "123456789012",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice"

"eventTime": "2016-03-18T00:00:43Z",

"eventSource": "acm.amazonaws.com",

"eventName": "ListCertificates",

"awsRegion": "us-east-1",

"sourceIPAddress": "192.0.2.0",

"userAgent": "aws-cli/1.9.15",

"requestParameters": {

"maxItems": 1000,

"certificateStatuses": ["ISSUED"]

"responseElements": null,

"requestID": "74c99844-ec9c-11e5-ac34-d1e4dfe1a11b",

"eventID": "cdfe1051-88aa-4aa3-8c33-a325270bff21",

"eventType": "AwsApiCall",

"recipientAccountId": "123456789012"

}]

}

Listing Tags for a Certiﬁcate

The following CloudTrail example shows the results of a call to the ListTagsForCertiﬁcate API.

Note

The CloudTrail log for the ListTagsForCertificate action does not display your tags.

You can view the tag list by using the console, the AWS Command Line Interface, or the

ListTagsForCertiﬁcate API.

{

Records: [{

eventVersion: "1.04",

userIdentity: {

type: "IAMUser",

principalId: "AIDACKCEVSQ6C2EXAMPLE",

arn: "arn:aws:iam::123456789012:user/Alice",

accountId: "123456789012",

accessKeyId: "AKIAIOSFODNN7EXAMPLE",

userName: "Alice"

Version 1.0

AWS Certiﬁcate Manager User Guide

Example: ACM Log File Entries

eventTime: "2016-04-06T13:30:11Z",

eventSource: "acm.amazonaws.com",

eventName: "ListTagsForCertificate",

awsRegion: "us-east-1",

sourceIPAddress: "192.0.2.0",

userAgent: "aws-cli/1.10.16",

requestParameters: {

certificateArn: "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

responseElements: null,

requestID: "b010767f-fbfb-11e5-b596-79e9a97a2544",

eventID: "32181be6-a4a0-48d3-8014-c0d972b5163b",

eventType: "AwsApiCall",

recipientAccountId: "123456789012"

}]

}

Removing Tags from a Certiﬁcate

The following CloudTrail example shows the results of a call to the RemoveTagsFromCertiﬁcate API.

{

Records: [{

eventVersion: "1.04",

userIdentity: {

type: "IAMUser",

principalId: "AIDACKCEVSQ6C2EXAMPLE",

arn: "arn:aws:iam::123456789012:user/Alice",

accountId: "123456789012",

accessKeyId: "AKIAIOSFODNN7EXAMPLE",

userName: "Alice"

eventTime: "2016-04-06T14:10:01Z",

eventSource: "acm.amazonaws.com",

eventName: "RemoveTagsFromCertificate",

awsRegion: "us-east-1",

sourceIPAddress: "192.0.2.0",

userAgent: "aws-cli/1.10.16",

requestParameters: {

certificateArn: "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",

tags: [{

value: "Bob",

key: "Admin"

}]

responseElements: null,

requestID: "40ded461-fc01-11e5-a747-85804766d6c9",

eventID: "0cfa142e-ef74-4b21-9515-47197780c424",

eventType: "AwsApiCall",

recipientAccountId: "123456789012"

}]

}

Requesting a Certiﬁcate

The following CloudTrail example shows the results of a call to the RequestCertiﬁcate API.

Version 1.0

AWS Certiﬁcate Manager User Guide

Example: ACM Log File Entries

{

"Records": [{

"eventVersion": "1.04",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::123456789012:user/Alice",

"accountId": "123456789012",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice"

"eventTime": "2016-03-18T00:00:49Z",

"eventSource": "acm.amazonaws.com",

"eventName": "RequestCertificate",

"awsRegion": "us-east-1",

"sourceIPAddress": "192.0.2.0",

"userAgent": "aws-cli/1.9.15",

"requestParameters": {

"subjectAlternativeNames": ["example.net"],

"domainName": "example.com",

"domainValidationOptions": [{

"domainName": "example.com",

"validationDomain": "example.com"

{

"domainName": "example.net",

"validationDomain": "example.net"

}],

"idempotencyToken": "8186023d89681c3ad5"

"responseElements": {

"certificateArn": "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

"requestID": "77dacef3-ec9c-11e5-ac34-d1e4dfe1a11b",

"eventID": "a4954cdb-8f38-44c7-8927-a38ad4be3ac8",

"eventType": "AwsApiCall",

"recipientAccountId": "123456789012"

}]

}

Resending Validation Email

The following CloudTrail example shows the results of a call to the ResendValidationEmail API.

{

"Records": [{

"eventVersion": "1.04",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::123456789012:user/Alice",

"accountId": "123456789012",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice"

"eventTime": "2016-03-17T23:58:25Z",

"eventSource": "acm.amazonaws.com",

"eventName": "ResendValidationEmail",

"awsRegion": "us-east-1",

"sourceIPAddress": "192.0.2.0",

"userAgent": "aws-cli/1.9.15",

"requestParameters": {

Version 1.0

AWS Certiﬁcate Manager User Guide

Logging ACM-Related API Calls

"domain": "example.com",

"certificateArn": "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",

"validationDomain": "example.com"

"responseElements": null,

"requestID": "23760b88-ec9c-11e5-b6f4-cb861a6f0a28",

"eventID": "41c11b06-ca91-4c1c-8c61-af349ea8bab8",

"eventType": "AwsApiCall",

"recipientAccountId": "123456789012"

}]

}

Retrieving a Certiﬁcate

The following CloudTrail example shows the results of a call to the GetCertiﬁcate API.

{

"Records": [{

"eventVersion": "1.04",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::123456789012:user/Alice",

"accountId": "123456789012",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice"

"eventTime": "2016-03-18T00:00:41Z",

"eventSource": "acm.amazonaws.com",

"eventName": "GetCertificate",

"awsRegion": "us-east-1",

"sourceIPAddress": "192.0.2.0",

"userAgent": "aws-cli/1.9.15",

"requestParameters": {

"certificateArn": "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

"responseElements": {

"certificateChain":

"-----BEGIN CERTIFICATE-----

Base64-encoded certificate chain

-----END CERTIFICATE-----",

"certificate":

"-----BEGIN CERTIFICATE-----

Base64-encoded certificate

-----END CERTIFICATE-----"

"requestID": "744dd891-ec9c-11e5-ac34-d1e4dfe1a11b",

"eventID": "7aa4f909-00dd-478a-9a00-b2709bcad2bb",

"eventType": "AwsApiCall",

"recipientAccountId": "123456789012"

}]

}

Logging ACM-Related API Calls

You can use CloudTrail to audit API calls made by services that are integrated with ACM. For more

information about using CloudTrail, see the AWS CloudTrail User Guide. The following examples show

Version 1.0

AWS Certiﬁcate Manager User Guide

Creating a Load Balancer

the types of logs that can be generated depending on the AWS resources on which you provision the

ACM Certiﬁcate.

Topics

•Creating a Load Balancer (p. 70)

•Registering an Amazon EC2 Instance with a Load Balancer (p. 70)

•Encrypting a Private Key (p. 71)

•Decrypting a Private Key (p. 72)

Creating a Load Balancer

The following example shows a call to the CreateLoadBalancer function by an IAM user named

Alice. The name of the load balancer is TestLinuxDefault, and the listener is created using an ACM

Certiﬁcate.

{

"eventVersion": "1.03",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::111122223333:user/Alice",

"accountId": "111122223333",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice"

"eventTime": "2016-01-01T21:10:36Z",

"eventSource": "elasticloadbalancing.amazonaws.com",

"eventName": "CreateLoadBalancer",

"awsRegion": "us-east-1",

"sourceIPAddress": "192.0.2.0/24",

"userAgent": "aws-cli/1.9.15",

"requestParameters": {

"availabilityZones": ["us-east-1b"],

"loadBalancerName": "LinuxTest",

"listeners": [{

"sSLCertificateId": "arn:aws:acm:us-

east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012",

"protocol": "HTTPS",

"loadBalancerPort": 443,

"instanceProtocol": "HTTP",

"instancePort": 80

}]

"responseElements": {

"dNSName": "LinuxTest-1234567890.us-east-1.elb.amazonaws.com"

"requestID": "19669c3b-b0cc-11e5-85b2-57397210a2e5",

"eventID": "5d6c00c9-a9b8-46ef-9f3b-4589f5be63f7",

"eventType": "AwsApiCall",

"recipientAccountId": "111122223333"

}

Registering an Amazon EC2 Instance with a Load

Balancer

When you provision your website or application on an Amazon Elastic Compute Cloud (Amazon EC2)

instance, the load balancer must be made aware of that instance. This can be accomplished through the

Version 1.0

AWS Certiﬁcate Manager User Guide

Encrypting a Private Key

Elastic Load Balancing console or the AWS Command Line Interface. The following example shows a call

to RegisterInstancesWithLoadBalancer for a load balancer named LinuxTest on AWS account

123456789012.

{

"eventVersion": "1.03",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::123456789012:user/ALice",

"accountId": "123456789012",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "Alice",

"sessionContext": {

"attributes": {

"mfaAuthenticated": "false",

"creationDate": "2016-01-01T19:35:52Z"

}

"invokedBy": "signin.amazonaws.com"

"eventTime": "2016-01-01T21:11:45Z",

"eventSource": "elasticloadbalancing.amazonaws.com",

"eventName": "RegisterInstancesWithLoadBalancer",

"awsRegion": "us-east-1",

"sourceIPAddress": "192.0.2.0/24",

"userAgent": "signin.amazonaws.com",

"requestParameters": {

"loadBalancerName": "LinuxTest",

"instances": [{

"instanceId": "i-c67f4e78"

}]

"responseElements": {

"instances": [{

"instanceId": "i-c67f4e78"

}]

"requestID": "438b07dc-b0cc-11e5-8afb-cda7ba020551",

"eventID": "9f284ca6-cbe5-42a1-8251-4f0e6b5739d6",

"eventType": "AwsApiCall",

"recipientAccountId": "123456789012"

}

Encrypting a Private Key

The following example shows an Encrypt call that encrypts the private key associated with an ACM

Certiﬁcate. Encryption is performed within AWS.

{

"Records": [

{

"eventVersion": "1.03",

"userIdentity": {

"type": "IAMUser",

"principalId": "AIDACKCEVSQ6C2EXAMPLE",

"arn": "arn:aws:iam::111122223333:user/acm",

"accountId": "111122223333",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"userName": "acm"

Version 1.0

AWS Certiﬁcate Manager User Guide

Decrypting a Private Key

"eventTime": "2016-01-05T18:36:29Z",

"eventSource": "kms.amazonaws.com",

"eventName": "Encrypt",

"awsRegion": "us-east-1",

"sourceIPAddress": "AWS Internal",

"userAgent": "aws-internal",

"requestParameters": {

"keyId": "arn:aws:kms:us-east-1:123456789012:alias/aws/acm",

"encryptionContext": {

"aws:acm:arn": "arn:aws:acm:us-

east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

}

"responseElements": null,

"requestID": "3c417351-b3db-11e5-9a24-7d9457362fcc",

"eventID": "1794fe70-796a-45f5-811b-6584948f24ac",

"readOnly": true,

"resources": [{

"ARN": "arn:aws:kms:us-

east-1:123456789012:key/87654321-4321-4321-4321-210987654321",

"accountId": "123456789012"

}],

"eventType": "AwsServiceEvent",

"recipientAccountId": "123456789012"

}]

}

Decrypting a Private Key

The following example shows a Decrypt call that decrypts the private key associated with an ACM

Certiﬁcate. Decryption is performed within AWS, and the decrypted key never leaves AWS.

{

"eventVersion": "1.03",

"userIdentity": {

"type": "AssumedRole",

"principalId": "AIDACKCEVSQ6C2EXAMPLE:1aba0dc8b3a728d6998c234a99178eff",

"arn": "arn:aws:sts::111122223333:assumed-role/

DecryptACMCertificate/1aba0dc8b3a728d6998c234a99178eff",

"accountId": "111122223333",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

"sessionContext": {

"attributes": {

"mfaAuthenticated": "false",

"creationDate": "2016-01-01T21:13:28Z"

"sessionIssuer": {

"type": "Role",

"principalId": "APKAEIBAERJR2EXAMPLE",

"arn": "arn:aws:iam::111122223333:role/DecryptACMCertificate",

"accountId": "111122223333",

"userName": "DecryptACMCertificate"

}

"eventTime": "2016-01-01T21:13:28Z",

"eventSource": "kms.amazonaws.com",

"eventName": "Decrypt",

"awsRegion": "us-east-1",

"sourceIPAddress": "AWS Internal",

"userAgent": "aws-internal/3",

Version 1.0

AWS Certiﬁcate Manager User Guide

Decrypting a Private Key

"requestParameters": {

"encryptionContext": {

"aws:elasticloadbalancing:arn": "arn:aws:elasticloadbalancing:us-

east-1:123456789012:loadbalancer/LinuxTest",

"aws:acm:arn": "arn:aws:acm:us-

east-1:123456789012:certificate/87654321-4321-4321-4321-210987654321"

}

"responseElements": null,

"requestID": "809a70ff-b0cc-11e5-8f42-c7fdf1cb6e6a",

"eventID": "7f89f7a7-baff-4802-8a88-851488607fb9",

"readOnly": true,

"resources": [{

"ARN": "arn:aws:kms:us-

east-1:123456789012:key/12345678-1234-1234-1234-123456789012",

"accountId": "123456789012"

}],

"eventType": "AwsServiceEvent",

"recipientAccountId": "123456789012"

}

Version 1.0

AWS Certiﬁcate Manager User Guide

AddTagsToCertiﬁcate

Using the ACM API

You can use the AWS Certiﬁcate Manager API to interact with the service programmatically by sending

HTTP requests. For more information, see the AWS Certiﬁcate Manager API Reference.

In addition to the web API (or HTTP API), you can use the AWS SDKs and command line tools to interact

with ACM and other services. For more information, see Tools for Amazon Web Services.

The following topics show you how to use one of the AWS SDKs, the AWS SDK for Java, to perform some

of the available operations in the AWS Certiﬁcate Manager API.

Topics

•Adding Tags to a Certiﬁcate (p. 74)

•Deleting a Certiﬁcate (p. 76)

•Describing a Certiﬁcate (p. 77)

•Exporting a Certiﬁcate (p. 79)

•Retrieve a Certiﬁcate and Certiﬁcate Chain (p. 81)

•Importing a Certiﬁcate (p. 83)

•Listing Certiﬁcates (p. 85)

•Listing Certiﬁcate Tags (p. 86)

•Removing Tags to a Certiﬁcate (p. 88)

•Requesting a Certiﬁcate (p. 89)

•Resending Validation Email (p. 91)

Adding Tags to a Certiﬁcate

The following example shows how to use the AddTagsToCertiﬁcate function.

package com.amazonaws.samples;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.AddTagsToCertificateRequest;

import com.amazonaws.services.certificatemanager.model.AddTagsToCertificateResult;

import com.amazonaws.services.certificatemanager.model.Tag;

import com.amazonaws.services.certificatemanager.model.InvalidArnException;

import com.amazonaws.services.certificatemanager.model.InvalidTagException;

import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

import com.amazonaws.services.certificatemanager.model.TooManyTagsException;

import com.amazonaws.AmazonClientException;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.regions.Regions;

import java.util.ArrayList;

/**

Version 1.0

AWS Certiﬁcate Manager User Guide

AddTagsToCertiﬁcate

* This sample demonstrates how to use the AddTagsToCertificate function in the AWS

Certificate

* Manager service.

* Input parameters:

* CertificateArn - The ARN of the certificate to which to add one or more tags.

* Tags - An array of Tag objects to add.

public class AWSCertificateManagerExample {

public static void main(String[] args) throws Exception {

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load your credentials from file.", ex);

}

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Create tags.

Tag tag1 = new Tag();

tag1.setKey("Short_Name");

tag1.setValue("My_Cert");

Tag tag2 = new Tag()

.withKey("Purpose")

.withValue("Test");

// Add the tags to a collection.

ArrayList<Tag> tags = new ArrayList<Tag>();

tags.add(tag1);

tags.add(tag2);

// Create a request object and specify the ARN of the certificate.

AddTagsToCertificateRequest req = new AddTagsToCertificateRequest();

req.setCertificateArn("arn:aws:acm:region:account:certificate/

12345678-1234-1234-1234-123456789012");

req.setTags(tags);

// Add tags to the specified certificate.

AddTagsToCertificateResult result = null;

try {

result = client.addTagsToCertificate(req);

}

catch(InvalidArnException ex)

{

throw ex;

}

catch(InvalidTagException ex)

{

throw ex;

}

catch(ResourceNotFoundException ex)

{

Version 1.0

AWS Certiﬁcate Manager User Guide

DeleteCertiﬁcate

throw ex;

}

catch(TooManyTagsException ex)

{

throw ex;

}

// Display the result.

System.out.println(result);

}

Deleting a Certiﬁcate

The following example shows how to use the DeleteCertiﬁcate function. If succesful, the function returns

an empty set {}.

package com.amazonaws.samples;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.DeleteCertificateRequest;

import com.amazonaws.services.certificatemanager.model.DeleteCertificateResult;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.regions.Regions;

import com.amazonaws.services.certificatemanager.model.InvalidArnException;

import com.amazonaws.services.certificatemanager.model.ResourceInUseException;

import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

import com.amazonaws.AmazonClientException;

/**

* This sample demonstrates how to use the DeleteCertificate function in the AWS

Certificate

* Manager service.

* Input parameter:

* CertificateArn - The ARN of the certificate to delete.

public class AWSCertificateManagerExample {

public static void main(String[] args) throws Exception{

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load the credentials from file.", ex);

}

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

Version 1.0

AWS Certiﬁcate Manager User Guide

DescribeCertiﬁcate

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Create a request object and specify the ARN of the certificate to delete.

DeleteCertificateRequest req = new DeleteCertificateRequest();

req.setCertificateArn("arn:aws:acm:region:account:certificate/

12345678-1234-1234-1234-123456789012");

// Delete the specified certificate.

DeleteCertificateResult result = null;

try {

result = client.deleteCertificate(req);

}

catch (InvalidArnException ex)

{

throw ex;

}

catch (ResourceInUseException ex)

{

throw ex;

}

catch (ResourceNotFoundException ex)

{

throw ex;

}

// Display the result.

System.out.println(result);

}

Describing a Certiﬁcate

The following example shows how to use the DescribeCertiﬁcate function.

package com.amazonaws.samples;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.DescribeCertificateRequest;

import com.amazonaws.services.certificatemanager.model.DescribeCertificateResult;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.regions.Regions;

import com.amazonaws.services.certificatemanager.model.InvalidArnException;

import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

import com.amazonaws.AmazonClientException;

/**

* This sample demonstrates how to use the DescribeCertificate function in the AWS

Certificate

* Manager service.

* Input parameter:

* CertificateArn - The ARN of the certificate to be described.

Version 1.0

AWS Certiﬁcate Manager User Guide

DescribeCertiﬁcate

* Output parameter:

* Certificate information

public class AWSCertificateManagerExample {

public static void main(String[] args) throws Exception{

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load the credentials from file.", ex);

}

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Create a request object and set the ARN of the certificate to be described.

DescribeCertificateRequest req = new DescribeCertificateRequest();

req.setCertificateArn("arn:aws:acm:region:account:certificate/

12345678-1234-1234-1234-123456789012");

DescribeCertificateResult result = null;

try{

result = client.describeCertificate(req);

}

catch (InvalidArnException ex)

{

throw ex;

}

catch (ResourceNotFoundException ex)

{

throw ex;

}

// Display the certificate information.

System.out.println(result);

}

If successful, the preceding example displays information similar to the following.

{

Certificate: {

CertificateArn:

arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012,

DomainName: www.example.com,

SubjectAlternativeNames: [www.example.com],

DomainValidationOptions: [{

DomainName: www.example.com,

}],

Serial: 10: 0a,

Subject: C=US,

Version 1.0

AWS Certiﬁcate Manager User Guide

ExportCertiﬁcate

ST=WA,

L=Seattle,

O=ExampleCompany,

OU=sales,

CN=www.example.com,

Issuer: ExampleCompany,

ImportedAt: FriOct0608: 17: 39PDT2017,

Status: ISSUED,

NotBefore: ThuOct0510: 14: 32PDT2017,

NotAfter: SunOct0310: 14: 32PDT2027,

KeyAlgorithm: RSA-2048,

SignatureAlgorithm: SHA256WITHRSA,

InUseBy: [],

Type: IMPORTED,

}

Exporting a Certiﬁcate

The following example shows how to use the ExportCertiﬁcate function. The function exports a private

certiﬁcate issued by a private certiﬁcate authority (CA) in the PKCS #8 format. It also exports the

certiﬁcate chain and private key. In the example, the passphrase for the key is stored in a local ﬁle.

package com.amazonaws.samples;

import com.amazonaws.AmazonClientException;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.regions.Regions;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.ExportCertificateRequest;

import com.amazonaws.services.certificatemanager.model.ExportCertificateResult;

import com.amazonaws.services.certificatemanager.model.InvalidArnException;

import com.amazonaws.services.certificatemanager.model.InvalidTagException;

import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

import java.io.FileNotFoundException;

import java.io.IOException;

import java.io.RandomAccessFile;

import java.nio.ByteBuffer;

import java.nio.channels.FileChannel;

public class ExportCertificate {

public static void main(String[] args) throws Exception {

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

// or the ~/.aws/credentials in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load your credentials from file.", ex);

}

Version 1.0

AWS Certiﬁcate Manager User Guide

ExportCertiﬁcate

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.your_region)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Initialize a file descriptor for the passphrase file.

RandomAccessFile file_passphrase = null;

// Initialize a buffer for the passphrase.

ByteBuffer buf_passphrase = null;

// Create a file stream for reading the private key passphrase.

try {

file_passphrase = new RandomAccessFile("C:\\Temp\\password.txt", "r");

}

catch (IllegalArgumentException ex) {

throw ex;

}

catch (SecurityException ex) {

throw ex;

}

catch (FileNotFoundException ex) {

throw ex;

}

// Create a channel to map the file.

FileChannel channel_passphrase = file_passphrase.getChannel();

// Map the file to the buffer.

try {

buf_passphrase = channel_passphrase.map(FileChannel.MapMode.READ_ONLY, 0,

channel_passphrase.size());

// Clean up after the file is mapped.

channel_passphrase.close();

file_passphrase.close();

}

catch (IOException ex)

{

throw ex;

}

// Create a request object.

ExportCertificateRequest req = new ExportCertificateRequest();

// Set the certificate ARN.

req.withCertificateArn("arn:aws:acm:region:account:"

+"certificate/M12345678-1234-1234-1234-123456789012");

// Set the passphrase.

req.withPassphrase(buf_passphrase);

// Export the certificate.

ExportCertificateResult result = null;

try {

result = client.exportCertificate(req);

}

catch(InvalidArnException ex)

{

throw ex;

}

catch (InvalidTagException ex)

{

Version 1.0

AWS Certiﬁcate Manager User Guide

GetCertiﬁcate

throw ex;

}

catch (ResourceNotFoundException ex)

{

throw ex;

}

// Clear the buffer.

buf_passphrase.clear();

// Display the certificate and certificate chain.

String certificate = result.getCertificate();

System.out.println(certificate);

String certificate_chain = result.getCertificateChain();

System.out.println(certificate_chain);

// This example retrieves but does not display the private key.

String private_key = result.getPrivateKey();

}

Retrieve a Certiﬁcate and Certiﬁcate Chain

The following example shows how to use the GetCertiﬁcate function.

package com.amazonaws.samples;

import com.amazonaws.regions.Regions;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.GetCertificateRequest;

import com.amazonaws.services.certificatemanager.model.GetCertificateResult;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.services.certificatemanager.model.InvalidArnException;

import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

import com.amazonaws.services.certificatemanager.model.RequestInProgressException;

import com.amazonaws.AmazonClientException;

/**

* This sample demonstrates how to use the GetCertificate function in the AWS Certificate

* Manager service.

* Input parameter:

* CertificateArn - The ARN of the certificate to retrieve.

* Output parameters:

* Certificate - A base64-encoded certificate in PEM format.

* CertificateChain - The base64-encoded certificate chain in PEM format.

public class AWSCertificateManagerExample {

public static void main(String[] args) throws Exception{

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

Version 1.0

AWS Certiﬁcate Manager User Guide

GetCertiﬁcate

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load the credentials from the credential

profiles file.", ex);

}

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Create a request object and set the ARN of the certificate to be described.

GetCertificateRequest req = new GetCertificateRequest();

req.setCertificateArn("arn:aws:acm:region:account:certificate/

12345678-1234-1234-1234-123456789012");

// Retrieve the certificate and certificate chain.

// If you recently requested the certificate, loop until it has been created.

GetCertificateResult result = null;

long totalTimeout = 120000l;

long timeSlept = 0l;

long sleepInterval = 10000l;

while (result == null && timeSlept < totalTimeout) {

try {

result = client.getCertificate(req);

}

catch (RequestInProgressException ex) {

Thread.sleep(sleepInterval);

}

catch (ResourceNotFoundException ex)

{

throw ex;

}

catch (InvalidArnException ex)

{

throw ex;

}

timeSlept += sleepInterval;

}

// Display the certificate information.

System.out.println(result);

}

The preceding example creates output similar to the following.

{Certificate: -----BEGIN CERTIFICATE-----

base64-encoded certificate

-----END CERTIFICATE-----,

CertificateChain: -----BEGIN CERTIFICATE-----

base64-encoded certificate chain

-----END CERTIFICATE-----

}

Version 1.0

AWS Certiﬁcate Manager User Guide

ImportCertiﬁcate

Importing a Certiﬁcate

The following example shows how to use the ImportCertiﬁcate function.

package com.amazonaws.samples;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.regions.Regions;

import com.amazonaws.services.certificatemanager.model.ImportCertificateRequest;

import com.amazonaws.services.certificatemanager.model.ImportCertificateResult;

import com.amazonaws.services.certificatemanager.model.LimitExceededException;

import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

import com.amazonaws.AmazonClientException;

import java.io.FileNotFoundException;

import java.io.IOException;

import java.io.RandomAccessFile;

import java.nio.ByteBuffer;

import java.nio.channels.FileChannel;

/**

* This sample demonstrates how to use the ImportCertificate function in the AWS

Certificate Manager

* service.

* Input parameters:

* Certificate - PEM file that contains the certificate to import.

* CertificateArn - Use to reimport a certificate (not included in this example).

* CertificateChain - The certificate chain, not including the end-entity certificate.

* PrivateKey - The private key that matches the public key in the certificate.

* Output parameter:

* CertificcateArn - The ARN of the imported certificate.

public class AWSCertificateManagerSample {

public static void main(String[] args) throws Exception {

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException(

"Cannot load the credentials from file.", ex);

}

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Initialize the file descriptors.

Version 1.0

AWS Certiﬁcate Manager User Guide

ImportCertiﬁcate

RandomAccessFile file_certificate = null;

RandomAccessFile file_chain = null;

RandomAccessFile file_key = null;

// Initialize the buffers.

ByteBuffer buf_certificate = null;

ByteBuffer buf_chain = null;

ByteBuffer buf_key = null;

// Create the file streams for reading.

try {

file_certificate = new RandomAccessFile("C:\\Temp\\certificate.pem", "r");

file_chain = new RandomAccessFile("C:\\Temp\\chain.pem", "r");

file_key = new RandomAccessFile("C:\\Temp\\private_key.pem", "r");

}

catch (IllegalArgumentException ex) {

throw ex;

}

catch (SecurityException ex) {

throw ex;

}

catch (FileNotFoundException ex) {

throw ex;

}

// Create channels for mapping the files.

FileChannel channel_certificate = file_certificate.getChannel();

FileChannel channel_chain = file_chain.getChannel();

FileChannel channel_key = file_key.getChannel();

// Map the files to buffers.

try {

buf_certificate = channel_certificate.map(FileChannel.MapMode.READ_ONLY, 0,

channel_certificate.size());

buf_chain = channel_chain.map(FileChannel.MapMode.READ_ONLY, 0,

channel_chain.size());

buf_key = channel_key.map(FileChannel.MapMode.READ_ONLY, 0, channel_key.size());

// The files have been mapped, so clean up.

channel_certificate.close();

channel_chain.close();

channel_key.close();

file_certificate.close();

file_chain.close();

file_key.close();

}

catch (IOException ex)

{

throw ex;

}

// Create a request object and set the parameters.

ImportCertificateRequest req = new ImportCertificateRequest();

req.setCertificate(buf_certificate);

req.setCertificateChain(buf_chain);

req.setPrivateKey(buf_key);

// Import the certificate.

ImportCertificateResult result = null;

try {

result = client.importCertificate(req);

}

catch(LimitExceededException ex)

{

throw ex;

}

Version 1.0

AWS Certiﬁcate Manager User Guide

ListCertiﬁcates

catch (ResourceNotFoundException ex)

{

throw ex;

}

// Clear the buffers.

buf_certificate.clear();

buf_chain.clear();

buf_key.clear();

// Retrieve and display the certificate ARN.

String arn = result.getCertificateArn();

System.out.println(arn);

}

Listing Certiﬁcates

The following example shows how to use the ListCertiﬁcates function.

package com.amazonaws.samples;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.ListCertificatesRequest;

import com.amazonaws.services.certificatemanager.model.ListCertificatesResult;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.regions.Regions;

import com.amazonaws.AmazonClientException;

import java.util.Arrays;

import java.util.List;

/**

* This sample demonstrates how to use the ListCertificates function in the AWS Certificate

* Manager service.

* Input parameters:

* CertificateStatuses - An array of strings that contains the statuses to use for

filtering.

* MaxItems - The maximum number of certificates to return in the response.

* NextToken - Use when paginating results.

* Output parameters:

* CertificateSummaryList - A list of certificates.

* NextToken - Use to show additional results when paginating a truncated list.

public class AWSCertificateManagerExample {

public static void main(String[] args) throws Exception{

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

Version 1.0

AWS Certiﬁcate Manager User Guide

ListTagsForCertiﬁcate

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load the credentials from file.", ex);

}

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Create a request object and set the parameters.

ListCertificatesRequest req = new ListCertificatesRequest();

List<String> Statuses = Arrays.asList("ISSUED", "EXPIRED", "PENDING_VALIDATION",

"FAILED");

req.setCertificateStatuses(Statuses);

req.setMaxItems(10);

// Retrieve the list of certificates.

ListCertificatesResult result = null;

try {

result = client.listCertificates(req);

}

catch (Exception ex)

{

throw ex;

}

// Display the certificate list.

System.out.println(result);

}

The preceding sample creates output similar to the following.

{

CertificateSummaryList: [{

CertificateArn:

arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012,

DomainName: www.example1.com

{

CertificateArn:

arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012,

DomainName: www.example2.com

{

CertificateArn:

arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012,

DomainName: www.example3.com

}]

}

Listing Certiﬁcate Tags

The following example shows how to use the ListTagsForCertiﬁcate function.

Version 1.0

AWS Certiﬁcate Manager User Guide

ListTagsForCertiﬁcate

package com.amazonaws.samples;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.ListTagsForCertificateRequest;

import com.amazonaws.services.certificatemanager.model.ListTagsForCertificateResult;

import com.amazonaws.services.certificatemanager.model.InvalidArnException;

import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

import com.amazonaws.AmazonClientException;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.regions.Regions;

/**

* This sample demonstrates how to use the ListTagsForCertificate function in the AWS

Certificate

* Manager service.

* Input parameter:

* CertificateArn - The ARN of the certificate whose tags you want to list.

public class AWSCertificateManagerExample {

public static void main(String[] args) throws Exception{

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load your credentials from file.", ex);

}

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Create a request object and specify the ARN of the certificate.

ListTagsForCertificateRequest req = new ListTagsForCertificateRequest();

req.setCertificateArn("arn:aws:acm:region:account:certificate/

12345678-1234-1234-1234-123456789012");

// Create a result object.

ListTagsForCertificateResult result = null;

try {

result = client.listTagsForCertificate(req);

}

catch(InvalidArnException ex) {

throw ex;

}

catch(ResourceNotFoundException ex) {

throw ex;

}

// Display the result.

Version 1.0

AWS Certiﬁcate Manager User Guide

RemoveTagsFromCertiﬁcate

System.out.println(result);

}

The preceding sample creates output similar to the following.

{Tags: [{Key: Purpose,Value: Test}, {Key: Short_Name,Value: My_Cert}]}

Removing Tags to a Certiﬁcate

The following example shows how to use the RemoveTagsFromCertiﬁcate function.

package com.amazonaws.samples;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.RemoveTagsFromCertificateRequest;

import com.amazonaws.services.certificatemanager.model.RemoveTagsFromCertificateResult;

import com.amazonaws.services.certificatemanager.model.Tag;

import com.amazonaws.services.certificatemanager.model.InvalidArnException;

import com.amazonaws.services.certificatemanager.model.InvalidTagException;

import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

import com.amazonaws.AmazonClientException;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.regions.Regions;

import java.util.ArrayList;

/**

* This sample demonstrates how to use the RemoveTagsFromCertificate function in the AWS

Certificate

* Manager service.

* Input parameters:

* CertificateArn - The ARN of the certificate from which you want to remove one or more

tags.

* Tags - A collection of key-value pairs that specify which tags to remove.

public class AWSCertificateManagerExample {

public static void main(String[] args) throws Exception {

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load your credentials from file.", ex);

}

Version 1.0

AWS Certiﬁcate Manager User Guide

RequestCertiﬁcate

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Specify the tags to remove.

Tag tag1 = new Tag();

tag1.setKey("Short_Name");

tag1.setValue("My_Cert");

Tag tag2 = new Tag()

.withKey("Purpose")

.withValue("Test");

// Add the tags to a collection.

ArrayList<Tag> tags = new ArrayList<Tag>();

tags.add(tag1);

tags.add(tag2);

// Create a request object.

RemoveTagsFromCertificateRequest req = new RemoveTagsFromCertificateRequest();

req.setCertificateArn("arn:aws:acm:region:account:certificate/

12345678-1234-1234-1234-123456789012");

req.setTags(tags);

// Create a result object.

RemoveTagsFromCertificateResult result = null;

try {

result = client.removeTagsFromCertificate(req);

}

catch(InvalidArnException ex)

{

throw ex;

}

catch(InvalidTagException ex)

{

throw ex;

}

catch(ResourceNotFoundException ex)

{

throw ex;

}

// Display the result.

System.out.println(result);

}

Requesting a Certiﬁcate

The following example shows how to use the RequestCertiﬁcate function.

package com.amazonaws.samples;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.RequestCertificateRequest;

import com.amazonaws.services.certificatemanager.model.RequestCertificateResult;

Version 1.0

AWS Certiﬁcate Manager User Guide

RequestCertiﬁcate

import

com.amazonaws.services.certificatemanager.model.InvalidDomainValidationOptionsException;

import com.amazonaws.services.certificatemanager.model.LimitExceededException;

import com.amazonaws.AmazonClientException;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.regions.Regions;

import java.util.ArrayList;

/**

* This sample demonstrates how to use the RequestCertificate function in the AWS

Certificate

* Manager service.

* Input parameters:

* DomainName - FQDN of your site.

* DomainValidationOptions - Domain name for email validation.

* IdempotencyToken - Distinguishes between calls to RequestCertificate.

* SubjectAlternativeNames - Additional FQDNs for the subject alternative names

extension.

* Output parameter:

* Certificate ARN - The Amazon Resource Name (ARN) of the certificate you requested.

public class AWSCertificateManagerExample {

public static void main(String[] args) {

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load your credentials from file.", ex);

}

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Specify a SAN.

ArrayList<String> san = new ArrayList<String>();

san.add("www.example.com");

// Create a request object and set the input parameters.

RequestCertificateRequest req = new RequestCertificateRequest();

req.setDomainName("example.com");

req.setIdempotencyToken("1Aq25pTy");

req.setSubjectAlternativeNames(san);

// Create a result object and display the certificate ARN.

RequestCertificateResult result = null;

try {

result = client.requestCertificate(req);

}

catch(InvalidDomainValidationOptionsException ex)

{

Version 1.0

AWS Certiﬁcate Manager User Guide

ResendValidationEmail

throw ex;

}

catch(LimitExceededException ex)

{

throw ex;

}

// Display the ARN.

System.out.println(result);

}

The preceding sample creates output similar to the following.

{CertificateArn:

arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012}

Resending Validation Email

The following example shows you how to use the ResendValidationEmail function.

package com.amazonaws.samples;

import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;

import com.amazonaws.services.certificatemanager.AWSCertificateManager;

import com.amazonaws.services.certificatemanager.model.ResendValidationEmailRequest;

import com.amazonaws.services.certificatemanager.model.ResendValidationEmailResult;

import

com.amazonaws.services.certificatemanager.model.InvalidDomainValidationOptionsException;

import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

import com.amazonaws.services.certificatemanager.model.InvalidStateException;

import com.amazonaws.services.certificatemanager.model.InvalidArnException;

import com.amazonaws.AmazonClientException;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;

import com.amazonaws.auth.AWSStaticCredentialsProvider;

import com.amazonaws.auth.AWSCredentials;

import com.amazonaws.regions.Regions;

/**

* This sample demonstrates how to use the ResendValidationEmail function in the AWS

Certificate

* Manager service.

* Input parameters:

* CertificateArn - Amazon Resource Name (ARN) of the certificate request.

* Domain - FQDN in the certificate request.

* ValidationDomain - The base validation domain that is used to send email.

public class AWSCertificateManagerExample {

public static void main(String[] args) {

// Retrieve your credentials from the C:\Users\name\.aws\credentials file in Windows

Version 1.0

AWS Certiﬁcate Manager User Guide

ResendValidationEmail

// or the ~/.aws/credentials file in Linux.

AWSCredentials credentials = null;

try {

credentials = new ProfileCredentialsProvider().getCredentials();

}

catch (Exception ex) {

throw new AmazonClientException("Cannot load your credentials from file.", ex);

}

// Create a client.

AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()

.withRegion(Regions.US_EAST_1)

.withCredentials(new AWSStaticCredentialsProvider(credentials))

.build();

// Create a request object and set the input parameters.

ResendValidationEmailRequest req = new ResendValidationEmailRequest();

req.setCertificateArn("arn:aws:acm:region:account:certificate/

12345678-1234-1234-1234-123456789012");

req.setDomain("gregpe.io");

req.setValidationDomain("gregpe.io");

// Create a result object.

ResendValidationEmailResult result = null;

try {

result = client.resendValidationEmail(req);

}

catch(ResourceNotFoundException ex)

{

throw ex;

}

catch (InvalidStateException ex)

{

throw ex;

}

catch (InvalidArnException ex)

{

throw ex;

}

catch (InvalidDomainValidationOptionsException ex)

{

throw ex;

}

// Display the result.

System.out.println(result.toString());

}

The preceding sample resends your validation email and displays an empty set.

{}

Version 1.0

AWS Certiﬁcate Manager User Guide

ACM Private Key Security

When you request a public certiﬁcate (p. 20), AWS Certiﬁcate Manager (ACM) generates a public/private

key pair. For imported certiﬁcates (p. 44), you generate the key pair. The public key becomes part of the

certiﬁcate. ACM stores the certiﬁcate and its corresponding private key, and uses AWS Key Management

Service (AWS KMS) to help protect the private key. The process works like this:

1. The ﬁrst time you request or import a certiﬁcate in an AWS region, ACM creates an AWS-managed

customer master key (CMK) in AWS KMS with the alias aws/acm. This CMK is unique in each AWS

account and each AWS region.

2. ACM uses this CMK to encrypt the certiﬁcate's private key. ACM stores only an encrypted version of the

private key (ACM does not store the private key in plaintext form). ACM uses the same CMK to encrypt

the private keys for all certiﬁcates in a speciﬁc AWS account and a speciﬁc AWS region.

3. When you associate the certiﬁcate with a service that is integrated with AWS Certiﬁcate Manager, ACM

sends the certiﬁcate and the encrypted private key to the service. You also implicitly create a grant in

AWS KMS that allows the service to use the CMK in AWS KMS to decrypt the certiﬁcate's private key.

For more information about grants, see Using Grants in the AWS Key Management Service Developer

Guide. For more information about services supported by ACM, see Services Integrated with AWS

Certiﬁcate Manager (p. 9).

4. Integrated services use the CMK in AWS KMS to decrypt the private key. Then the service uses the

certiﬁcate and the decrypted (plaintext) private key to establish secure communication channels (SSL/

TLS sessions) with its clients.

5. When the certiﬁcate is disassociated from an integrated service, the grant created in step 3 is retired.

This means the service can no longer use the CMK in AWS KMS to decrypt the certiﬁcate's private key.

Version 1.0

AWS Certiﬁcate Manager User Guide

CAA Records

Troubleshooting

Consult the following topics if you encounter problems using AWS Certiﬁcate Manager.

Topics

•Troubleshoot Certiﬁcation Authority Authorization (CAA) Problems (p. 94)

•Troubleshoot Email Problems (p. 94)

•Troubleshoot Certiﬁcate Importing Problems (p. 97)

•Troubleshoot Certiﬁcate Pinning Problems (p. 97)

•Troubleshoot Certiﬁcate Request Problems (p. 98)

•Troubleshoot Managed Certiﬁcate Renewal Problems (p. 99)

•Troubleshoot Certiﬁcate Validation Problems (p. 100)

•Troubleshoot .IO Domain Problems (p. 101)

•Troubleshoot API Gateway Problems (p. 101)

Troubleshoot Certiﬁcation Authority Authorization

(CAA) Problems

You can use CAA DNS records to specify that the Amazon certiﬁcate authority (CA) can issue ACM

Certiﬁcates for your domain or subdomain. If you receive an error during certiﬁcate issuance that says

One or more domain names have failed validation due to a Certiﬁcation Authority Authentication

(CAA) error, check your CAA DNS records. If you receive this error after your ACM Certiﬁcate request has

been successfully validated, you must update your CAA records and request a certiﬁcate again. The value

ﬁeld in at least one of your CAA records must contain one the following domain names:

• amazon.com

• amazontrust.com

• awstrust.com

• amazonaws.com

If you do not want ACM to perform CAA checking, do not conﬁgure a CAA record for your domain

or leave your CAA records blank. For more information about creating a CAA record, see (Optional)

Conﬁgure a CAA Record (p. 18).

Troubleshoot Email Problems

Consult the following topics if you have trouble with validation email.

Topics

•Not Receiving Validation Email (p. 95)

•Email Sent to Subdomain (p. 96)

•Hidden Contact Information (p. 96)

Version 1.0

AWS Certiﬁcate Manager User Guide

Not Receiving Validation Email

•Certiﬁcate Renewals (p. 97)

•WHOIS Throttling (p. 97)

Not Receiving Validation Email

When you request a certiﬁcate from ACM and choose email validation, domain validation email is sent

to three contact addresses speciﬁed in WHOIS and to ﬁve common administrative addresses. For more

information, see Use Email to Validate Domain Ownership (p. 28). If you are experiencing problems

receiving validation email, review the suggestions that follow.

Where to look for email

Validation email is sent to contact addresses listed in WHOIS and to common administrative

addresses for the domain. Email is not sent to the AWS account owner unless the owner is also listed

as a domain contact in WHOIS. Review the list of email addresses that are displayed in the ACM

console (or returned from the CLI or API) to determine where you should be looking for validation

email. To see the list, click the icon next to the domain name in the box labeled Validation not

complete.

The email is marked as spam

Check your spam folder for the validation email.

GMail automatically sorts your email

If you are using GMail, the validation email may have been automatically sorted into the Updates or

Promotions tabs.

The domain registrar does not display contact information or privacy protection is enabled

In some cases, the domain registrant, technical, and administrative contacts in WHOIS may not

be publicly available, and AWS therefore cannot reach these contacts. At your discretion, you can

choose to conﬁgure your registrar to list your email address in WHOIS, although not all registrars

support this option. You may be required to make a change directly at your domain's registry. In

other cases, the domain contact information may be using a privacy address, such as those provided

through WhoisGuard or PrivacyGuard.

For domains purchased from Route53, privacy protection is enabled by default and your email

address is mapped to a whoisprivacyservice.org or contact.gandi.net email address.

Ensure that your registrant email address on ﬁle with your domain registrar is up to date so that the

email sent to these obscured email addresses can be forwarded to an email address that you control.

Note

Privacy protection for some domains that your purchase with Route53 will be enabled even

if you choose to make your contact information public. For example, privacy protection

for the .ca top level domain cannot be programmatically disabled by Route53. You must

contact the AWS Support Center and request that privacy protection be disabled.

If email contact information for your domain is not available through WHOIS, or if email sent

to the contact information does not reach the domain owner or an authorized representative,

we recommend that you conﬁgure your domain or subdomain to receive email sent to one or

more of the common administrative addresses formed by prepending admin@, administrator@,

hostmaster@, webmaster@, and postmaster@ to the requested domain name. For more information

about conﬁguring email for your domain, see the documentation for your email service provider

and follow the instructions at (Optional) Conﬁgure Email for Your Domain (p. 17). If you are using

Amazon WorkMail, see Working with Users in the Amazon WorkMail Administrator Guide.

After making available at least one of the eight email addresses to which AWS sends validation email

and conﬁrming that you can receive email for that address, you are ready to request a certiﬁcate

Version 1.0

AWS Certiﬁcate Manager User Guide

Email Sent to Subdomain

through ACM. After you make a certiﬁcate request, ensure the intended email address appears in

the list of email addresses in the AWS Management Console. While the certiﬁcate is in the Pending

validation state, you can expand the list to view it by clicking the icon next to the domain name in

the box labeled Validation not complete. You can also view the list in Step 3: Validate of the ACM

Request a Certiﬁcate wizard. The listed email addresses are the ones to which email was sent.

Missing or incorrectly conﬁgured MX records

An MX record is a resource record in the Domain Name System (DNS) database that speciﬁes one

or more mail servers that accept email messages for your domain. If your MX record is missing or

misconﬁgured, email can not be sent to any of the ﬁve common system administration addresses

speciﬁed at Use Email to Validate Domain Ownership (p. 28). Fix your missing or misconﬁgured MX

record and try to resend the email or request your certiﬁcate again.

Note

Currently, we recommend that you wait at least one hour before attempting to resend the

email or requesting your certiﬁcate.

Note

To bypass requiring an MX record, you can use the ValidationDomain option in the

RequestCertiﬁcate API or the request-certiﬁcate AWS CLI command to specify the domain

name to which ACM sends validation emails. If you use the API or the AWS CLI, AWS does

not perform an MX lookup.

Contact the Support Center

If, after reviewing the preceding guidance, you still don't receive the domain validation email, please

visit the AWS Support Center and create a case. If you don't have a support agreement, post a

message to the ACM Discussion Forum.

Email Sent to Subdomain

If you are using the console and request a certiﬁcate for a subdomain name such

as sub.test.example.com, then ACM checks to see if there is an MX record for

sub.test.example.com. If not, then the parent domain test.example.com is checked, and

so on, up to the base domain example.com. If an MX record is found, the search stops and a

validation email is sent to the common administration addresses for the subdomain. So for example,

if an MX record is found for test.example.com, email is sent to admin@test.example.com,

administrator@test.example.com, and the other administrative addresses speciﬁed in Use Email to

Validate Domain Ownership (p. 28). If an MX record is not found in any of the subdomains, email is sent

to the subdomain that you originally requested the certiﬁcate for. For a thorough discussion of how to

setup your email and how ACM works with DNS and the WHOIS database, see (Optional) Conﬁgure Email

for Your Domain (p. 17).

Instead of using the console, you can use the ValidationDomain option in the RequestCertiﬁcate API

or the request-certiﬁcate AWS CLI command to specify the domain name to which ACM sends validation

emails. If you use the API or the AWS CLI, AWS does not perform an MX lookup.

Hidden Contact Information

A common problem occurs when you attempt to create a new certiﬁcate. Some registrars allow you

to hide your contact information in your WHOIS listing. Others allow you to substitute your real email

address with a privacy (or proxy) address. This prevents you from receiving validation email at your

registered contact addresses.

To receive mail, ensure that your contact information is public in WHOIS, or if your WHOIS listing shows

a privacy email address, ensure that email sent to the privacy address is forwarded to your real email

address. After your WHOIS setup is complete and as long as your certiﬁcate request has not timed

Version 1.0

AWS Certiﬁcate Manager User Guide

Certiﬁcate Renewals

out, you can choose to resend the validation email. ACM performs a new WHOIS/MX lookup and sends

validation email to your now public contact address.

Certiﬁcate Renewals

If you made your WHOIS information public when you requested a new certiﬁcate and then later

obfuscated your information, ACM cannot retrieve your registered contact addresses when you attempt

to renew your certiﬁcate. ACM sends validation email to these contact addresses and to ﬁve common

administrative addresses formed by using your MX record. To address this problem, make your WHOIS

information public again and resend the validation emails. ACM performs a new WHOIS/MX lookup and

sends validation email to your now public contact addresses.

WHOIS Throttling

Sometimes ACM is unable to contact the WHOIS server even after you have sent multiple requests for

validation email. This problem is external to AWS. That is, AWS does not control the WHOIS servers

and cannot prevent WHOIS server throttling. If you experience this problem, create a case at the AWS

Support Center for help with a workaround.

Troubleshoot Certiﬁcate Importing Problems

You can import third party certiﬁcates into ACM and associate them with integrated services. If you

encounter problems, review the prerequisites and certiﬁcate format topics. In particular, note the

following:

• You can import only X.509 version 3 SSL/TLS certiﬁcates.

• Your certiﬁcate can be self–signed or it can be signed by a certiﬁcate authority (CA).

• If your certiﬁcate is signed by a CA, you must include a certiﬁcate chain that chains up to the root of

authority.

• Do not include your certiﬁcate in the certiﬁcate chain.

• Each certiﬁcate in the chain must directly certify the one preceding.

• Your certiﬁcate, private key, and certiﬁcate chain must be PEM–encoded.

• Your private key must not be encrypted.

• Services integrated with ACM allow only algorithms and key sizes they support to be associated

with their resources. Support can change. See the documentation for each service to make sure your

certiﬁcate will work.

• Certiﬁcate support by integrated services might diﬀer depending on whether the certiﬁcate is

imported into IAM or into ACM.

• The certiﬁcate must be valid when it is imported.

• Detail information for all of your certiﬁcates is displayed in the console. By default, however, if you

call the ListCertiﬁcates API or the list-certiﬁcates AWS CLI command without specifying the keyTypes

ﬁlter, only RSA_1024 or RSA_2048 certiﬁcates are displayed.

Troubleshoot Certiﬁcate Pinning Problems

To renew a certiﬁcate, ACM generates a new public-private key pair. If your application uses Certiﬁcate

Pinning (p. 12), sometimes known as SSL pinning, to pin an ACM Certiﬁcate, the application might not

be able to connect to your domain after AWS renews the certiﬁcate. For this reason, we recommend that

you don't pin an ACM Certiﬁcate. If your application must pin a certiﬁcate, you can do the following:

Version 1.0

AWS Certiﬁcate Manager User Guide

Certiﬁcate Requests

•Import your own certiﬁcate into ACM (p. 44) and then pin your application to the imported certiﬁcate.

ACM doesn't provide managed renewal for imported certiﬁcates.

• Pin your application to an Amazon root certiﬁcate.

Troubleshoot Certiﬁcate Request Problems

Consult the following topics if you have trouble requesting an ACM Certiﬁcate.

Topics

•Certiﬁcate Request Timed Out (p. 98)

•Certiﬁcate Request Failed (p. 98)

Certiﬁcate Request Timed Out

Requests for ACM Certiﬁcates time out if they are not validated within 72 hours. To correct this

condition, delete your request and choose Request a certiﬁcate to begin again. You can use DNS

validation or email validation to assert that you own or control the domains listed in your request. We

recommend that you use DNS. For more information see, Use DNS to Validate Domain Ownership (p. 25).

Certiﬁcate Request Failed

A request for an ACM Certiﬁcate can fail. If that happens, the following explanations can help you

understand why the request failed and suggest steps you can take to ﬁx the problem.

Failure Reasons

•No Available Contacts (p. 98)

•Domain Not Allowed (p. 99)

•Additional Veriﬁcation Required (p. 99)

•Invalid Public Domain (p. 99)

•Other (p. 99)

No Available Contacts

You chose email validation when requesting a certiﬁcate, but ACM could not ﬁnd an email address to use

for validating one or more of the domain names in the request. To correct this problem, you can do one

of the following:

• Ensure that you have a working email address that is registered in WHOIS and that the address is

visible when performing a standard WHOIS lookup for the domain names in the certiﬁcate request.

Typically, you do this through your domain registrar.

• Ensure your domain is conﬁgured to receive email. Your domain's name server must have a mail

exchanger record (MX record) so ACM's email servers know where to send the domain validation

email (p. 28).

Accomplishing one of the preceding tasks is enough to correct this problem; you don't need to do both.

After you correct the problem, request a new certiﬁcate. You cannot resubmit a failed certiﬁcate request.

For more information about how to ensure that you receive domain validation emails from ACM, see

(Optional) Conﬁgure Email for Your Domain (p. 17) or Not Receiving Validation Email (p. 95). If you

Version 1.0

AWS Certiﬁcate Manager User Guide

Certiﬁcate Renewal

follow these steps and continue to get the No Available Contacts message, then report this to AWS so

that we can investigate it.

Domain Not Allowed

ACM did not allow you to request a certiﬁcate for one or more of the domain names you speciﬁed.

Typically, this is because one or more of the domain names in the certiﬁcate request was found in

the Google Safe Browsing list of unsafe websites or the PhishTank list of valid phishes. To correct this

problem, you can do the following:

• Search for your domain name at the Google Safe Browsing Site Status website. If your domain is

considered unsafe, see Google Help for Hacked Websites to learn what you can do. If you think your

domain is safe, see Request a review to request a review from Google.

• Search for your domain name on the PhishTank home page. If your domain is considered a phish, see

Google Help for Hacked Websites or StopBadware Webmaster Help to learn what you can do. If you

think your domain is safe, see the PhishTank FAQ for information about how to report a false positive.

After you correct the problem, request a new certiﬁcate. You cannot resubmit a failed certiﬁcate request.

Additional Veriﬁcation Required

ACM requires additional information to process this certiﬁcate request. To provide this information, use

the Support Center to contact AWS Support. If you don't have a support plan, post a new thread in the

AWS Certiﬁcate Manager discussion forum.

Note

You cannot request a certiﬁcate for Amazon-owned domain names such as those ending in

amazonaws.com, cloudfront.net, or elasticbeanstalk.com.

Invalid Public Domain

One or more of the domain names in the certiﬁcate request is not valid. Typically, this is because a

domain name in the request is not a valid top-level domain. Try to request a certiﬁcate again, correcting

any spelling errors or typos that were in the failed request, and ensuring that all domain names in

the request are for valid top-level domains. For example, you cannot request an ACM Certiﬁcate for

example.invalidpublicdomain because "invalidpublicdomain" is not a valid top-level domain. If you

continue to receive this failure reason, contact the Support Center. If you don't have a support plan, post

a new thread in the AWS Certiﬁcate Manager discussion forum.

Other

Typically, this failure occurs when there is a typographical error in one or more of the domain names in

the certiﬁcate request. Try to request a certiﬁcate again, correcting any spelling errors or typos that were

in the failed request. If you continue to receive this failure reason, use the Support Center to contact

AWS Support. If you don't have a support plan, post a new thread in the AWS Certiﬁcate Manager

discussion forum.

Troubleshoot Managed Certiﬁcate Renewal

Problems

ACM tries to automatically renew your ACM Certiﬁcates before they expire so that no action is required

from you. Consult the following topics if you have trouble with Managed Renewal for ACM's Amazon-

Issued Certiﬁcates (p. 38).

Version 1.0

AWS Certiﬁcate Manager User Guide

Automatic Domain Validation

Topics

•Automatic Domain Validation (p. 100)

•Asynchronous Process (p. 100)

Automatic Domain Validation

Before ACM can renew your certiﬁcates automatically, the following must be true:

• ACM must be able to establish an HTTPS connection with each domain in the certiﬁcate.

• For each connection, the certiﬁcate that is returned must match the one that ACM is renewing.

• Your certiﬁcate must be associated with an AWS service that is integrated with ACM.

• ACM must be able to validate each domain name listed in your certiﬁcate.

To increase the likelihood that ACM can renew your certiﬁcate automatically, do the following:

Use the certiﬁcate with an AWS resource

Make sure that your certiﬁcate is in use with a supported AWS resource. For information about the

resources that ACM supports, see Services Integrated with AWS Certiﬁcate Manager (p. 9).

Conﬁgure the resource to accept HTTPS requests from the Internet

Make sure that the AWS resource that has your ACM Certiﬁcate is conﬁgured to accept HTTPS

requests from the internet.

Conﬁgure DNS to route your domain name to the resource that hosts your ACM Certiﬁcate

Make sure that HTTPS requests to the domain names in your certiﬁcate are routed to the resource

that has your certiﬁcate.

Asynchronous Process

Managed Renewal for ACM's Amazon-Issued Certiﬁcates (p. 38) is an asynchronous process. This means

that the steps don't occur in immediate succession. After all domain names in an ACM Certiﬁcate have

been validated, there might be a delay before ACM obtains the new certiﬁcate. An additional delay can

occur between the time when ACM obtains the renewed certiﬁcate and the time when that certiﬁcate

is deployed to the AWS resources that use it. Therefore, changes to the certiﬁcate status can take up to

several hours to appear in the console.

Troubleshoot Certiﬁcate Validation Problems

Consult the following topic if your validation appears to be stuck in a pending state.

Validation Not Complete

If the ACM Certiﬁcate request status is Pending validation, the request is waiting for action from you.

If you chose email validation when you made the request, you or an authorized representative must

respond to the validation email messages. These messages were sent to the registered WHOIS contact

addresses and other common email addresses for the requested domain. For more information, see Use

Email to Validate Domain Ownership (p. 28). If you chose DNS validation, you must write the CNAME

record that ACM created for you to your DNS database. For more information, see Use DNS to Validate

Domain Ownership (p. 25).

Version 1.0

100

AWS Certiﬁcate Manager User Guide

.IO Domains

Important

You must validate that you own or control every domain name that you included in your

certiﬁcate request. If you chose email validation, you will receive validation email messages for

each domain. If you do not, then see Not Receiving Validation Email (p. 95). If you chose DNS

validation, you must create one CNAME record for each domain.

We recommend that you use DNS validation rather than email validation.

Troubleshoot .IO Domain Problems

The .IO domain is assigned to the British Indian Ocean Territory. Currently, the domain registry does

not display your public information from the WHOIS database. This is true whether you have privacy

protection for the domain enabled or disabled. When a WHOIS lookup is performed, only obfuscated

registrar information is returned. Therefore, ACM is unable to send validation email to the following

three registered contact addresses that are usually available in WHOIS.

• Domain registrant

• Technical contact

• Administrative contact

ACM does, however, send validation email to the following ﬁve common system addresses where

your_domain is the domain name you entered when you initially requested a certiﬁcate and .io is the

top level domain.

• administrator@your_domain.io

• hostmaster@your_domain.io

• postmaster@your_domain.io

• webmaster@your_domain.io

• admin@your_domain.io

To receive validation mail for an .IO domain, make sure that you have one of the preceding ﬁve email

accounts enabled. If you do not, you will not receive validation email and you will not be issued an ACM

certiﬁcate.

Note

We recommend that you use DNS validation rather than email validation. For more information,

see Use DNS to Validate Domain Ownership (p. 25).

Troubleshoot API Gateway Problems

When you deploy an edge-optimized API endpoint, API Gateway sets up a CloudFront distribution for you.

The CloudFront distribution is owned by API Gateway, not by your account. The distribution is bound

to the ACM Certiﬁcate that you used when deploying your API. To remove the binding and allow ACM

to delete your certiﬁcate, you must remove the API Gateway custom domain that is associated with the

certiﬁcate.

When you deploy a regional API endpoint, API Gateway creates an application load balancer (ALB) on

your behalf. The load balancer is owned by API Gateway and is not visible to you. The ALB is bound to

the ACM Certiﬁcate that you used when deploying your API. To remove the binding and allow ACM to

delete your certiﬁcate, you must remove the API Gateway custom domain that is associated with the

certiﬁcate.

Version 1.0

101

AWS Certiﬁcate Manager User Guide

Document History

The following table describes the documentation release history of AWS Certiﬁcate Manager beginning

in 2018.

update-history-change update-history-description update-history-date

New content (p. 102) Added ability to publish

ACM public certiﬁcates into

Certiﬁcate Transparency logs by

default.

April 24, 2018

New service exention (p. 102) Launched ACM Private

Certiﬁcate Manager (CM),

and extension of AWS

Certiﬁcate Manager that allows

users to establish a secure

managed infrastructure for

issuing and revoking private

digital certiﬁcates. For more

information, see AWS Private

Certiﬁcate Authority.

April 4, 2018

New content (p. 102) Added certiﬁcate transparency

logging to Best Practices.

March 27, 2018

The following table describes the documentation release history of AWS Certiﬁcate Manager prior to

2018.

Change Description Release Date

New content Added DNS validation to

Use DNS to Validate Domain

Ownership (p. 25).

November 21, 2017

New content Added new Java code examples

to Using the ACM API (p. 74).

October 12, 2017

New content Added information about CAA

records to (Optional) Conﬁgure a

CAA Record (p. 18).

September 21, 2017

New content Added information

about .IO domains to

Troubleshooting (p. 94).

July 07, 2017

New content Added information about

reimporting a certiﬁcate to

Reimport a Certiﬁcate (p. 47).

July 07, 2017

New content Added information about

certiﬁcate pinning to Best

Practices (p. 11) and to

Troubleshooting (p. 94).

July 07, 2017

Version 1.0

102

AWS Certiﬁcate Manager User Guide

Change Description Release Date

New content Added AWS CloudFormation to

Services Integrated with AWS

Certiﬁcate Manager (p. 9).

May 27, 2017

Update Added more information to

Limits (p. 10).

May 27, 2017

New content Added documentation about

Authentication and Access

Control (p. 52).

April 28, 2017

Update Added a graphic to show where

validation email is sent. See

Use Email to Validate Domain

Ownership (p. 28).

April 21, 2017

Update Added information about setting

up email for your domain. See

(Optional) Conﬁgure Email for

Your Domain (p. 17).

April 6, 2017

Update Added information about

checking certiﬁcate renewal

status in the console. See

Check a Certiﬁcate's Renewal

Status (p. 40).

March 28, 2017

Update Updated the documentation for

using Elastic Load Balancing.

March 21, 2017

New content Added support for AWS

Elastic Beanstalk and Amazon

API Gateway. See Services

Integrated with AWS Certiﬁcate

Manager (p. 9).

March 21, 2017

Update Updated the documentation

about Managed Renewal (p. 38).

February 20, 2017

New content Added documentation about

Importing Certiﬁcates (p. 44).

October 13, 2016

New content Added AWS CloudTrail

support for ACM actions.

See Logging AWS Certiﬁcate

Manager API Calls with AWS

CloudTrail (p. 60).

March 25, 2016

New guide This release introduces AWS

Certiﬁcate Manager.

January 21, 2016

Version 1.0

103

AWS Certificate Manager User Guide 2018 Acm Ug

Navigation menu

Versions of this User Manual:

Views

Navigation