TLS Certificates with ACM

Every modern website should serve traffic over HTTPS, which means it needs a TLS certificate (a small file that proves your domain’s identity and encrypts the connection between the browser and your server). Buying and renewing those certificates used to be a yearly chore. AWS Certificate Manager (ACM) makes it free and hands-off: it issues public certificates at no cost and renews them automatically, as long as you attach them to an AWS service. This page shows how ACM works, how to validate a certificate, and how to attach it to a load balancer or CDN.

What ACM does and when to use it

ACM is a service that creates, stores, and renews TLS certificates for you. TLS (Transport Layer Security) is the protocol behind the padlock icon in the browser; it’s the successor to the older SSL (Secure Sockets Layer), and the two terms are often used interchangeably.

There are two kinds of ACM certificate:

• Public certificates are free and trusted by every browser. Use these for any website or API that the public reaches over the internet.
• Private certificates come from ACM Private CA (Certificate Authority), which has its own hourly and per-certificate cost. Use these only for internal services where you control all the clients.

When to use ACM: any time you terminate HTTPS on an AWS-managed service — an Application Load Balancer (ALB), a CloudFront distribution (Amazon’s content delivery network), or API Gateway. When NOT to use it: if you need the certificate’s private key file to install on your own EC2 web server (such as Nginx or Apache), ACM public certificates will not work, because AWS never lets you export the private key.

Gotcha: ACM public certificates are free, but they are locked inside AWS. You cannot download the private key and copy it onto an EC2 instance. If you run your own web server, use ALB or CloudFront in front of it, or get a certificate elsewhere (for example Let’s Encrypt).

Requesting a certificate

You give ACM one or more domain names and tell it how you’ll prove you own them. You can request a single name like app.example.com, or use a wildcard like *.example.com to cover every subdomain at once.

Console steps

1. Open the AWS Certificate Manager console. Pick the correct Region first (see the Region rules below).
2. Click Request a certificate, choose Request a public certificate, then Next.
3. Under Fully qualified domain name, enter example.com. Click Add another name and enter *.example.com to cover subdomains too.
4. Choose DNS validation - recommended.
5. Add tags if you like, then click Request.

CLI equivalent

aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names "*.example.com" \
  --validation-method DNS \
  --region us-east-1

Output:

{
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/0a1b2c3d-4e5f-6789-abcd-0a1b2c3d4e5f"
}

The certificate now exists but is in PENDING_VALIDATION status. It is not usable until you prove you own the domain.

DNS validation vs email validation

ACM offers two ways to prove ownership. The choice matters a lot for renewals.

Method	How it works	Renewal	Best for
DNS validation	You add a CNAME record to your domain’s DNS	Renews automatically forever (if the record stays)	Almost everyone — pick this
Email validation	AWS emails the domain’s registered contacts; you click a link	Must be re-confirmed every 13 months by a human	Domains where you can’t edit DNS

DNS validation is strongly preferred. You add one CNAME record (an alias-style DNS record) once, and ACM keeps renewing the certificate as long as that record is present.

Critical gotcha: ACM auto-renews a DNS-validated certificate by re-checking the validation CNAME record. If you ever delete that CNAME, renewal silently fails and the certificate eventually expires, taking your site offline. Leave the validation record in place forever.

Completing DNS validation

If your domain uses Amazon Route 53 (AWS’s DNS service), ACM can create the record for you with one click in the console, or with this CLI helper:

aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:111122223333:certificate/0a1b2c3d-4e5f-6789-abcd-0a1b2c3d4e5f \
  --region us-east-1 \
  --query "Certificate.DomainValidationOptions[0].ResourceRecord"

Output:

{
    "Name": "_3a1b2c3d4e5f.example.com.",
    "Type": "CNAME",
    "Value": "_9z8y7x6w5v.acm-validations.aws."
}

Add that exact CNAME to your DNS provider. Within a few minutes ACM detects it and the status flips to ISSUED. You can watch it:

aws acm wait certificate-validated \
  --certificate-arn arn:aws:acm:us-east-1:111122223333:certificate/0a1b2c3d-4e5f-6789-abcd-0a1b2c3d4e5f \
  --region us-east-1

The Region rules (the part everyone gets wrong)

ACM certificates are regional resources, and where the certificate lives must match where it’s used.

Where you attach it	Region the certificate must be in
Application Load Balancer (ALB)	The same Region as the ALB (e.g. eu-west-1)
API Gateway (regional endpoint)	The same Region as the API
CloudFront distribution	Always us-east-1 (N. Virginia), no matter where your users are

Tip: CloudFront is a global service, so it only reads certificates from us-east-1. If your certificate doesn’t appear in the CloudFront dropdown, you almost certainly created it in the wrong Region. Request a fresh one in us-east-1 — there is no charge.

Attaching the certificate

To an Application Load Balancer

An ALB needs an HTTPS listener on port 443 that references the certificate.

aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/my-alb/0a1b2c3d4e5f \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=arn:aws:acm:eu-west-1:111122223333:certificate/0a1b2c3d-4e5f-6789-abcd-0a1b2c3d4e5f \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:eu-west-1:111122223333:targetgroup/my-targets/0a1b2c3d4e5f

Console: In the EC2 console, open your load balancer, go to Listeners and rules, click Add listener, choose HTTPS : 443, and under Default SSL/TLS certificate select From ACM and pick your certificate.

To a CloudFront distribution (CloudFormation)

Resources:
  CDN:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - app.example.com
        ViewerCertificate:
          AcmCertificateArn: arn:aws:acm:us-east-1:111122223333:certificate/0a1b2c3d-4e5f-6789-abcd-0a1b2c3d4e5f
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021

Cost

Public ACM certificates are completely free, including renewals — you pay nothing for the certificate itself, only for the ALB, CloudFront, or API Gateway that uses it. ACM Private CA is the exception: it costs roughly $400 per month per CA plus a small per-certificate fee, so only use it for genuine internal PKI needs.

Best Practices

• Always choose DNS validation over email so renewals stay fully automatic.
• Never delete the validation CNAME record — treat it as permanent infrastructure.
• Request CloudFront certificates in us-east-1 and ALB/API Gateway certificates in the same Region as the resource.
• Use a wildcard (*.example.com) when you have many subdomains, but remember it does not cover the bare apex example.com — add that name explicitly.
• Set a CloudWatch alarm on the ACM DaysToExpiry metric so you’re warned long before any certificate lapses.
• Don’t try to export ACM public certs for EC2 — put an ALB or CloudFront in front instead.

Related Topics

• What is Amazon Route 53?
• DNS record types
• What is CloudFront?
• Create a CloudFront distribution
• Host a static site on CloudFront + S3