Managed certificate renewal in AWS Certificate Manager (original) (raw)
ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This means that ACM will either renew your certificates automatically (if you are using DNS validation), or it will send you email notices when expiration is approaching. These services are provided for both public and private ACM certificates.
A certificate is eligible for automatic renewal subject to the following considerations:
- ELIGIBLE if associated with another AWS service, such as Elastic Load Balancing or CloudFront.
- ELIGIBLE if exported since being issued or last renewed.
- ELIGIBLE if it is a private certificate issued by calling the ACM RequestCertificate API and then exported or associated with another AWS service.
- ELIGIBLE if it is a private certificate issued through the management console and then exported or associated with another AWS service.
- NOT ELIGIBLE if it is a private certificate issued by calling the AWS Private CAIssueCertificate API.
- NOT ELIGIBLE if imported.
- NOT ELIGIBLE if already expired.
Additionally, the following Punycode requirements relating to Internationalized Domain Names must be fulfilled:
- Domain names beginning with the pattern "--" must match "xn--".
- Domain names beginning with "xn--" must also be valid Internationalized Domain Names.
Punycode examples
| Domain Name | Fulfills #1 | Fulfills #2 | Allowed | Note |
|---|---|---|---|---|
| example.com | n/a | n/a | ✓ | Does not start with "--" |
| a--example.com | n/a | n/a | ✓ | Does not start with "--" |
| abc--example.com | n/a | n/a | ✓ | Does not start with "--" |
| xn--xyz.com | Yes | Yes | ✓ | Valid Internationalized Domain Name (resolves to 简.com) |
| xn--example.com | Yes | No | ✗ | Not a valid Internationalized Domain Name |
| ab--example.com | No | No | ✗ | Must start with "xn--" |
When ACM renews a certificate, the certificate's Amazon Resource Name (ARN) remains the same. Also, ACM certificates are regional resources. If you have certificates for the same domain name in multiple AWS Regions, each of these certificates must be renewed independently.
Topics
- Renew ACM public certificates
- Private certificate renewal in AWS Certificate Manager
- Check a certificate's renewal status
Delete certificates
Public certificates
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.