
AWS Certificate Manager (ACM)

Free SSL for AWS—if you know the rules. ACM is Amazon's managed service for provisioning, managing, and deploying SSL/TLS certificates. It's powerful, free for public certificates, and deeply integrated with AWS services—but it comes with rules that trip up even experienced engineers.

12-15 min read · January 2026 · Intermediate

[Figure: AWS Certificate Manager (ACM) - Free SSL for AWS with integrated services and non-integrated services]

CloudFront requires certificates in us-east-1

ACM certificates for CloudFront MUST be in us-east-1 (N. Virginia)

Certificates in any other region won't appear in the CloudFront dropdown. This applies regardless of where your origin is located.

Introduction

The 3-Point Summary

  • Free public certificates for integrated AWS services (CloudFront, ALB, API Gateway)
  • Automatic renewal (when DNS validation is configured correctly)
  • The us-east-1 CloudFront trap everyone hits at least once

What ACM is NOT: A way to get certificates for EC2, on-premises servers, or any non-AWS infrastructure. Those require ACM Private CA ($400/mo) or external certificates.

ACM vs. the Alternatives

Feature              | ACM Public   | ACM Private CA     | Let's Encrypt | Commercial CA
Cost                 | Free         | $400/mo + per-cert | Free          | $10-$500/year
Certificate Validity | 13 months    | Configurable       | 90 days       | 1-2 years
Auto-Renewal         | Yes (DNS)    | Yes                | Yes (certbot) | Manual
Export Private Key   | No           | Yes                | Yes           | Yes
Use Outside AWS      | No           | Yes                | Yes           | Yes
Wildcard Certs       | Yes          | Yes                | Yes           | Yes
OV/EV Validation     | No (DV only) | N/A (private)      | No (DV only)  | Yes

Decision Tree

Is it on AWS (CloudFront, ALB, API Gateway)?
├─ YES → ACM Public (free, auto-renew)
└─ NO
   ├─ EC2 instance? → ALB in front → ACM Public
   │                  OR → Let's Encrypt on EC2
   ├─ On-premises? → ACM Private CA ($$)
   │                 OR → Let's Encrypt
   │                 OR → Commercial CA
   └─ Need OV/EV? → Commercial CA only

The us-east-1 Rule

CloudFront is a global service that reads certificates from us-east-1 only.

  • Certificates in other regions (eu-west-1, ap-southeast-1, etc.) are invisible to CloudFront
  • You cannot move ACM certificates between regions
  • You must request a new certificate in us-east-1

CloudFront (Global) vs Origin (Regional)

Visitor (anywhere)
  → HTTPS (us-east-1 cert!) →
CloudFront (global edge)
  → HTTPS (any region) →
Origin (eu-west-1, etc.)

Other us-east-1 requirements: Lambda@Edge functions, WAF WebACLs for CloudFront, and CloudFront Functions must also be created in us-east-1.

DNS vs Email Validation

Aspect         | DNS Validation ✓       | Email Validation
Auto-Renewal   | Yes (if CNAME remains) | No (requires click)
Setup          | Add CNAME record once  | Click link in email
Wildcards      | Supported              | Not supported
Route 53       | One-click setup        | N/A
Recommendation | Use this               | Legacy only

DNS Validation Process

ACM generates a unique CNAME record for each domain. Add this to your DNS:

dns
# Example CNAME record for DNS validation
Name:  _abc123def456ghi789.example.com
Type:  CNAME
Value: _xyz987wvu654.acm-validations.aws.

Route 53 Tip: If your domain is in Route 53, ACM shows a "Create record in Route 53" button. One click adds the CNAME automatically.

Why Your Certificate is Stuck on "Pending Validation"

72-Hour Timeout: ACM certificates expire from pending validation after 72 hours. If it times out, you'll need to request a new certificate.

Common Causes

  1. CNAME not propagated yet

     DNS changes can take 5-60 minutes. Check propagation:

     bash
     dig _abc123def456.example.com CNAME +short

  2. Wrong DNS zone

     If validating api.example.com, the CNAME must be in the example.com zone, not a subdomain zone.

  3. Typo in CNAME name or value

     Copy-paste from ACM console. Don't type it manually.

  4. CAA records blocking Amazon

     Check for restrictive CAA records:

     bash
     dig example.com CAA +short
     # Should include: 0 issue "amazon.com"
     # Or have no CAA records at all
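The checks behind causes 1, 3 and 4 above (and the CNAME record shown under DNS Validation Process) are easy to script so that dig output is interpreted the same way every time, including the part people miss: CAA records are inherited from parent names, and wildcard names are governed by issuewild before issue. The following is an added example, not code from this guide or from AWS. It assumes dig's +short output format, uses constructed zone data, and goes beyond the page by implementing the full RFC 8659 CAA lookup (climbing toward the apex) rather than only checking the apex; the additional Amazon CA identifiers are the ones AWS documents for ACM.

```python
"""Offline checks for the DNS causes listed above: a CNAME that has not
propagated (or carries the wrong value) and CAA records that do not permit
Amazon to issue. Example code added to this guide, not an AWS tool; the zone
data at the bottom is constructed for illustration."""
import subprocess

# CA identifiers AWS documents for ACM; the guide's example uses "amazon.com".
AMAZON_CAA_IDS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}


def normalize_name(name):
    """DNS names compare case-insensitively, with or without the trailing dot."""
    return name.strip().lower().rstrip(".")


def cname_matches(dig_output, expected_value):
    """True if the output of `dig <name> CNAME +short` contains the value ACM
    issued. Empty output means the record has not propagated, or was added to
    a zone that is not authoritative for the name."""
    answers = {normalize_name(line) for line in dig_output.splitlines() if line.strip()}
    return normalize_name(expected_value) in answers


def parse_caa(lines):
    """Parse `dig <name> CAA +short` lines such as '0 issue "amazon.com"'
    into (flags, tag, value) tuples; malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        flags, tag, value = parts
        # Drop the quotes and any ";key=value" parameters after the CA identifier.
        value = value.strip().strip('"').split(";")[0].strip().lower()
        records.append((int(flags), tag.lower(), value))
    return records


def caa_permits(caa_by_name, fqdn, wildcard=False, ca_ids=AMAZON_CAA_IDS):
    """RFC 8659 check: climb from the name toward the apex and use the first
    CAA record set found; no CAA set anywhere means any CA may issue. For a
    wildcard name, 'issuewild' records take precedence over 'issue' records.
    `caa_by_name` maps a DNS name to its raw `dig ... CAA +short` lines."""
    labels = normalize_name(fqdn).split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name not in caa_by_name:
            continue  # no CAA set at this label, keep climbing
        parsed = parse_caa(caa_by_name[name])
        issue = [v for _, tag, v in parsed if tag == "issue"]
        issuewild = [v for _, tag, v in parsed if tag == "issuewild"]
        relevant = issuewild if (wildcard and issuewild) else issue
        if not relevant:
            return True  # a CAA set exists but carries no issuance restriction
        return bool(set(relevant) & ca_ids)  # an 'issue ";"' value forbids every CA
    return True


def diagnose(domain, expected_cname_value, dig_cname_output, caa_by_name):
    """Map the dig results for one domain onto the causes listed above."""
    reasons = []
    if not dig_cname_output.strip():
        reasons.append("CNAME missing: not propagated yet, or added in the wrong zone")
    elif not cname_matches(dig_cname_output, expected_cname_value):
        reasons.append("CNAME has a different value: check for a typo in name or value")
    is_wild = domain.startswith("*.")
    bare = domain[2:] if is_wild else domain
    if not caa_permits(caa_by_name, bare, wildcard=is_wild):
        reasons.append("CAA records do not permit Amazon to issue for " + domain)
    return reasons


def dig_short(name, rrtype):
    """Run the dig command used above (needs network); not used by the sample run."""
    result = subprocess.run(["dig", name, rrtype, "+short"],
                            capture_output=True, text=True, check=False)
    return result.stdout


# Constructed sample zone: the apex allows only Let's Encrypt for ordinary names
# but allows Amazon for wildcards; ok.example.com carries its own CAA set.
SAMPLE_CAA = {
    "example.com": ['0 issue "letsencrypt.org"', '0 issuewild "amazon.com"'],
    "ok.example.com": ['0 issue "amazon.com"'],
}

if __name__ == "__main__":
    # api.example.com has no CAA of its own, so it inherits the apex restriction.
    print(diagnose("api.example.com", "_xyz987wvu654.acm-validations.aws", "", SAMPLE_CAA))
    print(diagnose("*.example.com", "_xyz987wvu654.acm-validations.aws",
                   "_xyz987wvu654.acm-validations.aws.\n", SAMPLE_CAA))
```

To use it against a live domain, feed `dig_short(name, "CNAME")` into `diagnose` and build `caa_by_name` from `dig_short(label, "CAA")` for the name and each of its parents; the sample run shows the inherited-CAA case, where the apex record blocks a subdomain that has no CAA of its own.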

Where ACM Certificates Work

Supported Services (Works)

Service                         | Region Requirement | Notes
CloudFront                      | us-east-1 only     | Global CDN
Application Load Balancer (ALB) | Same as ALB        | Up to 25 certs per ALB
Network Load Balancer (NLB)     | Same as NLB        | TLS listeners only
API Gateway                     | Same as API        | Custom domain names
Elastic Beanstalk               | Same as EB         | Via ALB
AWS App Runner                  | Same as App Runner | Custom domains

Not Supported (Doesn't Work)

Service                   | Why Not                    | Workaround
EC2 Instances             | Can't export private key   | ALB in front, or Let's Encrypt
ECS/EKS (direct)          | Containers need key access | ALB/NLB in front
On-premises servers       | Not AWS infrastructure     | ACM Private CA or external
Other clouds (GCP, Azure) | Can't export               | Let's Encrypt or commercial

The EC2 Workaround

Internet → HTTPS → ALB (ACM cert here) → HTTP → EC2 (HTTP in VPC)

ALB terminates SSL. EC2 receives unencrypted traffic on port 80 within the VPC.

Auto-Renewal: When "Automatic" Isn't

ACM auto-renewal works differently for DNS vs Email validation:

DNS Validation ✓

Fully automatic if CNAME record still exists. ACM re-validates domain ownership and renews 60 days before expiration.

Email Validation ⚠

Requires human action. You must click a link in the renewal email. Miss it, and the certificate expires.

When Renewal Silently Fails

  • CNAME record was deleted (someone "cleaned up" DNS)
  • Domain transferred to different registrar/DNS
  • CAA records added that block Amazon
  • Domain expired or WHOIS info changed
  • Certificate not associated with any AWS resource

Set Up CloudWatch Alarms

bash
# Alert when certificate expires in less than 30 days
aws cloudwatch put-metric-alarm \
  --alarm-name "ACM-CertExpiring-example-com" \
  --metric-name DaysToExpiry \
  --namespace AWS/CertificateManager \
  --statistic Minimum \
  --period 86400 \
  --threshold 30 \
  --comparison-operator LessThanThreshold \
  --dimensions Name=CertificateArn,Value=arn:aws:acm:... \
  --evaluation-periods 1 \
  --alarm-actions arn:aws:sns:...
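The CloudWatch alarm above catches the symptom (days to expiry). The causes in the "When Renewal Silently Fails" list, and the us-east-1 rule from earlier in the guide, can be caught earlier by reading the output of `aws acm describe-certificate` (shown under Common CLI Tasks). The following is an added example, not code from this guide or from AWS: it assumes the CLI's JSON output shape and ISO 8601 timestamps, and the JSON it audits is a constructed sample with a placeholder account ID and certificate ID.

```python
"""Audit one `aws acm describe-certificate` result for the us-east-1 rule and
the silent-renewal failure modes listed above. Example code added to this
guide, not an AWS tool: the JSON below is a constructed sample shaped like the
CLI's output, with a placeholder account ID and certificate ID."""
import json
from datetime import datetime, timezone

# Constructed sample, trimmed to the fields the audit reads. The wrong region,
# the empty InUseBy list and the failed renewal are deliberate so every check fires.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/"
                          "00000000-0000-0000-0000-000000000000",
        "DomainName": "example.com",
        "SubjectAlternativeNames": ["example.com", "*.example.com"],
        "Status": "ISSUED",
        "Type": "AMAZON_ISSUED",
        "NotAfter": "2026-02-10T23:59:59+00:00",
        "InUseBy": [],
        "RenewalEligibility": "INELIGIBLE",
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "SUCCESS",
             "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                "Value": "_xyz987.acm-validations.aws."}},
            {"DomainName": "*.example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "SUCCESS",
             "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                "Value": "_xyz987.acm-validations.aws."}},
        ],
        "RenewalSummary": {"RenewalStatus": "FAILED",
                           "RenewalStatusReason": "CAA_ERROR"},
    }
})

# Constructed "today" so the sample run is deterministic; use datetime.now(timezone.utc) live.
AUDIT_DATE = datetime(2026, 1, 15, tzinfo=timezone.utc)


def load_certificate(describe_json):
    """Unwrap the top-level 'Certificate' object of the CLI output."""
    return json.loads(describe_json)["Certificate"]


def arn_region(arn):
    """The region is the fourth colon-separated field of an ARN."""
    return arn.split(":")[3]


def days_to_expiry(cert, now):
    """Whole days until NotAfter; `now` must be timezone-aware like the CLI timestamp."""
    return (datetime.fromisoformat(cert["NotAfter"]) - now).days


def validation_cnames(describe_json):
    """The CNAMEs that must stay in DNS for renewal: what to re-add if someone
    'cleaned up' the zone. The apex and wildcard share one record, so collapse duplicates."""
    seen = {}
    for opt in load_certificate(describe_json).get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if rr and rr.get("Type") == "CNAME":
            seen[rr["Name"]] = rr["Value"]
    return sorted(seen.items())


def audit_certificate(describe_json, now, for_cloudfront=False, warn_days=30):
    """Return 'CODE: explanation' findings; an empty list means nothing needs attention."""
    cert = load_certificate(describe_json)
    findings = []
    region = arn_region(cert["CertificateArn"])
    if for_cloudfront and region != "us-east-1":
        findings.append(f"WRONG_REGION: certificate is in {region}; CloudFront only reads us-east-1")
    if cert.get("Status") == "PENDING_VALIDATION":
        findings.append("PENDING_VALIDATION: add the validation CNAMEs within 72 hours of the request")
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") == "EMAIL":
            findings.append(f"EMAIL_VALIDATION: {opt['DomainName']} only renews if someone clicks the renewal email")
    if cert.get("Type") == "AMAZON_ISSUED" and not cert.get("InUseBy"):
        findings.append("NOT_IN_USE: ACM only renews certificates associated with an AWS resource")
    renewal = cert.get("RenewalSummary", {})
    if renewal.get("RenewalStatus") == "FAILED":
        findings.append(f"RENEWAL_FAILED: {renewal.get('RenewalStatusReason', 'unknown reason')}")
    days = days_to_expiry(cert, now)
    if days <= warn_days:
        findings.append(f"EXPIRING_SOON: {days} days left")
    return findings


if __name__ == "__main__":
    for line in audit_certificate(SAMPLE_DESCRIBE_OUTPUT, AUDIT_DATE, for_cloudfront=True):
        print(line)
    print(validation_cnames(SAMPLE_DESCRIBE_OUTPUT))
```

Feed it the output of `aws acm describe-certificate --certificate-arn ... --region <region>` for each certificate; describe-certificate is regional, so certificates used by CloudFront are audited in us-east-1. The `validation_cnames` result is exactly what to put back in DNS when the troubleshooting table says "Re-add CNAME".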

ACM Private CA

ACM Private CA lets you run your own Certificate Authority for internal use. It's powerful but expensive.

Cost Reality

$400/month per CA, plus per-certificate fees. Consider this for: large enterprises, IoT device certificates, internal mTLS, regulated industries.

Alternatives to ACM Private CA

Option              | Cost                     | Best For
Self-signed certs   | Free                     | Dev/test environments
Let's Encrypt       | Free                     | Public-facing services
HashiCorp Vault     | OSS free / Enterprise $$ | Dynamic secrets, short-lived certs
step-ca (Smallstep) | OSS free                 | Internal PKI, ACME support
ACM Private CA      | $400/mo+                 | AWS-native, compliance, scale

Common CLI Tasks

Request a New Certificate

bash
# Request certificate with DNS validation
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names "*.example.com" \
  --validation-method DNS \
  --region us-east-1  # For CloudFront!

List All Certificates

bash
# List certificates in a region
aws acm list-certificates --region us-east-1

# Include ECDSA certificates too (by default, list-certificates returns only RSA_2048 certificates)
aws acm list-certificates \
  --region us-east-1 \
  --includes keyTypes=RSA_2048,EC_prime256v1

Check Certificate Status

bash
# Get certificate details
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789:certificate/abc-123 \
  --region us-east-1

# Check validation status specifically
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:... \
  --query 'Certificate.DomainValidationOptions[*].ValidationStatus'

Delete a Certificate

bash
# Delete (must not be in use)
aws acm delete-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789:certificate/abc-123 \
  --region us-east-1

Troubleshooting Quick Reference

Problem                         | Likely Cause           | Fix
Cert not in CloudFront dropdown | Wrong region           | Request in us-east-1
Stuck on "Pending validation"   | CNAME missing/wrong    | Verify with dig, check DNS zone
Can't delete certificate        | Still in use           | Disassociate from all resources first
Renewal failed                  | CNAME deleted          | Re-add CNAME or request new cert
CAA check failed                | CAA blocks Amazon      | Add: 0 issue "amazon.com"
Wildcard validation failing     | Using email validation | Wildcards require DNS validation
SSL error on EC2                | Can't use ACM on EC2   | Put ALB in front, or use Let's Encrypt

Summary

ACM is the right choice when:

  • ✓ You're deploying to CloudFront, ALB, API Gateway
  • ✓ You want free, auto-renewing DV certificates
  • ✓ You're comfortable with DNS validation
  • ✓ You don't need to export the private key
  • ✓ All your infrastructure is on AWS

ACM is the wrong choice when:

  • ✗ You need certificates on EC2 directly
  • ✗ You need OV or EV validation
  • ✗ You need to use certs outside AWS
  • ✗ You need exportable private keys
  • ✗ You're running multi-cloud infrastructure

Remember: CloudFront needs us-east-1, DNS validation beats email, and leave your CNAME records alone.

Last updated: January 2026