AWS Certificate Manager
User Guide (Version 1.0)

Best Practices

Best practices are recommendations that can help you use AWS Certificate Manager (ACM) more effectively. The following best practices are based on real-world experience from current ACM customers.

AWS CloudFormation

With AWS CloudFormation you can create a template that describes the AWS resources that you want to use. AWS CloudFormation then provisions and configures those resources for you. AWS CloudFormation can provision resources that are supported by ACM such as Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway. For more information, see Services Integrated with AWS Certificate Manager.

If you use AWS CloudFormation to quickly create and delete multiple test environments, we recommend that you do not create a separate ACM Certificate for each environment. Doing so will quickly exhaust your certificate limit. For more information, see Limits. Instead, create a wildcard certificate that covers all of the domain names that you are using for testing. For example, if you repeatedly create ACM Certificates for domain names that vary by only a version number, such as <version>, create instead a single wildcard certificate for <*>. Include the wildcard certificate in the template that AWS CloudFormation uses to create your test environment.

If you create ACM Certificates for domain names such as app.<branch>.<version>, we suggest that you change the domain structure. Place the variable names at the start of the certificate (<branch>.<version>) and create a wildcard certificate for the revised name structure (<*>).
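
The reason the name structure matters is the wildcard matching rule that browsers and TLS libraries apply (RFC 6125 section 6.4.3), and that a publicly trusted wildcard certificate such as an ACM wildcard is subject to: the `*` may only be the entire leftmost label and it matches exactly one label, never a dot. The Go program below is an added illustration, not code from the AWS guide; it implements that rule and runs it over constructed test-environment names under an assumed `service.example.com` zone. It goes one step beyond the text: because a wildcard covers a single label, a name whose variable part is spread over two labels (`main.v1.app...`) is still not covered, so the variable part has to collapse into one leftmost label (`main-v1.app...`).

```go
package main

import (
	"fmt"
	"strings"
)

// matchesWildcard reports whether host is covered by pattern under the
// wildcard rule used by browsers and TLS libraries (RFC 6125 section 6.4.3):
// "*" is accepted only as the entire leftmost label and matches exactly one
// non-empty label, never a dot. So "*.service.example.com" covers
// "v1.service.example.com" but neither "app.v1.service.example.com" nor
// "service.example.com".
func matchesWildcard(pattern, host string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	pp := strings.Split(pattern, ".")
	hp := strings.Split(host, ".")
	if len(pp) != len(hp) {
		return false
	}
	for i := range pp {
		if i == 0 && pp[i] == "*" {
			if hp[i] == "" {
				return false
			}
			continue
		}
		if pp[i] != hp[i] {
			return false
		}
	}
	return true
}

// uncovered returns the hostnames in hosts that none of patterns covers,
// in input order. An empty result means one certificate carrying those
// patterns as subject alternative names is enough for every host.
func uncovered(patterns, hosts []string) []string {
	var out []string
	for _, h := range hosts {
		covered := false
		for _, p := range patterns {
			if matchesWildcard(p, h) {
				covered = true
				break
			}
		}
		if !covered {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	// Constructed test-environment names; the zone service.example.com is an assumption.
	wildcard := []string{"*.service.example.com"}

	// Names that vary only by a version label: one wildcard covers them all.
	versioned := []string{"v1.service.example.com", "v2.service.example.com", "v3.service.example.com"}
	fmt.Println("uncovered (versioned):", uncovered(wildcard, versioned))

	// app.<branch>.<version>.<zone>: the variable labels are not leftmost and
	// there are two of them, so no single wildcard covers these.
	nested := []string{"app.main.v1.service.example.com", "app.feature.v2.service.example.com"}
	fmt.Println("uncovered (nested):", uncovered(wildcard, nested))

	// Restructured so that everything variable is one leftmost label, with a
	// wildcard issued for the fixed suffix.
	restructured := []string{"main-v1.app.service.example.com", "feature-v2.app.service.example.com"}
	fmt.Println("uncovered (restructured):", uncovered([]string{"*.app.service.example.com"}, restructured))
}
```

Running `uncovered` over the planned hostnames of a CloudFormation test template before requesting a certificate tells you whether one wildcard certificate will serve every environment, or whether the naming scheme still needs the restructuring the guide describes.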

Certificate Pinning

Certificate pinning, sometimes known as SSL pinning, is a process that you can use in your application to validate a remote host by associating that host directly with its X.509 certificate or public key instead of with a certificate hierarchy. The application therefore uses pinning to bypass SSL/TLS certificate chain validation. The typical SSL validation process checks signatures throughout the certificate chain from the root certificate authority (CA) certificate through the subordinate CA certificates, if any, and to the certificate for the remote host at the bottom of the hierarchy. Your application can instead pin to the certificate for the remote host to say that only that certificate and not the root certificate or any other in the chain is trusted. You can add the remote host's certificate or public key to your application during development, or the application can add the certificate or key when it first connects to the host.

We recommend that your application not pin an ACM Certificate. ACM performs managed renewal for Amazon-issued certificates, automatically renewing your Amazon-issued SSL/TLS certificates before they expire. To renew a certificate, ACM generates a new public-private key pair. If your application pins the ACM Certificate and the certificate is successfully renewed with a new public key, the application might be unable to connect to your domain.

If you decide to pin a certificate, the following options will not hinder your application from connecting to your domain: