ACM Certificate Characteristics
AWS Certificate Manager manages ACM Certificates. These certificates have the following characteristics:
Domain Validation (DV)
ACM Certificates are domain validated. That is, the subject field of an ACM Certificate identifies a domain name and nothing more. Email is sent to the registered owner for each domain name in the request. The domain owner or an authorized representative can approve the certificate request by following the instructions in the email. For more information, see Validate Domain Ownership.
The validity period for ACM Certificates is currently 13 months.
Managed Renewal and Deployment
ACM managed renewal and deployment manages the process of renewing ACM Certificates and provisioning the certificates after they are renewed. Automatic renewal can help you avoid downtime due to misconfigured, revoked, or expired certificates. For more information, see Managed Renewal.
Browser and Application Trust
ACM Certificates are trusted by all major browsers including Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari. Browsers that trust ACM Certificates display a lock icon in their status bar or address bar when connected by SSL/TLS to sites that use ACM Certificates. ACM Certificates are also trusted by Java.
Multiple Domain Names
Each ACM Certificate must include at least one fully qualified domain name (FQDN), and you can add additional names if you want. For example, when you are creating an ACM Certificate for www.example.com, you can also add the name www.example.net if customers can reach your site by using either name. This is also true of bare domains (also known as the zone apex or naked domains). That is, you can request an ACM Certificate for www.example.com and add the name example.com. For more information, see Request a Certificate.
ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example,
When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com cannot protect test.login.example.com, because that name is two levels below example.com. Also note that *.example.com protects only the subdomains of example.com; it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects
Currently, ACM supports the RSA-2048 encryption and SHA-256 hashing algorithms.
Note the following:
ACM does not provide extended validation (EV) certificates or organization validation (OV) certificates.
ACM does not provide certificates for anything other than the SSL/TLS protocols.
You cannot use ACM Certificates for code signing or email encryption.
ACM allows only UTF-8 encoded ASCII for domain names, including labels that contain "xn--" (Punycode). ACM does not accept Unicode input (u-labels) for domain names.
ACM does not enable the use of third-party certificates with AWS services. You can, however, import third-party certificates by using AWS Identity and Access Management (IAM). For more information, see Managing Your Server Certificates.
ACM does not currently permit you to opt out of managed certificate renewal.
You cannot request certificates for Amazon-owned domain names such as those ending in amazonaws.com, cloudfront.net, or elasticbeanstalk.com.
You cannot download the private key for an ACM Certificate.
You cannot associate ACM Certificates with Amazon Elastic Compute Cloud (Amazon EC2) instances.
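To make the naming rules on this page concrete, the following is an added Python example; it is not part of the AWS documentation and not AWS code. `name_covers` applies the wildcard rules from the Multiple Domain Names section (the asterisk must be the entire leftmost label, it covers exactly one subdomain level, and it never covers the apex domain), and `check_request_name` applies the request restrictions from the list above (ASCII only, with Punycode "xn--" labels allowed; no Amazon-owned domains such as amazonaws.com). The function names, the label pattern and every sample name are assumptions constructed for this example.

```python
"""Name-coverage and request-name checks derived from the ACM rules on this page.

Constructed example, not AWS code. Rules encoded:
  * a wildcard's asterisk must be the whole leftmost label and covers one level;
  * a wildcard does not cover the bare (apex) domain;
  * domain names must be ASCII (Punycode "xn--" labels are fine, u-labels are not);
  * Amazon-owned domains listed on the page cannot be requested.
"""
import re

# Suffixes the page lists as Amazon-owned and therefore not requestable.
AMAZON_OWNED_SUFFIXES = ("amazonaws.com", "cloudfront.net", "elasticbeanstalk.com")

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
# (Assumed pattern; the page does not spell out label syntax.)
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _labels(name: str) -> list:
    """Lower-case, strip a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def name_covers(cert_name: str, hostname: str) -> bool:
    """True if one name from a certificate protects hostname.

    Matching is case-insensitive. A wildcard name matches only when the
    asterisk is the whole leftmost label and hostname has exactly one
    label in that position, so "*.example.com" covers "login.example.com"
    but neither "test.login.example.com" nor the apex "example.com".
    """
    cert_labels, host_labels = _labels(cert_name), _labels(hostname)
    if "*" not in cert_name:
        return cert_labels == host_labels
    # Reject "*example.com", "www.*.com" and "*.*.example.com" style names.
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    # Exactly one label replaces the asterisk: same length, identical suffix.
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name on the certificate (the SAN list) protects hostname."""
    return any(name_covers(n, hostname) for n in cert_names)


def check_request_name(name: str) -> list:
    """Return a list of problems with a name intended for an ACM request.

    An empty list means the name satisfies the rules stated on this page.
    """
    problems = []
    try:
        name.encode("ascii")
    except UnicodeEncodeError:
        # Unicode (u-label) input is not accepted; the page requires Punycode labels.
        return ["non-ASCII characters; use Punycode (xn--) labels instead"]
    labels = _labels(name)
    is_wildcard = labels[0] == "*"
    if len(labels) < 2:
        problems.append("not a fully qualified domain name")
    if "*" in name and (not is_wildcard or any("*" in lbl for lbl in labels[1:])):
        problems.append("asterisk must be the entire leftmost label")
    plain_labels = labels[1:] if is_wildcard else labels
    for lbl in plain_labels:
        if not LABEL_RE.match(lbl):
            problems.append("invalid label %r" % lbl)
    # The domain the wildcard hangs off (or the name itself) must not be Amazon-owned.
    base = ".".join(plain_labels)
    for suffix in AMAZON_OWNED_SUFFIXES:
        if base == suffix or base.endswith("." + suffix):
            problems.append("Amazon-owned domain %s cannot be requested" % suffix)
    return problems


if __name__ == "__main__":
    # Constructed sample: a certificate covering the apex and one subdomain level.
    san = ["example.com", "*.example.com"]
    for host in ("example.com", "www.example.com", "test.login.example.com"):
        print(host, "->", cert_covers(san, host))
    for candidate in ("*.example.com", "www.*.example.com", "api.amazonaws.com", "b\u00fccher.example"):
        print(candidate, "->", check_request_name(candidate) or "ok")
```

Use `cert_covers` with the certificate's full list of domain names when checking whether a hostname you serve is actually protected; use `check_request_name` on each name before submitting a request, since the page notes that a wildcard never covers the apex, so a request meant to protect both must list both names.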