AWS Certificate Manager
User Guide (Version 1.0)

Managed Renewal

By default, ACM automatically renews ACM Certificates that are being used by other AWS services, such as Elastic Load Balancing and CloudFront. Managed renewal makes configuring and maintaining SSL/TLS for a secure website or application easier and less error-prone than manual renewal processes. Managed renewal can help you avoid downtime due to misconfigured, revoked, or expired certificates. Further, managed renewal doesn't require you to install or maintain a software client or agent on your website. Instead, because ACM is integrated with other AWS services, you can centrally manage and deploy ACM Certificates on the AWS platform from the console, AWS CLI, or API of the integrated service. For a list of supported services, see Services Integrated with AWS Certificate Manager.

ACM attempts to perform automatic renewals on all ACM Certificates before they expire. If ACM is unable to do so, it falls back on alternate renewal methods such as sending validation email to domain registrants. Certificates that can be renewed automatically include those that are being used by AWS resources on a publicly accessible site. This includes certificates for bare domains such as

The following conditions must be met before an ACM Certificate can be renewed:

  • DNS must be configured to resolve all of the fully qualified domain names (FQDNs) included in the certificate to the AWS resource with which the certificate is associated. ACM checks that each FQDN in the certificate maps to an Amazon-controlled public IP address. ACM does not check DNS resolution for wildcard domain names such as *

  • The AWS resource must be configured so that AWS can make an SSL/TLS connection to it from the internet.

If an ACM Certificate cannot be automatically renewed, ACM sends email validation requests to the domain owner or to an authorized representative. The email contains instructions about how to renew the ACM Certificate.

ACM does not attempt to renew certificates that are not in use. To be considered in use, an ACM Certificate must be associated with an AWS service such as Elastic Load Balancing or CloudFront.

If an ACM Certificate is in use but cannot be publicly accessed by using the DNS name(s) in the certificate, ACM attempts to renew the certificate through email validation. If email validation fails, ACM notifies you by creating a support ticket that sends email to the address registered with your AWS account.

ACM begins the renewal process up to 60 days prior to the certificate’s expiration date. The validity period for certificates provided by ACM is currently 13 months.
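The two renewal prerequisites listed above (every non-wildcard FQDN resolves to a public address, and the resource accepts a TLS connection from the internet) and the 60-day renewal window are things an operator can pre-check before ACM tries to renew. The script below is an added example, not AWS code or an ACM API: it runs the same shape of checks from the outside, using the system resolver and a plain TLS handshake to port 443. It cannot tell whether an address is Amazon-controlled (only ACM can), so it approximates that condition by requiring the address to be globally routable; that approximation, the 443 port, and the sample inventory are all assumptions of this example. The check functions are injectable so the example runs offline against constructed data.

```python
"""Pre-flight check for ACM managed-renewal prerequisites (added example, not AWS code)."""
import ipaddress
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 60  # ACM starts renewal up to 60 days before expiry


def default_resolve(fqdn):
    """Resolve an FQDN to its IP addresses with the system resolver."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_tls_probe(fqdn, timeout=5.0):
    """Return True if a TLS handshake to fqdn:443 (with SNI) succeeds."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((fqdn, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn):
                return True
    except (OSError, ssl.SSLError):
        return False


def is_public_ip(ip):
    """Assumption: 'reachable by ACM' is approximated as 'globally routable'."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def check_renewal_prereqs(domain_names, not_after, now=None,
                          resolve=default_resolve, tls_probe=default_tls_probe):
    """Report, per FQDN, whether the DNS and TLS conditions hold, plus the expiry window."""
    now = now or datetime.now(timezone.utc)
    days_left = (not_after - now).days
    report = {
        "days_until_expiry": days_left,
        "in_renewal_window": days_left <= RENEWAL_WINDOW_DAYS,
        "fqdns": {},
        "skipped_wildcards": [],   # ACM does not check DNS resolution for wildcard names
        "eligible": True,
    }
    for name in domain_names:
        if name.startswith("*."):
            report["skipped_wildcards"].append(name)
            continue
        ips = resolve(name)
        dns_ok = bool(ips) and all(is_public_ip(ip) for ip in ips)
        tls_ok = tls_probe(name) if dns_ok else False  # no point probing an unresolvable name
        report["fqdns"][name] = {"ips": ips, "dns_ok": dns_ok, "tls_ok": tls_ok}
        if not (dns_ok and tls_ok):
            report["eligible"] = False
    return report


# Constructed sample inventory (hypothetical hosts and addresses, not real infrastructure).
SAMPLE_DNS = {
    "www.example.com": ["52.0.0.10"],   # constructed public address: reachable
    "api.example.com": ["10.0.0.5"],    # private address: ACM cannot connect
    "old.example.com": [],              # no DNS record at all
}
SAMPLE_TLS_UP = {"www.example.com"}     # only this host completes a TLS handshake


def demo():
    """Run the checker against the constructed inventory with a fixed clock."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    not_after = now + timedelta(days=45)  # inside the 60-day renewal window
    return check_renewal_prereqs(
        ["www.example.com", "api.example.com", "old.example.com", "*.example.com"],
        not_after, now=now,
        resolve=lambda fqdn: SAMPLE_DNS.get(fqdn, []),
        tls_probe=lambda fqdn: fqdn in SAMPLE_TLS_UP,
    )


if __name__ == "__main__":
    for fqdn, result in demo()["fqdns"].items():
        print(f"{fqdn}: dns_ok={result['dns_ok']} tls_ok={result['tls_ok']} ips={result['ips']}")
```

Run with the default resolver and probe against your own names to reproduce the DNS and TLS conditions from outside AWS; a name whose `dns_ok` is false because it resolves only to a private address is exactly the case in which ACM falls back to email validation, so it is worth catching well before the 60-day window opens.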

ACM generates a new key pair when renewing the ACM Certificate. AWS will issue a new certificate with a new key pair without changing other certificate fields.