AWS Certificate Manager
User Guide (Version 1.0)

Manage ACM Certificates

After you have requested one or more certificates and AWS Certificate Manager has provided them, you can manage those certificates from the AWS Management Console or AWS CLI. You can also manage the certificates that you imported.

Manage ACM Certificates (Console)

You can use the ACM console to get information about or delete an ACM Certificate. For certificates provided by ACM, you can also have ACM resend the validation email.

Display ACM Certificate Information

Each of the ACM Certificates occupies a row in the console. By default, the following columns are displayed for each certificate:

  • Domain Name – The fully qualified domain name for the certificate.

  • Additional Names – Additional names that are supported by this certificate.

  • Status – Certificate status. This can be any of the following values:

    • Pending validation

    • Issued

    • Inactive

    • Expired

    • Revoked

    • Failed

    • Timed out

  • In Use? – Whether the ACM Certificate is actively associated with an AWS service such as Elastic Load Balancing or CloudFront. The value can be No or Yes.

Customize Console Display

You can select the columns that you want to display by choosing the gear icon ( ) in the upper right corner of the console. You can select from among the following columns.

          Certificate columns.

Display Certificate Metadata

To show ACM Certificate metadata, choose the arrow to the immediate left of the domain name. The console displays information similar to the following.

          Certificate columns.

Delete an ACM Certificate

In the list of certificates, select the check box for the ACM Certificate that you want to delete. For Actions, choose Delete.


You cannot delete an ACM Certificate that is being used by another AWS service. To delete a certificate that is in use, you must first remove the certificate association.

Resend Validation Email (ACM-provided Certificates)

You approve an ACM Certificate request by using a validation token that ACM sends to the authorized representative. However, because the validation email required for the approval process can be blocked by spam filters or lost in transit, the validation token automatically expires after 72 hours. If the registered representative does not receive the original email or the token has expired, you can request that the email be resent by selecting the check box for the ACM Certificate, choosing the Actions button, and then choosing Resend validation email. If the 72 hour period has passed and the certificate status has changed to Timed out, you cannot resend validation email.


The preceding information applies only to certificates provided by ACM. Validation email is not required for certificates that you imported into ACM.

Manage ACM Certificates (AWS CLI)

You can use the AWS CLI to get information about an issued certificate, delete a certificate, or resend validation email.

Retrieve ACM Certificate Fields

You can use the describe-certificate command to retrieve information about a certificate.

aws acm describe-certificate --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

Delete an ACM Certificate

You can use the delete-certificate command to delete a certificate.

aws acm delete-certificate --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

Resend Validation Email (ACM-provided Certificates)

You can use the resend-validation-email command to send validation email again.

aws acm resend-validation-email --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 --validation-domain


The resend-validation-email command applies only to certificates provided by ACM. Validation email is not required for certificates that you imported into ACM.