AWS Certificate Manager
User Guide (Version 1.0)

Managed Renewal for ACM's Amazon-Issued Certificates

ACM provides managed renewal for your Amazon-issued SSL/TLS certificates, which means that ACM tries to renew the certificates before they expire. If possible, ACM renews your certificates automatically with no action required from you. To increase the likelihood that ACM can renew your certificate automatically, see Configure Your Domain for Automatic Validation.

This feature is not available for imported certificates.

General Information about Managed Renewal

The following information applies to ACM's managed renewal for Amazon-issued SSL/TLS certificates.

Domain validation

Before renewing a certificate, ACM tries to automatically validate the domain names in the certificate. But in some cases, ACM needs you to take action to manually validate a domain. ACM renews a certificate only after all domain names in the certificate are validated, whether automatically or manually. For more information, see How Domain Validation Works.

Asynchronous process

ACM's managed renewal is an asynchronous process, which means that the steps don't occur in immediate succession. After all domain names in a certificate are validated, there might be a delay before ACM obtains the new certificate. An additional delay can occur between the time when ACM obtains the renewed certificate and the time when that certificate is deployed to the AWS resources that use it.

Certificate ARN

When ACM renews a certificate, the certificate's Amazon Resource Name (ARN) remains the same.

Certificates in multiple regions

ACM Certificates are regional resources. If you have certificates for the same domain name in multiple AWS Regions, ACM renews each of these certificates independently.

Certificate pinning

To renew a certificate, ACM generates a new public–private key pair for the certificate. If your application uses certificate pinning, also known as public key pinning, with ACM's Amazon-issued certificates, the application might refuse to connect to your domain after ACM renews the certificate. For this reason, we recommend that you don't use certificate pinning with ACM's Amazon-issued certificates. To use certificate pinning with ACM Certificates, you can do the following:

How Domain Validation Works

Before renewing a certificate, ACM tries to automatically validate each domain name in the certificate. For more information, see How Automatic Domain Validation Works.

If ACM can't automatically validate a domain name, ACM notifies you that you need to take action to manually validate it. For more information, see How Manual Domain Validation Works.

After all domain names in a certificate are validated, ACM renews the certificate.

How Automatic Domain Validation Works

To validate a domain, ACM sends automated, periodic HTTPS requests to the domain. For domains that start with www., ACM also sends HTTPS requests to the parent domain. For domains that don't start with www., ACM also sends HTTPS requests to www.domain. ACM treats wildcard domain names (for example, *.example.com) the same as the parent domain. For examples, see the following table.

Example domain names that ACM uses for automatic validation

Domain name in the certificate      Domain names that ACM uses for automatic validation
example.com                         example.com, www.example.com
www.example.com                     www.example.com, example.com
*.example.com                       example.com, www.example.com
subdomain.example.com               subdomain.example.com, www.subdomain.example.com
www.subdomain.example.com           www.subdomain.example.com, subdomain.example.com
*.subdomain.example.com             subdomain.example.com, www.subdomain.example.com

If ACM successfully establishes an HTTPS connection, ACM examines the certificate that is returned to ensure it matches the one that ACM is renewing. If the certificate matches, ACM considers the domain name validated.
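The following script is an added example, not part of the ACM guide or an AWS tool. It reproduces the probe-name rule from the table above (wildcard treated as the parent, www. and parent probed together) and lets you check, before the renewal window, whether each name ACM would probe serves the certificate being renewed. The expected SHA-256 fingerprint and the domain list are values you supply; the probe function is injectable so the logic can be exercised offline.

```python
"""Pre-check whether ACM's automatic renewal probes would succeed for your cert."""
import hashlib
import socket
import ssl


def acm_probe_names(domain):
    """Return the host names ACM probes for one domain name on the certificate.

    Mirrors the guide's table: a wildcard label is dropped (treated as the
    parent), a 'www.' name is probed together with its parent, and any other
    name is probed together with its 'www.' form.
    """
    name = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]                    # *.example.com -> example.com
    if name.startswith("www."):
        return [name, name[4:]]            # www.example.com, example.com
    return [name, "www." + name]           # example.com, www.example.com


def served_cert_fingerprint(host, port=443, timeout=5.0):
    """Open an HTTPS connection and return the SHA-256 fingerprint of the
    leaf certificate the server presents. Verification is disabled on
    purpose: we want the presented certificate even when it is the wrong
    one, so that a mismatch can be reported rather than hidden by an error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def check_renewal_readiness(cert_domains, expected_fingerprint,
                            probe=served_cert_fingerprint):
    """Probe every name ACM would use for each domain on the certificate and
    return {host: reason} for the names that would force manual validation:
    no HTTPS connection, or a served certificate other than the renewed one."""
    needs_manual = {}
    for domain in cert_domains:
        for host in acm_probe_names(domain):
            try:
                fingerprint = probe(host)
            except OSError as exc:         # ssl.SSLError is a subclass of OSError
                needs_manual[host] = "no HTTPS connection: %s" % exc
                continue
            if fingerprint != expected_fingerprint:
                needs_manual[host] = "served certificate is not the one being renewed"
    return needs_manual
```

Run check_renewal_readiness against the domain list of a real certificate with the fingerprint from the ACM console (hypothetical usage); an empty result means every probe name ACM would try answered with the right certificate.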

How Manual Domain Validation Works

If ACM is unable to automatically validate one or more domain names in a certificate, ACM notifies you that you need to take action to manually validate the domain. A domain can require manual validation for the following reasons:

  • ACM can't establish an HTTPS connection with the domain.

  • The certificate that is returned in the response to ACM's HTTPS requests doesn't match the one that ACM is renewing.

When your certificate is 45 days from expiration and one or more domain names in the certificate require manual validation, ACM notifies you in the following ways:

By email

ACM sends you a domain validation email for each domain name that requires manual validation. To ensure that you receive this email, configure email for your domain. The email contains information about the ACM certificate and the domain name that you need to validate. The email includes a link that you can follow to validate the domain name. This link expires after 72 hours. If necessary, you can use the AWS Certificate Manager console or the ACM API to request that ACM resend the domain validation email. For more information, see Request a Domain Validation Email for Certificate Renewal.

By notification in your AWS Personal Health Dashboard

ACM sends notifications to your AWS Personal Health Dashboard to let you know that a pending certificate renewal requires action from you. ACM sends these notifications when your certificate is 45 days, 30 days, 15 days, 7 days, 3 days, and 1 day from expiration and one or more domain names in the certificate require manual validation. These notifications are only informational; to manually validate a domain name, you must follow the link in the domain validation email.