ACME endpoints
An ACME endpoint is a customer-specific, managed ACME server with a unique URL. Each endpoint is configured to issue certificates from a specific Certificate Authority. When you create an endpoint, ACM provisions an RFC 8555-compliant ACME server that your ACME clients can connect to.
Endpoint directory URL
When you create an ACME endpoint, ACM assigns it a unique ACME
directory URL. You provide this URL to your ACME clients so they can connect to
the endpoint. Retrieve the directory URL from the endpoint details in the console, or
from the EndpointUrl field returned by
DescribeAcmeEndpoint. The directory URL has the following form:
https://acm-acme-enroll.region.api.aws/00000000-0000-0000-0000-000000000000/directory
Endpoint configuration
When you create an ACME endpoint, you configure the following settings. For ACME quotas, see Quotas.

AuthorizationBehavior - PRE_APPROVED
    Domain validation is handled by pre-configured domain validation resources rather than live ACME challenges.

Contact - REQUIRED or NOT_REQUIRED
    Specifies whether ACME clients must provide contact information when they register an account with the endpoint. In the console, this setting is Account email registration. By default, an ACME account contains no identifying information. The contact field is an email address that a client can supply during account registration to associate the account with an identity. Setting Contact to REQUIRED lets a PKI administrator enforce that the endpoint only accepts account registrations that include contact information and rejects registrations that omit it. Registered contact information is purely informational and is used by the PKI administrator to manage ACME accounts; it is not an authentication control, so do not rely on it to decide who may obtain certificates.

CertificateAuthority - PublicCertificateAuthority
    Opts the endpoint in to issuing publicly trusted (web PKI) certificates from Amazon Trust Services. You do not specify a particular CA; this field declares that the endpoint is associated with public certificate issuance.

AllowedKeyAlgorithms - RSA_2048, EC_prime256v1, EC_secp384r1
    Adds an enforcement layer to the endpoint. If a certificate request contains a public key whose algorithm does not match one of the allowed algorithms, the endpoint rejects the request. When you don't set AllowedKeyAlgorithms, the endpoint applies no key algorithm enforcement, so set it explicitly if you want to prevent clients from enrolling with a key type your policy does not permit. In the console, these algorithms appear as Certificate key types: EC_prime256v1 is ECDSA P-256, RSA_2048 is RSA 2048, and EC_secp384r1 is ECDSA P-384.

CertificateTags
    Tags that ACM automatically attaches to every certificate issued through this endpoint. Use certificate tags to organize certificates, track costs, or control access to certificates issued through ACME. In the console, these appear as Certificate tags, separate from the Tags applied to the endpoint resource itself.
Endpoint status lifecycle
An ACME endpoint transitions through the following statuses:

ACTIVE
    The endpoint is operational and can accept ACME requests.

DELETING
    The endpoint is being deleted.

FAILED
    Endpoint creation failed. Check the FailureReason field for details.
Creating an ACME endpoint
You can create an ACME endpoint by using the ACM console or the AWS CLI.
To create an endpoint (console)
- Sign in to the AWS Management Console and open the ACM console.
- In the left navigation pane, under ACME, choose Endpoints.
- Choose Create ACME endpoint.
- For Endpoint name, enter a name for the endpoint. The name is stored as a tag on the endpoint, and you can change it later.
- Note that Endpoint type is Public. ACME clients connect to the endpoint over the internet by using HTTPS.
- (Optional) Under Account email registration, select Enable contact information during ACME account registration to require ACME clients to provide a contact email address when they register an account.
- Note that Certificate type is Public. The endpoint issues publicly trusted certificates from Amazon Trust Services.
- For Certificate key types, select at least one key algorithm: ECDSA P-256 (default), RSA 2048, or ECDSA P-384.
- (Optional) Under Domains, add one or more domains to validate for this endpoint. You can also add domains later from the endpoint details page. For more information, see ACME domain validation.
- (Optional) Under Tags, add tags to the endpoint.
- (Optional) Under Certificate tags, add tags that ACM automatically attaches to every certificate issued through this endpoint.
- Choose Create ACME endpoint.
After the endpoint status changes to ACTIVE, retrieve the endpoint's
directory URL and provide it to your ACME clients.
To create an endpoint (AWS CLI)
Run the following command to create an ACME endpoint:

aws acm create-acme-endpoint \
    --authorization-behavior PRE_APPROVED \
    --contact REQUIRED \
    --certificate-authority '{
        "PublicCertificateAuthority": {
            "AllowedKeyAlgorithms": ["RSA_2048", "EC_prime256v1", "EC_secp384r1"]
        }
    }'

The response includes the AcmeEndpointArn:

{
    "AcmeEndpointArn": "arn:aws:acm:region:111122223333:acme-endpoint/00000000-0000-0000-0000-000000000000"
}
To retrieve the endpoint URL and configuration, run the following command:

aws acm describe-acme-endpoint \
    --acme-endpoint-arn arn:aws:acm:region:111122223333:acme-endpoint/00000000-0000-0000-0000-000000000000

The following shows an example response. The EndpointUrl is the ACME directory URL that you provide to your ACME clients.

{
    "AcmeEndpoint": {
        "AcmeEndpointArn": "arn:aws:acm:region:111122223333:acme-endpoint/00000000-0000-0000-0000-000000000000",
        "EndpointUrl": "https://acm-acme-enroll.region.api.aws/00000000-0000-0000-0000-000000000000/directory",
        "Status": "ACTIVE",
        "AuthorizationBehavior": "PRE_APPROVED",
        "Contact": "REQUIRED",
        "CertificateAuthority": {
            "PublicCertificateAuthority": {
                "AllowedKeyAlgorithms": [
                    "RSA_2048",
                    "EC_prime256v1",
                    "EC_secp384r1"
                ]
            }
        },
        "CreatedAt": "2026-06-18T20:35:06.331000-04:00",
        "UpdatedAt": "2026-06-18T20:35:06.331000-04:00"
    }
}
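The following is an added example, not code from ACM or the AWS CLI, showing how a client operator can turn the DescribeAcmeEndpoint output above into a consistent ACME client configuration: it validates the directory URL against its documented form, reads the Contact and AllowedKeyAlgorithms settings, reports ahead of time the conditions under which the endpoint would reject a registration or certificate request (missing contact email, disallowed key algorithm, endpoint not ACTIVE), and emits certbot arguments. The sample input is the response shown on this page; the mapping to certbot flags (--server, --key-type, --rsa-key-size, --elliptic-curve, --email, --register-unsafely-without-email) assumes current certbot flag names, so confirm them against the certbot version you deploy. Only the Python standard library is used.

```python
"""Turn an ACM ACME endpoint description into ACME client settings and check a
proposed client configuration against the endpoint's policy (stdlib only)."""
import json
import re
from dataclasses import dataclass, field

# Constructed sample input: the DescribeAcmeEndpoint response from the docs.
DESCRIBE_OUTPUT = json.loads("""{
  "AcmeEndpoint": {
    "AcmeEndpointArn": "arn:aws:acm:region:111122223333:acme-endpoint/00000000-0000-0000-0000-000000000000",
    "EndpointUrl": "https://acm-acme-enroll.region.api.aws/00000000-0000-0000-0000-000000000000/directory",
    "Status": "ACTIVE",
    "AuthorizationBehavior": "PRE_APPROVED",
    "Contact": "REQUIRED",
    "CertificateAuthority": {
      "PublicCertificateAuthority": {
        "AllowedKeyAlgorithms": ["RSA_2048", "EC_prime256v1", "EC_secp384r1"]
      }
    }
  }
}""")

# Documented form of the directory URL: fixed host, endpoint UUID, /directory.
DIRECTORY_URL_RE = re.compile(
    r"^https://acm-acme-enroll\.(?P<region>[a-z0-9-]+)\.api\.aws/"
    r"(?P<endpoint_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/directory$"
)

# ACM AllowedKeyAlgorithms value -> (certbot --key-type, RSA size, EC curve).
# certbot flag spellings are an assumption; check them against your version.
KEY_ALGORITHMS = {
    "RSA_2048": ("rsa", 2048, None),
    "EC_prime256v1": ("ecdsa", None, "secp256r1"),
    "EC_secp384r1": ("ecdsa", None, "secp384r1"),
}


@dataclass
class EndpointPolicy:
    directory_url: str
    status: str
    authorization_behavior: str
    contact_required: bool
    # Empty set means the endpoint applies no key algorithm enforcement.
    allowed_key_algorithms: frozenset = field(default_factory=frozenset)


def parse_directory_url(url: str) -> dict:
    """Validate a directory URL against the documented form; return its parts."""
    m = DIRECTORY_URL_RE.match(url)
    if not m:
        raise ValueError(f"not an ACM ACME directory URL: {url!r}")
    return m.groupdict()


def endpoint_policy(describe_output: dict) -> EndpointPolicy:
    """Extract the client-relevant settings from DescribeAcmeEndpoint output."""
    ep = describe_output["AcmeEndpoint"]
    parse_directory_url(ep["EndpointUrl"])  # fail early on an unexpected URL
    ca = ep.get("CertificateAuthority", {}).get("PublicCertificateAuthority", {})
    return EndpointPolicy(
        directory_url=ep["EndpointUrl"],
        status=ep["Status"],
        authorization_behavior=ep["AuthorizationBehavior"],
        contact_required=ep.get("Contact") == "REQUIRED",
        allowed_key_algorithms=frozenset(ca.get("AllowedKeyAlgorithms") or ()),
    )


def check_client_config(policy, key_algorithm, contact_email=None) -> list:
    """Return the reasons the endpoint would reject this client setup (empty = OK)."""
    problems = []
    if policy.status != "ACTIVE":
        problems.append(f"endpoint status is {policy.status}, not ACTIVE")
    if key_algorithm not in KEY_ALGORITHMS:
        problems.append(f"unknown key algorithm {key_algorithm!r}")
    elif policy.allowed_key_algorithms and key_algorithm not in policy.allowed_key_algorithms:
        problems.append(f"{key_algorithm} is not in AllowedKeyAlgorithms "
                        f"{sorted(policy.allowed_key_algorithms)}")
    if policy.contact_required and not contact_email:
        problems.append("endpoint requires a contact email at account registration")
    return problems


def certbot_args(policy, key_algorithm, contact_email=None) -> list:
    """Build certbot arguments that satisfy the endpoint policy, or raise."""
    problems = check_client_config(policy, key_algorithm, contact_email)
    if problems:
        raise ValueError("; ".join(problems))
    key_type, rsa_size, curve = KEY_ALGORITHMS[key_algorithm]
    args = ["--server", policy.directory_url, "--key-type", key_type]
    args += ["--rsa-key-size", str(rsa_size)] if rsa_size else ["--elliptic-curve", curve]
    args += ["--email", contact_email] if contact_email else ["--register-unsafely-without-email"]
    return args


if __name__ == "__main__":
    pol = endpoint_policy(DESCRIBE_OUTPUT)
    print(" ".join(certbot_args(pol, "EC_prime256v1", "pki-admin@example.com")))
    print(check_client_config(pol, "EC_secp521r1"))  # two problems on this endpoint
```

Running the check before enrollment turns a rejected order or registration into an actionable message instead of an ACME error; keep the policy in sync by re-running describe-acme-endpoint after any update-acme-endpoint change, since AllowedKeyAlgorithms and Contact can be modified in place.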
Managing ACME endpoints
You can perform the following management operations on ACME endpoints:

Describe
    View endpoint details including status and configuration.

List
    View all ACME endpoints in your account.

Update
    Modify authorization behavior, contact requirements, or certificate authority settings.

Delete
    Remove an endpoint. Deleting an endpoint also deletes its external account binding and domain validation resources, along with any ACME accounts registered with the endpoint.
Monitoring ACME endpoints
You can monitor ACME endpoint activity and certificate issuance through the ACM console and Amazon CloudWatch.
Console monitoring tab
In the ACM console, select an ACME endpoint and choose the
Monitoring tab to view issuance metrics for that endpoint. The
monitoring tab displays graphs for CertificateIssuanceSuccess and
CertificateIssuanceFailed metrics over time.
Certificates dashboard
The ACM console Certificates dashboard provides an overview of all certificates in your account, including ACME-issued certificates. Use the dashboard to track certificate counts, expiration timelines, and renewal status across your inventory.
CloudWatch metrics
ACM publishes the following metrics to the AWS/CertificateManager namespace for each ACME endpoint:

- CertificateIssuanceSuccess – Count of certificates successfully issued through the endpoint.
- CertificateIssuanceFailed – Count of failed issuance attempts for the endpoint.

Both metrics use the AcmeEndpointArn dimension. You can create CloudWatch alarms on these metrics to be notified of issuance failures. For more information, see Supported CloudWatch metrics.
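As an added example (not ACM's or CloudWatch's own code), the following builds a CloudWatch alarm on CertificateIssuanceFailed for one endpoint, keyed on the AcmeEndpointArn dimension in the AWS/CertificateManager namespace, and applies the alarm's rule to sample per-period sums so the choice of TreatMissingData can be checked offline. The parameter names are those of the CloudWatch PutMetricAlarm API as exposed by boto3's put_metric_alarm; the SNS topic ARN and endpoint ARN are placeholders, the evaluation helper is a simplified emulation of CloudWatch's "all M of M datapoints breaching" rule for the single operator used here, and boto3 is imported only inside create_alarm so the rest runs without AWS access.

```python
"""Alarm on failed ACME issuance for one ACM ACME endpoint.

issuance_failure_alarm() returns the PutMetricAlarm parameters as a dict so they
can be reviewed and tested; create_alarm() is the only part that needs boto3 and
credentials. would_alarm() emulates the evaluation rule against sample data.
"""

NAMESPACE = "AWS/CertificateManager"
FAILED_METRIC = "CertificateIssuanceFailed"
DIMENSION_NAME = "AcmeEndpointArn"


def acme_endpoint_id(endpoint_arn: str) -> str:
    """Return the endpoint UUID from an ARN of the form ...:acme-endpoint/<uuid>."""
    if ":acme-endpoint/" not in endpoint_arn:
        raise ValueError(f"not an ACME endpoint ARN: {endpoint_arn!r}")
    return endpoint_arn.rsplit("/", 1)[1]


def issuance_failure_alarm(endpoint_arn: str, sns_topic_arn: str = None,
                           threshold: int = 1, period: int = 300,
                           evaluation_periods: int = 1) -> dict:
    """Build PutMetricAlarm parameters for failed issuance on one endpoint."""
    params = {
        "AlarmName": f"acme-issuance-failed-{acme_endpoint_id(endpoint_arn)}",
        "AlarmDescription": f"ACME certificate issuance failures on {endpoint_arn}",
        "Namespace": NAMESPACE,
        "MetricName": FAILED_METRIC,
        # The metric is published per endpoint under this single dimension.
        "Dimensions": [{"Name": DIMENSION_NAME, "Value": endpoint_arn}],
        "Statistic": "Sum",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        # A period with no datapoint means no issuance was attempted, which is
        # not a failure; "breaching" here would page on every idle endpoint.
        "TreatMissingData": "notBreaching",
    }
    if sns_topic_arn:
        params["AlarmActions"] = [sns_topic_arn]
    return params


def would_alarm(params: dict, period_sums: list) -> bool:
    """Apply the alarm rule to per-period Sum values (None = no datapoint).

    Simplified emulation: the alarm fires when the last EvaluationPeriods
    periods are all breaching; handles only GreaterThanOrEqualToThreshold.
    """
    n = params["EvaluationPeriods"]
    if len(period_sums) < n:
        return False

    def breaching(value):
        if value is None:
            return params["TreatMissingData"] == "breaching"
        return value >= params["Threshold"]

    return all(breaching(v) for v in period_sums[-n:])


def create_alarm(params: dict) -> None:
    """Create the alarm in the caller's account/region (needs boto3 + credentials)."""
    import boto3  # imported lazily so the builder works without boto3 installed
    boto3.client("cloudwatch").put_metric_alarm(**params)


if __name__ == "__main__":
    # Placeholder ARNs, constructed for illustration.
    endpoint = "arn:aws:acm:us-east-1:111122223333:acme-endpoint/00000000-0000-0000-0000-000000000000"
    topic = "arn:aws:sns:us-east-1:111122223333:pki-alerts"
    alarm = issuance_failure_alarm(endpoint, topic)
    print(alarm["AlarmName"], would_alarm(alarm, [0, None, 2]))
    # create_alarm(alarm)  # uncomment to create it for real
```

Pair this with an alarm on CertificateIssuanceSuccess dropping to zero over a longer window if the endpoint is expected to issue continuously; a spike in failures alone does not catch a client fleet that has silently stopped renewing.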