ACM certificate characteristics - AWS Certificate Manager

ACM certificate characteristics

Public certificates provided by ACM have the characteristics described on this page.

These characteristics apply only to certificates provided by ACM. They might not apply to certificates that you import into ACM.

Domain Validation (DV)

ACM certificates are domain validated. That is, the subject field of an ACM certificate identifies a domain name and nothing more. When you request an ACM certificate, you must validate that you own or control all of the domains that you specify in your request. You can validate ownership by using email or DNS. For more information, see Email validation and DNS validation.

Validity Period

The validity period for ACM certificates is 13 months (395 days).

Managed Renewal and Deployment

ACM manages the process of renewing ACM certificates and provisioning the certificates after they are renewed. Automatic renewal can help you avoid downtime due to incorrectly configured, revoked, or expired certificates. For more information, see Managed renewal for ACM certificates.

Browser and Application Trust

ACM certificates are trusted by all major browsers including Google Chrome, Microsoft Internet Explorer and Microsoft Edge, Mozilla Firefox, and Apple Safari. Browsers that trust ACM certificates display a lock icon in their status bar or address bar when connected by SSL/TLS to sites that use ACM certificates. ACM certificates are also trusted by Java.

Multiple Domain Names

Each ACM certificate must include at least one fully qualified domain name (FQDN), and you can add additional names if you want. For example, when you are creating an ACM certificate for, you can also add the name if customers can reach your site by using either name. This is also true of bare domains (also known as the zone apex or naked domains). That is, you can request an ACM certificate for and add the name For more information, see Requesting a public certificate.

Wildcard Names

ACM allows you to use an asterisk (*) in the domain name to create an ACM certificate containing a wildcard name that can protect several sites in the same domain. For example, * protects and

When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, * can protect and, but it cannot protect Also note that * protects only the subdomains of, it does not protect the bare or apex domain ( However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects and *

A certificate must specify an algorithm and key size. Currently, the following public key algorithms are supported by ACM (API name in parentheses):

  • 1024-bit RSA (RSA_1024)

  • 2048-bit RSA (RSA_2048)

  • 3072-bit RSA (RSA_3072)

  • 4096-bit RSA (RSA_4096)

  • Elliptic Prime Curve 256 bit (EC_prime256v1)

  • Elliptic Prime Curve 384 bit (EC_secp384r1)

  • Elliptic Prime Curve 521 bit (EC_secp521r1)

Note that integrated services allow only algorithms and key sizes they support to be associated with their resources. Further, their support differs depending on whether the certificate is imported into IAM or into ACM. For more information, see the documentation for each service.

The following Punycode requirements relating to Internationalized Domain Names must be fulfilled:

  1. Domain names beginning with the pattern "<character><character>--" must match "xn--".

  2. Domain names beginning with "xn--" must also be valid Internationalized Domain Names.

Punycode examples

Domain Name | Fulfills #1 | Fulfills #2
            | Does not start with "<character><character>--" |
            | Does not start with "<character><character>--" |
            | Does not start with "<character><character>--" |
            | | Valid Internationalized Domain Name (resolves to 简.com)
            | | Not a valid Internationalized Domain Name
            | Must start with "xn--" |
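As an added illustration of the two Punycode requirements above (this is not ACM's own validation code), the following Python applies them label by label. It uses Python's standard idna codec, which decodes an "xn--" label and rejects it when the result does not round-trip, as the test for requirement #2; the label and domain inputs in the comments are constructed.

```python
import re

# One DNS label: letters, digits and hyphens, 1 to 63 characters (the LDH rule).
LDH_LABEL = re.compile(r"^[a-z0-9-]{1,63}$")


def check_punycode_label(label: str) -> tuple[bool, str]:
    """Apply ACM's two Punycode rules to a single DNS label.

    Returns (accepted, reason). Added example, not ACM's implementation.
    """
    label = label.lower()
    if not LDH_LABEL.match(label):
        return False, "not a letter-digit-hyphen label"
    # Rule 1: a label of the form "<character><character>--..." must begin with "xn--".
    if label[2:4] == "--" and not label.startswith("xn--"):
        return False, 'must start with "xn--"'
    if not label.startswith("xn--"):
        # Rule 1 does not apply and rule 2 only covers "xn--" labels, so it is accepted.
        return True, 'does not start with "<character><character>--"'
    # Rule 2: an "xn--" label must decode to a valid Internationalized Domain Name.
    # The idna codec strips the prefix, decodes the Punycode, re-encodes the result and
    # raises if the label does not round-trip (for example "xn--example").
    try:
        decoded = label.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return False, "not a valid Internationalized Domain Name"
    return True, f"valid Internationalized Domain Name (resolves to {decoded})"


def check_domain(domain: str) -> tuple[bool, list[str]]:
    """Check every label of a domain such as "ab--example.com"; a leading wildcard label is skipped."""
    labels = domain.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    ok = True
    reasons = []
    for label in labels:
        accepted, reason = check_punycode_label(label)
        ok = ok and accepted
        reasons.append(f"{label}: {reason}")
    return ok, reasons
```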

Note the following:

  • ACM does not provide extended validation (EV) certificates or organization validation (OV) certificates.

  • ACM does not provide certificates for anything other than the SSL/TLS protocols.

  • You cannot use ACM certificates for email encryption.

  • ACM does not currently permit you to opt out of managed certificate renewal for ACM certificates. Also, managed renewal is not available for certificates that you import into ACM.

  • You cannot request certificates for Amazon-owned domain names such as those ending in,, or

  • You cannot download the private key for an ACM certificate.

  • You cannot directly install ACM certificates on your Amazon Elastic Compute Cloud (Amazon EC2) website or application. You can, however, use your certificate with any integrated service. For more information, see Services integrated with AWS Certificate Manager.