Check a certificate's renewal status - AWS Certificate Manager

Check a certificate's renewal status

You can use the AWS Certificate Manager console, the ACM API, the AWS CLI, or the AWS Personal Health Dashboard to check the renewal status of an ACM certificate. If you use the console, AWS CLI, or ACM API, certificate renewal can have one of the four possible status values listed below. Similar values are displayed if you use the AWS Personal Health Dashboard.

Pending automatic renewal

ACM is attempting to automatically validate the domain names in the certificate. For more information, see Renewal for domains validated by DNS. No further action is required.

Pending validation

ACM couldn't automatically validate one or more domain names in the certificate. You must take action to validate these domain names or the certificate won't be renewed. If you originally used email validation for the certificate, look for an email from ACM and then follow the link in that email to perform the validation. If you used DNS validation, check to make sure your DNS record exists and that your certificate remains in use.

Success

All domain names in the certificate are validated, and ACM renewed the certificate. No further action is required.

Failed

One or more domain names were not validated before the certificate expired, and ACM did not renew the certificate. You can request a new certificate.

A certificate is eligible for renewal if it is associated with another AWS service, such as Elastic Load Balancing or CloudFront, or if it has been exported since being issued or last renewed.

Note

It can take up to several hours for changes to the certificate status to become available.

Check the status (console)

The following procedure describes how to use the ACM console to check the renewal status of an ACM certificate.

  1. Open the AWS Certificate Manager console at https://console.aws.amazon.com/acm/home.

  2. Expand a certificate to view its details.

  3. Find the Renewal Status in the Details section. If you don't see the status, ACM hasn't started the managed renewal process for this certificate.

Check the status (API)

For a Java example that shows how to use the DescribeCertificate action to check the status, see Describing a certificate.

Check the status (CLI)

The following example shows how to check the status of your ACM certificate renewal with the AWS Command Line Interface (AWS CLI).

$ aws acm describe-certificate --certificate-arn arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e

In the response, note the value in the RenewalStatus field. If you don't see the RenewalStatus field, ACM hasn't started the managed renewal process for your certificate.
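The following added example (not part of the AWS documentation) turns a describe-certificate response into a renewal triage summary, including the case where no renewal information is present yet. It assumes the response fields `RenewalSummary`, `RenewalStatus`, `DomainValidationOptions`, `ValidationStatus`, and `NotAfter`; the function names and the sample response are constructed for illustration.

```python
import json
import sys
from datetime import datetime, timezone

# Action per RenewalStatus value, following the status descriptions on this page.
ACTIONS = {
    "PENDING_AUTO_RENEWAL": "none: ACM is validating the domain names automatically",
    "PENDING_VALIDATION": "validate the listed domains (email link or DNS record)",
    "SUCCESS": "none: ACM renewed the certificate",
    "FAILED": "request a new certificate",
}

def parse_time(value):
    """NotAfter arrives as epoch seconds or an ISO 8601 string, depending on CLI settings."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def triage(response, now=None):
    """Summarize renewal state from a parsed describe-certificate response."""
    cert = response["Certificate"]
    now = now or datetime.now(timezone.utc)
    summary = cert.get("RenewalSummary")  # absent until managed renewal starts
    status = summary["RenewalStatus"] if summary else None
    action = (ACTIONS.get(status, "unrecognized status: check the console") if summary
              else "none yet: ACM has not started managed renewal")
    pending = [d["DomainName"]
               for d in (summary or {}).get("DomainValidationOptions", [])
               if d.get("ValidationStatus") != "SUCCESS"]
    days = (parse_time(cert["NotAfter"]) - now).days if "NotAfter" in cert else None
    return {"status": status, "action": action,
            "domains_to_validate": pending, "days_to_expiry": days}

# Constructed sample response (not real output).
SAMPLE = {"Certificate": {
    "NotAfter": "2030-03-01T12:00:00+00:00",
    "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION", "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationStatus": "SUCCESS"},
        {"DomainName": "www.example.com", "ValidationStatus": "PENDING_VALIDATION"}]},
}}

if __name__ == "__main__":
    data = SAMPLE
    if len(sys.argv) > 1:  # path to a saved describe-certificate JSON response
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    print(json.dumps(triage(data), indent=2))
```

To run it against a real certificate, save the output of the describe-certificate command above to a file and pass the file path as the first argument.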

Check the status using Personal Health Dashboard (PHD)

ACM attempts to automatically renew your ACM certificate 60 days prior to expiration. If ACM cannot automatically renew your certificate, it sends certificate renewal event notices to your AWS Personal Health Dashboard at 45-day, 30-day, 15-day, 7-day, 3-day, and 1-day intervals from expiration to inform you that you need to take action. The AWS Personal Health Dashboard is part of the AWS Health service. It requires no setup and can be viewed by any user who is authenticated in your account. For more information, see the AWS Health User Guide.

Note

ACM writes successive renewal event notices to a single event in your PHD time line. Each notice overwrites the previous one until the renewal succeeds.

To use the AWS Personal Health Dashboard:

  1. Log in to the AWS Personal Health Dashboard at https://phd.aws.amazon.com/phd/home#/.

  2. Choose Event log.

  3. For Filter by tags or attributes, choose Service.

  4. Choose Certificate Manager.

  5. Choose Apply.

  6. For Event category, choose Scheduled Change.

  7. Choose Apply.