Requesting a public certificate - AWS Certificate Manager

Requesting a public certificate

The following sections discuss how to use the ACM console or AWS CLI to request a public ACM certificate. After you request a public certificate, you must complete one of the procedures described in Validating domain ownership.

Public ACM certificates follow the X.509 standard and are subject to the following restrictions:

  • Names: You must use DNS-compliant subject names. For more information, see Domain Names.

  • Algorithm: For encryption, the certificate private key algorithm must be either 2048-bit RSA, 256-bit ECDSA, or 384-bit ECDSA.

  • Expiration: Each certificate is valid for 13 months (395 days).

  • Renewal: ACM attempts to renew a private certificate automatically after 11 months.

If you encounter problems when requesting a certificate, see Troubleshooting certificate requests.

To request a certificate for a private PKI using AWS Private CA, see Requesting a private PKI certificate.


Administrators can use ACM Conditional Key Policies to control how end users issue new certificates. These Conditional keys allow restrictions to be placed on domains, validation methods, and other attributes related to a certificate request.


Unless you choose to opt out, publicly trusted ACM certificates are automatically recorded in at least two certificate transparency databases. You cannot currently use the console to opt out. You must use the AWS CLI or the ACM API. For more information, see Opting out of certificate transparency logging. For general information about transparency logs, see Certificate Transparency Logging.

Request a public certificate using the console

To request an ACM public certificate (console)
  1. Sign in to the AWS Management Console and open the ACM console at

    Choose Request a certificate.

  2. In the Domain names section, type your domain name.

    You can use a fully qualified domain name (FQDN), such as, or a bare or apex domain name such as You can also use an asterisk (*) as a wild card in the leftmost position to protect several site names in the same domain. For example, * protects, and The wild-card name will appear in the Subject field and in the Subject Alternative Name extension of the ACM certificate.

    When you request a wild-card certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, * can protect, and, but it cannot protect Also note that * protects only the subdomains of, it does not protect the bare or apex domain ( To protect both, see the next step.


    In compliance with RFC 5280, the length of the domain name (technically, the Common Name) that you enter in this step cannot exceed 64 octets (characters), including periods. Each subsequent Subject Alternative Name (SAN) that you provide, as in the next step, can be up to 253 octets in length.

    To add another name, choose Add another name to this certificate and type the name in the text box. This is useful for protecting both a bare or apex domain (such as and its subdomains such as *

  3. In the Validation method section, choose either DNS validation – recommended or Email validation, depending on your needs.


    If you are able to edit your DNS configuration, we recommend that you use DNS domain validation rather than email validation. DNS validation has multiple benefits over email validation. See DNS validation.

    Before ACM issues a certificate, it validates that you own or control the domain names in your certificate request. You can use either email validation or DNS validation.

    If you choose email validation, ACM sends validation email to the domain that you specify in the domain name field. If you specify a validation domain, ACM sends the email to that validation domain instead. For more information about email validation, see Email validation.

    If you use DNS validation, you simply add a CNAME record provided by ACM to your DNS configuration. For more information about DNS validation, see DNS validation.

  4. In the Key algorithm section, chose one of the three available algorithms:

    • RSA 2048 (default)

    • ECDSA P 256

    • ECDSA P 384

    For information to help you choose an algorithm, see Key algorithms and the AWS blog post How to evaluate and use ECDSA certificates in AWS Certificate Manager.

  5. In the Tags page, you can optionally tag your certificate. Tags are key-value pairs that serve as metadata for identifying and organizing AWS resources. For a list of ACM tag parameters and for instructions on how to add tags to certificates after creation, see Tagging AWS Certificate Manager certificates.

    When you finish adding tags, choose Request.

  6. After the request is processed, the console returns you to your certificate list, where information about the new certificate is displayed.

    A certificate enters status Pending validation upon being requested, unless it fails for any of the reasons given in the troubleshooting topic Certificate request fails. ACM makes repeated attempts to validate a certificate for 72 hours and then times out. If a certificate shows status Failed or Validation timed out, delete the request, correct the issue with DNS validation or Email validation, and try again. If validation succeeds, the certificate enters status Issued.


    Depending on how you have ordered the list, a certificate you are looking for might not be immediately visible. You can click the black triangle at right to change the ordering. You can also navigate through multiple pages of certificates using the page numbers at upper-right.

Request a public certificate using the CLI

Use the request-certificate command to request a new public ACM certificate on the command line. Optional values for the validation method are DNS and EMAIL. Optional values for the key algorithm are RSA_2048 (the default if the parameter is not explicitly provided), EC_prime256v1, and EC_secp384r1.

aws acm request-certificate \ --domain-name \ --key-algorithm EC_Prime256v1 \ --validation-method DNS \ --idempotency-token 1234 \ --options CertificateTransparencyLoggingPreference=DISABLED

This command outputs the Amazon Resource Name (ARN) of your new public certificate.

{ "CertificateArn": "arn:aws:acm:Region:444455556666:certificate/certificate_ID" }