Managed certificate renewal in AWS Certificate Manager
ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This means that ACM will either renew your certificates automatically (if you are using DNS validation), or it will send you email notices when expiration is approaching. These services are provided for both public and private ACM certificates.
A certificate is eligible for automatic renewal subject to the following considerations:
- ELIGIBLE if associated with another AWS service, such as Elastic Load Balancing or CloudFront.
- ELIGIBLE if exported since being issued or last renewed.
- ELIGIBLE if it is a private certificate issued by calling the ACM RequestCertificate API and then exported or associated with another AWS service.
- ELIGIBLE if it is a private certificate issued through the management console and then exported or associated with another AWS service.
- NOT ELIGIBLE if it is a private certificate issued by calling the AWS Private CA IssueCertificate API.
- NOT ELIGIBLE if imported.
- NOT ELIGIBLE if already expired.
Additionally, the following Punycode
1. Domain names beginning with the pattern "<character><character>--" must match "xn--".
2. Domain names beginning with "xn--" must also be valid Internationalized Domain Names.
Punycode examples

| Domain Name | Fulfills #1 | Fulfills #2 | Allowed | Note |
|---|---|---|---|---|
| example.com | n/a | n/a | ✓ | Does not start with "<character><character>--" |
| a--example.com | n/a | n/a | ✓ | Does not start with "<character><character>--" |
| abc--example.com | n/a | n/a | ✓ | Does not start with "<character><character>--" |
| xn--xyz.com | Yes | Yes | ✓ | Valid Internationalized Domain Name (resolves to 简.com) |
| xn--example.com | Yes | No | ✗ | Not a valid Internationalized Domain Name |
| ab--example.com | No | No | ✗ | Must start with "xn--" |
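
The two Punycode rules and the example table above can be checked before a certificate request or renewal. The following is an added example, not AWS code: it assumes Python's standard-library IDNA 2003 round-trip (`encodings.idna.ToUnicode`) as the validity test for rule 2 and applies rule 1 to every DNS label, since ACM's own validation logic is not given on this page. The function names are hypothetical.

```python
from encodings import idna  # stdlib IDNA 2003 codec (assumed validity test, not ACM's)

# Constructed sample input: the domain names from the "Punycode examples" table.
SAMPLES = ["example.com", "a--example.com", "abc--example.com",
           "xn--xyz.com", "xn--example.com", "ab--example.com"]


def check_label(label):
    """Return (allowed, note) for one DNS label (hypothetical helper)."""
    lowered = label.lower()
    if not lowered.startswith("xn--"):
        # Rule 1: any other "<character><character>--" prefix is rejected.
        if lowered[2:4] == "--":
            return False, 'Must start with "xn--"'
        return True, 'Does not start with "<character><character>--"'
    # Rule 2: an "xn--" label must decode from Punycode and re-encode to the
    # same ASCII form; ToUnicode raises UnicodeError when it does not.
    try:
        decoded = idna.ToUnicode(lowered)
    except UnicodeError:
        return False, "Not a valid Internationalized Domain Name"
    return True, "Valid Internationalized Domain Name (" + decoded + ")"


def check_domain(name):
    """Return (allowed, note); the note is from the first rejected label."""
    results = [check_label(label) for label in name.rstrip(".").split(".")]
    for allowed, note in results:
        if not allowed:
            return False, note
    return True, results[0][1]


if __name__ == "__main__":
    for name in SAMPLES:
        allowed, note = check_domain(name)
        print(f"{name:20} {'allowed' if allowed else 'rejected':9} {note}")
```

Note that `xn--example` decodes as Punycode without error; it is rejected because the decoded text does not re-encode to the same label, which is why a decode-only check is not sufficient for rule 2.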
When ACM renews a certificate, the certificate's Amazon Resource Name (ARN) remains the same. Also, ACM certificates are regional resources. If you have certificates for the same domain name in multiple AWS Regions, each of these certificates must be renewed independently.