Renewing certificates in a private PKI - AWS Certificate Manager

Renewing certificates in a private PKI

ACM certificates that were signed by a private CA from ACM Private CA are eligible for managed renewal. Unlike publicly trusted ACM certificates, a certificate for a private PKI requires no validation. Trust is established when an administrator installs the appropriate root CA certificate in client trust stores.


Only certificates obtained using the ACM console or the RequestCertificate action of the ACM API are eligible for managed renewal. Certificates issued directly from ACM Private CA using the IssueCertificate action of the PCA API are not managed by ACM.

When a certificate is 60 days away from expiration, ACM automatically attempts to renew it. This includes certificates that were exported and installed manually (for example, in an on-premises data center). Customers can also force renewal at any time using the RenewCertificate action of the ACM API. For a sample Java implementation of forced renewal, see Renewing a certificate.

After renewal, a certificate's deployment into service occurs in one of the following ways:

  • If the certificate is associated with an ACM integrated service, the new certificate replaces the old one without additional customer action.

  • If the certificate is not associated with an ACM integrated service, customer action is required to export and install the renewed certificate. You can perform these actions manually, or with assistance from AWS Health, Amazon EventBridge, and AWS Lambda as follows:

    1. Create a rule in EventBridge to listen for ACM health events. ACM writes to a health event each time it attempts to renew a certificate. For more information about these notices, see Check the status using Personal Health Dashboard (PHD).

    2. In the EventBridge rule, add a target to invoke Lambda.

    3. In the Lambda function, call the ExportCertificate action of the ACM API.

    4. Complete the renewal process by manually installing the certificate on the target system.