Amazon Web Services adds ACME support to Certificate Manager
Wed, 1st Jul 2026
Amazon Web Services has added ACME support for public certificates in AWS Certificate Manager, allowing customers to issue and renew public TLS certificates through the standard ACME protocol.
The addition comes as certificate validity periods are set to shorten under CA/Browser Forum rules, with the maximum validity due to fall to 100 days and then 47 days.
ACME, or Automatic Certificate Management Environment, is an open protocol used to request, renew, and revoke TLS certificates without manual intervention. It is widely used across web infrastructure and supported by clients including Certbot, cert-manager for Kubernetes, and acme.sh.
Customers can now use any ACMEv2-compatible client with a managed ACME server endpoint in AWS Certificate Manager. Public certificates are issued through Amazon Trust Services.
Until now, organisations that wanted to automate certificate management with ACME often used external certificate authorities alongside AWS Certificate Manager. That left some certificates visible in ACM while others were managed elsewhere, splitting oversight and policy controls across separate systems.
The new feature is intended to centralise that work in ACM. PKI teams can create one or more ACME endpoints, set domain restrictions at the endpoint level, and decide which domains each client may request certificates for.
AWS is also tying those controls to its identity and monitoring services. IAM roles can be bound to ACME accounts through External Account Binding, while AWS CloudTrail logs certificate requests and Amazon CloudWatch tracks operational metrics. ACM also sends expiry notifications for certificates nearing renewal.
How it works
Setup begins with the creation of a dedicated ACME endpoint for public certificates. Administrators then validate the domains that endpoint is allowed to issue certificates for and create External Account Binding credentials for the ACME client.
That structure separates domain validation from certificate requests. In practice, a PKI administrator validates a domain once at the endpoint level, while application owners use the ACME client to request certificates without handling DNS credentials themselves.
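The External Account Binding step is what ties an ACME account key to an identity the PKI team has already vetted. The example below is added here to show the mechanics as defined in RFC 8555 section 7.3.4; it is not AWS code and makes no claim about how ACM implements the check internally. The endpoint URL, the key identifier, the MAC key, the account JWK and the IAM role ARN are all constructed placeholders. The client side signs its own account public key with the MAC key it was handed; the server side recomputes the MAC, confirms the bound key is the same key signing the outer newAccount request, and only then associates the account with the principal behind that key identifier.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canon(obj) -> bytes:
    """Canonical JSON so the same JWK always serialises to the same bytes."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_eab(kid: str, mac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side (RFC 8555 7.3.4): HS256 JWS over the account's public JWK.

    The protected header carries the CA-issued key identifier and the
    newAccount URL; the MAC key is the base64url-decoded secret the CA issued.
    """
    protected = b64url(_canon({"alg": "HS256", "kid": kid, "url": new_account_url}))
    payload = b64url(_canon(account_jwk))
    key = b64url_decode(mac_key_b64url)
    sig = hmac.new(key, f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}


def verify_eab(eab: dict, outer_jwk: dict, request_url: str, registry: dict) -> Optional[str]:
    """Server side: return the principal bound to the kid, or None if the binding fails.

    registry maps kid -> (mac_key_b64url, principal). outer_jwk is the key that
    signed the enclosing newAccount request; it must equal the key inside the EAB.
    """
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return None
    if header.get("alg") != "HS256" or header.get("url") != request_url:
        return None
    entry = registry.get(header.get("kid"))
    if entry is None:
        return None
    mac_key_b64url, principal = entry
    expected = hmac.new(
        b64url_decode(mac_key_b64url),
        f"{eab['protected']}.{eab['payload']}".encode(),
        hashlib.sha256,
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # The bound JWK must be the very key signing the outer request; otherwise a
    # leaked MAC could be used to bless an unrelated account key.
    if _canon(bound_jwk) != _canon(outer_jwk):
        return None
    return principal


# Constructed sample values; none of these are real endpoints, keys or ARNs.
NEW_ACCOUNT_URL = "https://acme-endpoint.example.invalid/new-account"
MAC_KEY = b64url(b"constructed MAC key, not a real secret")
REGISTRY = {"eab-kid-constructed": (MAC_KEY, "arn:aws:iam::123456789012:role/WebAppCertRequester")}
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x", "y": "other-y"}


def demo() -> dict:
    """Run the honest case and two failure cases the server must reject."""
    good = build_eab("eab-kid-constructed", MAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    wrong_mac = build_eab("eab-kid-constructed", b64url(b"wrong key"), ACCOUNT_JWK, NEW_ACCOUNT_URL)
    return {
        "valid": verify_eab(good, ACCOUNT_JWK, NEW_ACCOUNT_URL, REGISTRY),
        # Same EAB presented with a different outer account key: binding broken.
        "swapped_key": verify_eab(good, OTHER_JWK, NEW_ACCOUNT_URL, REGISTRY),
        "wrong_mac": verify_eab(wrong_mac, ACCOUNT_JWK, NEW_ACCOUNT_URL, REGISTRY),
    }


if __name__ == "__main__":
    print(demo())
```

In practice an ACME client takes the two values from the CA as parameters (Certbot, for instance, exposes them as --eab-kid and --eab-hmac-key) and signs with its real account key; the constructed JWK above stands in for that key only so the example runs offline. The point worth keeping from the server side is the last check: verifying the MAC alone is not enough, the key inside the binding must match the key that signed the request.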
This allows organisations to extend certificate automation across teams without distributing DNS keys. Domain scope can also be limited so an endpoint allows only exact domain names, subdomains, or wildcard certificates, depending on internal policy.
When a domain is hosted in Route 53, ACM can automatically create the DNS CNAME records used for validation. If the domain is managed by another DNS provider, the records must be created manually.
Administrators can also limit which key types clients may request. Supported options include ECDSA P-256, RSA 2048, and ECDSA P-384.
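Taken together, the domain scope and key-type restrictions described above amount to a per-endpoint policy that the ACME server evaluates when a client places an order, before any challenge is issued. The following is an added example of such an evaluator, not AWS code: it models the three scope options named in the article (exact names, subdomains, wildcards) and the three key types, using a simplified rule set and key-type labels of its own; the validated domain, the order identifiers and the policy itself are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class DomainScope:
    """What one validated domain on an endpoint permits (simplified model)."""
    domain: str            # validated once by the PKI team, e.g. "example.com"
    exact: bool = True     # allow "example.com" itself
    subdomains: bool = False  # allow "api.example.com", "a.b.example.com"
    wildcard: bool = False    # allow "*.example.com"


@dataclass(frozen=True)
class EndpointPolicy:
    scopes: Tuple[DomainScope, ...]
    allowed_key_types: FrozenSet[str]   # labels are this example's own, not ACM's


def _normalise(name: str) -> str:
    return name.lower().rstrip(".")


def scope_permits(scope: DomainScope, name: str) -> bool:
    """Decide whether a single requested identifier falls inside one scope."""
    name = _normalise(name)
    base = _normalise(scope.domain)
    if name.startswith("*."):
        rest = name[2:]
        if not scope.wildcard:
            return False
        # "*.example.com" needs wildcard; "*.api.example.com" also needs subdomains.
        return rest == base or (scope.subdomains and rest.endswith("." + base))
    if name == base:
        return scope.exact
    if name.endswith("." + base):
        return scope.subdomains
    return False


def evaluate_order(policy: EndpointPolicy, identifiers: List[str], key_type: str) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every identifier and the key type must pass."""
    reasons: List[str] = []
    if key_type not in policy.allowed_key_types:
        reasons.append(f"key type {key_type!r} not permitted on this endpoint")
    for ident in identifiers:
        if "*" in ident[1:] or (ident.startswith("*") and not ident.startswith("*.")):
            reasons.append(f"malformed wildcard identifier {ident!r}")
            continue
        if not any(scope_permits(s, ident) for s in policy.scopes):
            reasons.append(f"identifier {ident!r} outside endpoint domain scope")
    return (not reasons, reasons)


# Constructed policy: a team endpoint allowed to issue for example.com and its
# subdomains, but not wildcards, with ECDSA P-256/P-384 and RSA 2048 only.
TEAM_POLICY = EndpointPolicy(
    scopes=(DomainScope("example.com", exact=True, subdomains=True, wildcard=False),),
    allowed_key_types=frozenset({"ECDSA P-256", "ECDSA P-384", "RSA 2048"}),
)


def demo() -> dict:
    """Exercise the policy with one allowed order and several that must be refused."""
    return {
        "san_under_scope": evaluate_order(TEAM_POLICY, ["www.example.com", "api.example.com"], "ECDSA P-256"),
        "wildcard_refused": evaluate_order(TEAM_POLICY, ["*.example.com"], "ECDSA P-256"),
        "foreign_domain": evaluate_order(TEAM_POLICY, ["example.org"], "RSA 2048"),
        "bad_key_type": evaluate_order(TEAM_POLICY, ["example.com"], "RSA 4096"),
    }


if __name__ == "__main__":
    for case, (allowed, reasons) in demo().items():
        print(f"{case}: {'allowed' if allowed else 'refused'} {reasons}")
```

Evaluating the whole order at once, rather than identifier by identifier, matters because a certificate carries every SAN it was issued with: one out-of-scope name in an otherwise legitimate request should refuse the order, which is what the collected reasons list makes auditable.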
Operational shift
The change extends ACM beyond console- and API-based certificate issuance into a workflow already used by infrastructure teams and open source tooling. That could make it easier for organisations to keep existing ACME-based automation while moving certificate governance into AWS.
The issue of certificate lifecycle management has become more pressing as browser and certificate authority policies shorten validity periods. Shorter lifetimes reduce the feasibility of manual renewals and raise the operational risk of expired certificates disrupting websites and applications.
Within ACM, certificates issued through ACME appear alongside those issued through the console or API, giving PKI teams one place to search across all of them.
Availability and pricing
ACME support for public certificates in AWS Certificate Manager is available in all commercial AWS Regions. Support for AWS GovCloud (US), the China Regions, and the AWS European Sovereign Cloud will follow later.
Pricing is charged per domain included in a certificate at the time of issuance, with separate pricing for fully qualified domain names and wildcard entries. Monthly volume tiers are calculated from the total number of domain occurrences across all certificates issued in an account.
The update gives AWS customers a native option for standards-based certificate automation inside the company's certificate management service, at a time when shorter certificate lifecycles are pushing more organisations towards automated renewal processes.