
Cornell University

Frequently Asked Questions

FAQs about AWS Certificate Manager.

This article applies to: AWS Certificate Manager

Types of Certificates

The following certificate types are available:

  • Single domain
  • Multi-domain
  • Wildcard domain

The following certificate types are not available through AWS, but are available through the InCommon SSL service.

  • Code signing
  • Extended validation (EV)

ACM Certificates Limits

  • Each AWS account has a default limit of 2500 ACM certificates in total.
  • The default domain limit per certificate is 10 domains but can be increased to 100.
  • More details are provided in ACM documentation.

Who Can Request Amazon Certificate Manager (ACM) Certificates?

To request an ACM certificate, you must have the AWS IAM policy AWSCertificateManagerFullAccess or a similar policy.

If you do not have this access, your AWS account administrator can give it to you. It is separate from other AWS privileges.

For Accounts Outside the Main Cornell AWS Organization

Any AWS account can request DNS-validated ACM certificates for cornell.edu domains.

Certificate Signing Request (CSR) for ACM Certificates

  • ACM does not require Certificate Signing Requests (CSR) when you request a new certificate.

Install, Use, and Renew Certificates

Where to Use ACM Certificates

Amazon Certificate Manager (ACM) certificates can be used with the following Amazon Web Services (AWS) services:

  • Elastic Load Balancing
  • Amazon CloudFront
  • Amazon Cognito
  • AWS Elastic Beanstalk
  • AWS App Runner
  • Amazon API Gateway
  • AWS Nitro Enclaves
  • AWS CloudFormation
  • AWS Amplify
  • Amazon OpenSearch Service
  • AWS Network Firewall

For more information see Amazon’s documentation about Services Integrated with AWS Certificate Manager.

ACM certificates cannot be used with non-AWS services.

Cornell also offers TLS certificates through InCommon. You can use InCommon certificates on AWS EC2 instances just as you would for any server or virtual machine.

  • It is possible to import existing InCommon certificates and manage them through ACM. However, AWS cannot renew such certificates.

Domains Supported

You can use ACM to create a certificate request for any domain. If the request is for a domain served by Cornell’s DNS database:

  • the DNS records required for validation of the certificate must be added to the Cornell DNS database.
  • Cornell will not approve requests for email-validated certificates.

If the request is for a domain not served by Cornell’s DNS database, it is up to the domain owner to determine whether DNS- or email-based validation will be supported. You should discuss this with the domain owner.

Install and Download Certificate Private Key

ACM certificates do not need to be installed. After approval, you can immediately use the certificate for your domain by configuring a supported AWS service to use it.

The Certificate Private Key cannot be downloaded. It is managed entirely by AWS.

Renewal and Certificate Validity Period

Certificates from AWS are valid for 13 months.

Certificates are automatically renewed when they meet the AWS criteria for automatic renewal. In general, the certificate must be in use and the DNS records used for validation must still be in place. For more information, see the AWS documentation about Managed Renewal.
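
As an added illustration of the renewal criteria above (not Cornell's or AWS's code), the following Python checks certificate records shaped like ACM DescribeCertificate output for the conditions this page says prevent automatic renewal, and lists the validation CNAMEs that must stay in DNS. The sample records, domains, ARNs and record values are constructed placeholders, and the 45-day warning window is an assumption.

```python
from datetime import datetime, timedelta, timezone

def renewal_findings(cert, now=None, warn_days=45):
    """List reasons ACM managed renewal may not cover this certificate.

    cert is the "Certificate" dict returned by ACM DescribeCertificate, e.g.
    boto3.client("acm").describe_certificate(CertificateArn=arn)["Certificate"].
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    if cert.get("Type") == "IMPORTED":
        findings.append("imported certificate: AWS cannot renew it")
    if not cert.get("InUseBy"):
        findings.append("not in use by any AWS service")
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS":
            findings.append(f"{opt['DomainName']}: not DNS-validated")
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        findings.append("RenewalEligibility is INELIGIBLE")
    not_after = cert.get("NotAfter")
    if findings and not_after and not_after - now <= timedelta(days=warn_days):
        findings.append(f"expires within {warn_days} days")  # warn_days is an assumed window
    return findings

def validation_cnames(cert):
    """CNAME (name, value) pairs that must remain in DNS for renewal."""
    return [(o["ResourceRecord"]["Name"], o["ResourceRecord"]["Value"])
            for o in cert.get("DomainValidationOptions", [])
            if o.get("ValidationMethod") == "DNS" and "ResourceRecord" in o]

# Constructed sample data (placeholder ARNs, domains and record values).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
HEALTHY = {"DomainName": "app.example.edu", "Type": "AMAZON_ISSUED",
    "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/demo/0"],
    "RenewalEligibility": "ELIGIBLE", "NotAfter": datetime(2025, 1, 15, tzinfo=timezone.utc),
    "DomainValidationOptions": [{"DomainName": "app.example.edu", "ValidationMethod": "DNS",
        "ResourceRecord": {"Name": "_placeholder.app.example.edu.", "Type": "CNAME",
                           "Value": "_placeholder.acm-validations.aws."}}]}
IMPORTED = {"DomainName": "legacy.example.edu", "Type": "IMPORTED",
    "InUseBy": HEALTHY["InUseBy"], "RenewalEligibility": "INELIGIBLE",
    "NotAfter": datetime(2024, 6, 20, tzinfo=timezone.utc)}
UNUSED_EMAIL = {"DomainName": "old.example.edu", "Type": "AMAZON_ISSUED", "InUseBy": [],
    "RenewalEligibility": "INELIGIBLE", "NotAfter": datetime(2025, 1, 15, tzinfo=timezone.utc),
    "DomainValidationOptions": [{"DomainName": "old.example.edu", "ValidationMethod": "EMAIL"}]}

if __name__ == "__main__":
    for c in (HEALTHY, IMPORTED, UNUSED_EMAIL):
        print(c["DomainName"], renewal_findings(c, SAMPLE_NOW))
```

The check only reads certificate metadata; confirming that each CNAME returned by validation_cnames still resolves is a separate DNS lookup.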
