Skip to main content

Frequently Asked Questions

FAQs about AWS Certificate Manager.

This article applies to: AWS Certificate Manager


Types of Certificates

The following certificate types are available:

  • Single domain
  • Multi-domain
  • Wildcard domain

The following certificate types are not available through AWS, but are available through the InCommon SSL service.

  • Code signing
  • Extended validation (EV)

ACM Certificates Limits

  • Each AWS account is limited to 20 ACM certificates in total.

Who Can Request Amazon Certificate Manager (ACM) Certificates?

To request an ACM certificate, you must have AWS IAM policy AWSCertificateManagerFullAccess or similar.

(If you do not have this access, your AWS account administrator can give it to you. It is separate from other AWS privileges.)

For accounts outside the main Cornell AWS account umbrella

If you AWS account is not under the main Cornell AWS account umbrella, you can use the ACM to request a certificate. AWS will seek approval from the contacts listed for the domain. If the domain has noc@cornell.edu listed as a contact, the IT Service Desk will be able to approve the request.

Certificate Signing Request (CSR) for ACM Certificates

  • ACM does not require Certificate Signing Requests (CSR) when you request a new certificate.

Install, Use, and Renew Certificates

Where to Use ACM Certificates

Amazon Certificate Manager (ACM) certificates can be used with the following Amazon Web Services (AWS) services:

  • AWS Elastic Load Balancing
  • Amazon CloudFront services deployed from AWS accounts

For more information see Amazon's documentation: Services Integrated with AWS Certificate Manager.

ACM certificates cannot be used with non-AWS services.

Cornell also offers SSL/TSL certificates through InCommon. You can use InCommon certificates on AWS EC2 instances just as you would for any server or virtual machine.

Note about Non-Cornell domains: For Cornell.edu domains, the IT Service Desk is the contact for request approvals. (Specifically, the email address noc@cornell.edu is listed as the domain registrant.) You can request certificates for non-Cornell.edu domains, but the approval will most likely not go through the IT Service Desk.

Install and Download Certificate Private Key

ACM certificates do not need to be installed. After approval, you can immediately use the certificate for your domain.

The Certificate Private Key cannot be downloaded. It is managed entirely by AWS.

For more information, see the Amazon documentation:

Renewal and Certificate Validity Period

Certificates from AWS are valid for 13 months.

Certificates are automatically renewed when they meet the AWS criteria for automatic renewal. For more information, see the AWS documentation about Managed Renewal.

If the certificate did not meet the auto-renewal criteria, ACM automatically sends email validation requests to the domain owner in a process similar to the original certificate request.

About this Article

Last updated: 

Monday, July 10, 2017 - 3:53pm

Was this page helpful?

Your feedback helps improve the site.

Comments?