Frequently Asked Questions
FAQs about AWS Certificate Manager.
This article applies to: AWS Certificate Manager
Types of Certificates
The following certificate types are available:
- Single domain
- Wildcard domain
The following certificate types are not available through AWS, but are available through the InCommon SSL service.
- Code signing
- Extended validation (EV)
ACM Certificate Limits
- Each AWS account is limited to 20 ACM certificates in total.
Who Can Request AWS Certificate Manager (ACM) Certificates?
To request an ACM certificate, you must have the AWS IAM policy AWSCertificateManagerFullAccess or a similar policy.
(If you do not have this access, your AWS account administrator can give it to you. It is separate from other AWS privileges.)
For accounts outside the main Cornell AWS account umbrella
If your AWS account is not under the main Cornell AWS account umbrella, you can use ACM to request a certificate. AWS will seek approval from the contacts listed for the domain. If the domain has email@example.com listed as a contact, the IT Service Desk will be able to approve the request.
Certificate Signing Request (CSR) for ACM Certificates
- ACM does not require Certificate Signing Requests (CSR) when you request a new certificate.
Install, Use, and Renew Certificates
Where to Use ACM Certificates
AWS Certificate Manager (ACM) certificates can be used with the following Amazon Web Services (AWS) services:
- AWS Elastic Load Balancing
- Amazon CloudFront services deployed from AWS accounts
For more information, see Amazon's documentation: Services Integrated with AWS Certificate Manager.
ACM certificates cannot be used with non-AWS services.
Cornell also offers SSL/TLS certificates through InCommon. You can use InCommon certificates on AWS EC2 instances just as you would for any server or virtual machine.
- It is not possible to import existing InCommon certificates and manage them through ACM.
- You can upload certificates into AWS IAM and use them with some AWS services.
Install and Download Certificate Private Key
ACM certificates do not need to be installed. After approval, you can immediately use the certificate for your domain.
The Certificate Private Key cannot be downloaded. It is managed entirely by AWS.
For more information, see the Amazon documentation:
- Elastic Load Balancer: Create an SSL Certificate Using AWS Certificate Manager
- Amazon CloudFront: Getting Started
- ACM Private Key Security
Renewal and Certificate Validity Period
Certificates from AWS are valid for 13 months.
Certificates are automatically renewed when they meet the AWS criteria for automatic renewal. For more information, see the AWS documentation about Managed Renewal.
If the certificate does not meet the auto-renewal criteria, ACM automatically sends email validation requests to the domain owner in a process similar to the original certificate request.
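A certificate that misses managed renewal only stays valid if someone answers the validation email in time, so it helps to find those certificates before they expire. The following is an added example, not part of the original FAQ or of AWS's own tooling: it works on records shaped like the "Certificate" object returned by the ACM DescribeCertificate API, and the sample records, ARNs, domains, and the 45-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def renewal_findings(certs, now, warn_days=45):
    """Flag certificates that will not renew without someone acting.

    certs: "Certificate" dicts shaped like ACM DescribeCertificate output.
    Returns a list of (arn, days_left, reason) tuples.
    """
    findings = []
    for c in certs:
        status = c.get("RenewalSummary", {}).get("RenewalStatus")
        days_left = (c["NotAfter"] - now).days
        if status == "PENDING_VALIDATION":
            # ACM is waiting for the domain owner to complete validation.
            reason = "renewal pending validation"
        elif status == "FAILED":
            reason = "managed renewal failed"
        elif days_left <= warn_days and c.get("RenewalEligibility") != "ELIGIBLE":
            in_use = len(c.get("InUseBy", []))
            reason = "not eligible for managed renewal (in use by %d resources)" % in_use
        else:
            continue
        findings.append((c["CertificateArn"], days_left, reason))
    return findings

# Constructed sample records; ARNs, domains and dates are made up.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
ARN = "arn:aws:acm:us-east-1:111122223333:certificate/example-%d"
LB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0000"

def _cert(n, days, eligibility, in_use, status=None):
    c = {"CertificateArn": ARN % n, "DomainName": "app%d.example.edu" % n,
         "NotAfter": NOW + timedelta(days=days),
         "RenewalEligibility": eligibility, "InUseBy": in_use}
    if status:
        c["RenewalSummary"] = {"RenewalStatus": status}
    return c

SAMPLE = [
    _cert(1, 30, "ELIGIBLE", [LB]),                       # ACM will renew it
    _cert(2, 20, "INELIGIBLE", []),                       # expiring, no auto-renewal
    _cert(3, 40, "ELIGIBLE", [LB], "PENDING_VALIDATION"), # waiting on the domain owner
    _cert(4, 200, "INELIGIBLE", []),                      # ineligible but not yet urgent
]

if __name__ == "__main__":
    for arn, days, reason in renewal_findings(SAMPLE, NOW):
        print(f"{arn}: {days} days left, {reason}")
```

With live data, the same function can be fed the "Certificate" objects returned by boto3's acm.describe_certificate for each ARN from acm.list_certificates.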