
Automate public TLS certificate issuance with ACME support in AWS Certificate Manager


AWS Certificate Manager (ACM) now supports the ACME protocol, allowing organizations to automate the issuance and renewal of public TLS certificates. This feature simplifies certificate lifecycle management and enhances security controls through centralized administration.


If you manage TLS certificates for your applications, you know the challenge: certificates expire, and when they do, your customers see errors or your service goes down. As certificate validity periods get shorter (the Certification Authority (CA)/Browser Forum mandates reduced maximum validity to 100 days starting March 2027, and to 47 days by 2029), manual renewal processes become untenable. You need automation.

Automatic Certificate Management Environment (ACME) is an open protocol for requesting, renewing, and revoking TLS certificates without human intervention. It’s the same protocol behind Let’s Encrypt, and it’s supported by dozens of clients across every platform.

Today we’re announcing ACME support for public certificates in AWS Certificate Manager (ACM). ACM now provides a fully managed ACME server endpoint that works with any ACMEv2-compatible client, such as Certbot, cert-manager for Kubernetes, acme.sh, or any other client you already use. You can issue public TLS certificates from Amazon Trust Services through the standard ACME protocol.

Before today, if you wanted automated certificate management using the ACME protocol, you relied on external certificate authorities alongside ACM, leading to a fragmented visibility experience. Some certificates lived in ACM, others were managed externally with no central dashboard. PKI administrators had limited ability to control who could request certificates or which domains were allowed.

With ACME support in ACM, you can now set up one or more managed ACME endpoints that allow you to centrally manage and monitor ACME certificate usage across your organization.

As a PKI administrator, you get centralized controls that go beyond basic certificate issuance. You can bind IAM roles to ACME accounts for fine-grained access control over which domains each client can request. You can define domain scopes at the endpoint level to enforce organization-wide policies. And you get centralized monitoring and visibility in the same place: AWS CloudTrail logs every certificate request for auditability, Amazon CloudWatch tracks operational metrics, and ACM sends expiry notifications when certificates are approaching renewal. Using ACM, your PKI team can search all certificates, whether issued through the ACM console, an API call, or ACME.

How it works

To get started, you first set up a dedicated ACME endpoint, configure authorization controls using External Account Binding (EAB), validate which domains the endpoint can issue certificates for, and point your existing ACME clients to the new endpoint.

The domain validation step is important: it separates who can set up certificate issuance from who can request certificates. The PKI administrator validates domains once at the endpoint level, using DNS credentials that stay with the admin. Application owners who need certificates never touch DNS. They register with an EAB credential, and the endpoint enforces which domains and scopes they’re allowed to request. This means you can distribute certificate automation broadly across your organization without distributing DNS keys along with it.

I start this demo from the ACME certificates page in the AWS Certificate Manager console.

Although I already have a few endpoints and certificates in this account, I walk you through creating a new one from scratch. First, I select Create ACME endpoint.

I give my endpoint a name. The Endpoint type is Public. ACME clients will connect over the public internet. The Certificate type is Public. The certificate will be issued by Amazon Trust Services and trusted by browsers and operating systems by default. For the certificate key type, I keep the default ECDSA P-256. RSA 2048 and ECDSA P-384 are also available if your clients require them.

Scrolling down, I configure the domain. I enter my domain name and select the domain scope. The scope controls exactly what certificate patterns your ACME clients are allowed to request for this domain. If I check only Exact domain, clients can only request certificates for that specific domain name. Adding Subdomains allows certificates for any subdomain (for example, api.example.com or dev.example.com). Adding Wildcards allows wildcard certificates (*.example.com). By leaving a scope unchecked, you prevent any client using this endpoint from requesting that type of certificate, even if their ACME request is otherwise valid. For a production endpoint, you might enable only Exact domain and Subdomains while leaving Wildcards unchecked to enforce a stricter security posture.
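To make the effect of the three scope checkboxes concrete, here is an added example (not code from the AWS post or from ACM itself) that models an endpoint's domain scope as a small policy and evaluates the identifiers in a certificate order against it. The class and function names, and the treatment of deeper wildcards such as *.api.example.com as needing both Wildcards and Subdomains, are my assumptions; the page only states that Wildcards permits *.example.com.

```python
"""Constructed model of ACM ACME endpoint domain scopes (Exact domain / Subdomains / Wildcards).

Added example, not ACM's implementation: it shows how an endpoint-level scope
decides, per requested name, whether an ACME order may proceed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DomainScope:
    """One validated domain on the endpoint plus the scopes the admin ticked."""
    domain: str
    exact: bool = True
    subdomains: bool = False
    wildcards: bool = False


def normalize(name: str) -> str:
    """DNS names are case-insensitive; strip a trailing dot so 'a.example.com.' matches."""
    return name.strip().rstrip(".").lower()


def name_permitted(scope: DomainScope, requested: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a single requested name under one scope."""
    base = normalize(scope.domain)
    name = normalize(requested)
    if not name:
        return False, "empty name"

    if name.startswith("*."):
        if name.count("*") != 1:
            return False, "multiple wildcards"
        if not scope.wildcards:
            return False, "wildcards not enabled"
        rest = name[2:]
        if rest == base:
            return True, "wildcard"
        # Assumption: '*.api.example.com' covers children of a subdomain, so it
        # needs the Subdomains scope as well as Wildcards.
        if scope.subdomains and rest.endswith("." + base):
            return True, "wildcard under subdomain"
        return False, "wildcard outside domain"

    if "*" in name:
        return False, "wildcard only allowed as leftmost label"
    if name == base:
        return (True, "exact") if scope.exact else (False, "exact domain not enabled")
    # The leading dot matters: 'notexample.com' must not match 'example.com'.
    if name.endswith("." + base):
        return (True, "subdomain") if scope.subdomains else (False, "subdomains not enabled")
    return False, "outside domain"


def order_permitted(scopes: list[DomainScope], identifiers: list[str]) -> list[tuple[str, bool, str]]:
    """Evaluate every identifier in an order; any rejected name fails the whole order."""
    results = []
    for ident in identifiers:
        verdicts = [name_permitted(s, ident) for s in scopes]
        ok = next((v for v in verdicts if v[0]), None)
        if ok:
            results.append((ident, True, ok[1]))
        else:
            results.append((ident, False, "; ".join(v[1] for v in verdicts)))
    return results


if __name__ == "__main__":
    # The "production" posture from the text: Exact domain + Subdomains, no Wildcards.
    prod = DomainScope("example.com", exact=True, subdomains=True, wildcards=False)
    for ident, allowed, why in order_permitted([prod], ["example.com", "api.example.com", "*.example.com", "notexample.com"]):
        print(f"{ident:20} {'ALLOW' if allowed else 'DENY ':5} {why}")
```

The check runs on the endpoint, not in the client, which is the point of the text above: a client with a valid EAB credential and a well-formed order still cannot obtain a wildcard if the administrator left Wildcards unchecked.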

I also select my Amazon Route 53 hosted zone from the drop-down menu. ACM then automatically creates the DNS CNAME records needed for domain validation, so I don’t have to do it manually. When my domain is hosted outside of Route 53, I manually create the provided CNAME record at my DNS provider instead. This is a meaningful difference from typical ACME setups where each client handles its own domain verification independently.

These centralized controls give PKI administrators a single place to authenticate domains, restrict which certificate types (ECDSA or RSA) clients can request, and further limit wildcard issuance. Having these governance capabilities built in means you don’t need to purchase a separate certificate lifecycle management product or invest in building a custom policy layer yourself, both of which come at significant cost and operational overhead.

I select Create ACME endpoint.

After a few seconds, the endpoint is created. The console shows a Setup progress tracker with the next steps. My domain shows a “Validating” status. The validation method is DNS validation, where ACM verifies that you control the domain by checking for a specific CNAME record. Because I selected my Route 53 hosted zone during creation, I select Create records in Route 53 to let ACM handle the DNS validation automatically.

The validation completes in a few seconds and the status changes to Success.

Now I need to create External Account Binding (EAB) credentials. EAB credentials are a key identifier and HMAC key pair that lets your ACME client register an account with the ACME server. Once registered, the client generates its own asymmetric key pair, which is then used to authenticate all subsequent certificate requests. On the endpoint details page, I select the External account binding tab, then select Create EAB. I give the credential a name and optionally set an expiration time, ideally no longer than needed to complete client registration.

After I select Create EAB credential, the console shows the Key ID and HMAC Key. I note these values because I need them to configure my ACME client. The setup progress now shows four green checkmarks.
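The Key ID and HMAC Key are used exactly once, when the client registers its account. As an added illustration (not code from the AWS post, and not how ACM is implemented internally), the following shows both halves of the External Account Binding defined in RFC 8555 section 7.3.4: the client signs its own account public key with the HMAC key, and the server looks up the Key ID, recomputes the MAC, and refuses the registration if the key is unknown, expired, the signature is wrong, or the signed key does not match the key the account is being created with. The account URL, the credential store layout, the expiry field and the JWK values are constructed placeholders.

```python
"""Constructed demonstration of ACME External Account Binding (RFC 8555 section 7.3.4).

Added example: a PKI admin mints a Key ID + HMAC key, an ACME client binds its
account key to it, and the ACME server verifies the binding before creating
the account. Standard library only; all values are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Placeholder newAccount URL, not ACM's real endpoint.
NEW_ACCOUNT_URL = "https://acme.example.invalid/new-account"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_eab_credential(store: dict, expires_at: int) -> tuple[str, str]:
    """Admin side: create a Key ID and a random 256-bit HMAC key with an expiry.

    The server keeps the raw key under the kid; the client receives it
    base64url-encoded, which is the form Certbot's --eab-hmac-key expects.
    """
    kid = "eab-" + secrets.token_hex(8)
    hmac_key = secrets.token_bytes(32)
    store[kid] = {"key": hmac_key, "expires_at": expires_at}
    return kid, b64url(hmac_key)


def build_eab_jws(kid: str, hmac_key_b64: str, account_jwk: dict, url: str = NEW_ACCOUNT_URL) -> dict:
    """Client side: HS256 JWS over the account public key (no nonce, per the RFC)."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": url}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    sig = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}


def verify_eab_jws(eab: dict, outer_account_jwk: dict, store: dict, now: int,
                   url: str = NEW_ACCOUNT_URL) -> tuple[bool, str]:
    """Server side: return (True, kid) to bind the account, or (False, reason)."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        signature = b64url_decode(eab["signature"])
        inner_jwk = json.loads(b64url_decode(eab["payload"]))
    except (KeyError, ValueError, TypeError):
        return False, "malformed binding"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if header.get("url") != url:
        return False, "url mismatch"          # binding replayed against another endpoint
    cred = store.get(header.get("kid"))
    if cred is None:
        return False, "unknown kid"
    if now >= cred["expires_at"]:
        return False, "credential expired"    # the short expiry the admin set has passed
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(cred["key"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # The key inside the binding must be the very key the new account will use;
    # otherwise a stolen binding could be attached to someone else's account key.
    if inner_jwk != outer_account_jwk:
        return False, "payload key does not match account key"
    return True, header["kid"]


if __name__ == "__main__":
    store = {}
    kid, key_b64 = issue_eab_credential(store, expires_at=1_700_003_600)
    # Constructed stand-in for the client's ECDSA P-256 account public key.
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    print(verify_eab_jws(build_eab_jws(kid, key_b64, jwk), jwk, store, now=1_700_000_000))
```

Because the MAC key never leaves the admin's store and the client only ever presents a signature over its own account key, compromise of a client host exposes that client's account key, not the ability to mint new accounts; and once the credential expires, the Key ID is inert even if the HMAC Key leaks from a build log.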

I’m ready to request a certificate. On the endpoint details page, I expand the CLI reference section. The console provides ready-to-use command examples for both Certbot and acme.sh. I copy the Certbot command and run it inside a container using the certbot/certbot image.

certbot certonly --standalone --non-interactive --agree-tos \
--email <EMAIL> \
--server https://acm-acme-enroll.us-east-1.api.aws/<ENDPOINT_ID>/directory \
--eab-kid <EAB_KID> \
--eab-hmac-key <EAB_HMAC_KEY> \
--issuance-timeout <ISSUANCE_TIMEOUT> \
-d <DOMAIN>

I replace the placeholders with my endpoint URL, EAB credentials, and domain name. The --eab-kid and --eab-hmac-key arguments are how Certbot registers with your ACME endpoint using the External Account Binding credentials I generated earlier. Each ACME client has its own syntax for this step, so check your client’s documentation for the exact flags.

Certbot contacts the ACME endpoint and returns a valid certificate signed by Amazon Trust Services.

I use openssl to view the certificate before installing it.


Source: AWS News Blog

