AWS Certificate Manager adds ACME support for public TLS certificates
AWS Certificate Manager (ACM) now supports the Automatic Certificate Management Environment (ACME) protocol for issuing public TLS certificates. This allows organizations to automate certificate renewal and management using existing ACME clients, addressing challenges with shorter certificate validity periods and fragmented visibility. PKI administrators gain centralized control, fine-grained access management via IAM roles, and enhanced monitoring through CloudTrail and CloudWatch. The feature is available now for public certificates issued by Amazon Trust Services.
- →Automated TLS certificate issuance via ACME protocol
- →Granular access control and domain scoping for ACME endpoints
- →Simplified domain validation and certificate request workflow
- →Centralized management and visibility for ACME-issued certificates
- →Support for various certificate key types and client integrations
Features (3) ›
- Automated TLS certificate issuance via ACME protocol
AWS Certificate Manager (ACM) now offers a managed ACME server endpoint, enabling automated issuance and renewal of public TLS certificates using any ACMEv2-compatible client. This supports organizations in managing certificates as validity periods shorten, preventing service disruptions and errors.
- Granular access control and domain scoping for ACME endpoints
PKI administrators can now bind IAM roles to ACME accounts for fine-grained access control, limiting which domains clients can request certificates for. Domain scopes can be defined at the endpoint level to enforce organizational policies, enhancing security and control over certificate issuance.
- Simplified domain validation and certificate request workflow
ACM simplifies domain validation by automatically creating DNS CNAME records in Route 53 or providing records for manual creation with other DNS providers. External Account Binding (EAB) credentials allow ACME clients to register with the ACME server, enabling certificate requests without direct DNS key management for application owners.
Enhancements (1) ›
- Centralized management and visibility for ACME-issued certificates
ACME support in ACM provides a unified console for managing certificates issued via ACME, ACM console, or API, improving visibility and simplifying PKI administration. Auditability is enhanced through CloudTrail logging, while CloudWatch monitors operational metrics and ACM provides expiry notifications.
Notes (1) ›
- Support for various certificate key types and client integrations
The ACME endpoint supports ECDSA P-256, RSA 2048, and ECDSA P-384 key types. The documentation provides ready-to-use command examples for popular ACME clients like Certbot and acme.sh, facilitating integration with existing workflows.
https://aws.amazon.com/blogs/aws/automate-public-tls-certificate-issuance-with-acme-support-in-aws-certificate-manager/
Related releases
- Build Stateful IT Service Desk Agent with LangGraph on EKS AWS Open Source Blog ·
- Amazon DocumentDB added as a skill to AWS Agent Toolkit AWS What's New ·
- Amazon EMR on EKS adds Apache Spark troubleshooting agent AWS What's New ·
- AWS MCP Server adds OAuth support for AI agent connections AWS What's New ·
- AWS Config adds 191 managed rules for AI and core services AWS What's New ·
- SageMaker Studio adds data lineage for IAM-based domains AWS What's New ·