aws AWS News Blog ·

AWS Certificate Manager adds ACME support for public TLS certificates

bloginfraawsengineeraws-iam
feature

AWS Certificate Manager (ACM) now supports the Automatic Certificate Management Environment (ACME) protocol for issuing public TLS certificates. This allows organizations to automate certificate renewal and management using existing ACME clients, addressing challenges with shorter certificate validity periods and fragmented visibility. PKI administrators gain centralized control, fine-grained access management via IAM roles, and enhanced monitoring through CloudTrail and CloudWatch. The feature is available now for public certificates issued by Amazon Trust Services.

  • Automated TLS certificate issuance via ACME protocol
  • Granular access control and domain scoping for ACME endpoints
  • Simplified domain validation and certificate request workflow
  • Centralized management and visibility for ACME-issued certificates
  • Support for various certificate key types and client integrations
Features (3)
  • Automated TLS certificate issuance via ACME protocol

    AWS Certificate Manager (ACM) now offers a managed ACME server endpoint, enabling automated issuance and renewal of public TLS certificates using any ACMEv2-compatible client. This supports organizations in managing certificates as validity periods shorten, preventing service disruptions and errors.

  • Granular access control and domain scoping for ACME endpoints

    PKI administrators can now bind IAM roles to ACME accounts for fine-grained access control, limiting which domains clients can request certificates for. Domain scopes can be defined at the endpoint level to enforce organizational policies, enhancing security and control over certificate issuance.

  • Simplified domain validation and certificate request workflow

    ACM simplifies domain validation by automatically creating DNS CNAME records in Route 53 or providing records for manual creation with other DNS providers. External Account Binding (EAB) credentials allow ACME clients to register with the ACME server, enabling certificate requests without direct DNS key management for application owners.

Enhancements (1)
  • Centralized management and visibility for ACME-issued certificates

    ACME support in ACM provides a unified console for managing certificates issued via ACME, ACM console, or API, improving visibility and simplifying PKI administration. Auditability is enhanced through CloudTrail logging, while CloudWatch monitors operational metrics and ACM provides expiry notifications.

Notes (1)
  • Support for various certificate key types and client integrations

    The ACME endpoint supports ECDSA P-256, RSA 2048, and ECDSA P-384 key types. The documentation provides ready-to-use command examples for popular ACME clients like Certbot and acme.sh, facilitating integration with existing workflows.

Read the original announcement →

https://aws.amazon.com/blogs/aws/automate-public-tls-certificate-issuance-with-acme-support-in-aws-certificate-manager/

Related releases