AWS Certificate Manager public certificates - AWS Certificate Manager

AWS Certificate Manager public certificates

After you request a public certificate, you must validate domain ownership, as described in Validate domain ownership for AWS Certificate Manager public certificates.

Public ACM certificates follow the X.509 standard and are subject to the following restrictions:

  • Names: You must use DNS-compliant subject names. For more information, see Domain Names.

  • Algorithm: For encryption, the certificate private key algorithm must be one of the following: 2048-bit RSA, 256-bit ECDSA, or 384-bit ECDSA.

  • Expiration: Each certificate is valid for 13 months (395 days).

  • Renewal: ACM attempts to renew a public certificate automatically after 11 months.

Note

Public ACM certificates can be installed on Amazon EC2 instances that are connected to a Nitro Enclave. You can also export a public certificate to use on any Amazon EC2 instance. For information about setting up a standalone web server on an Amazon EC2 instance not connected to a Nitro Enclave, see Tutorial: Install a LAMP web server on Amazon Linux 2 or Tutorial: Install a LAMP web server with the Amazon Linux AMI.

Administrators can use ACM conditional key policies to control how end users issue new certificates. These conditional keys allow restrictions to be placed on domains, validation methods, and other attributes related to a certificate request. If you encounter problems when requesting a certificate, see Troubleshoot certificate requests.
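The following IAM policy is an added illustration of such restrictions, not a policy taken from this page. It uses the `acm:ValidationMethod` and `acm:DomainNames` condition keys to block email-validated requests and any request that includes a name outside one approved zone. The domain `example.com` and the `Sid` values are placeholders chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyEmailValidation",
      "Effect": "Deny",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "acm:ValidationMethod": "EMAIL"
        }
      }
    },
    {
      "Sid": "ExampleDenyNamesOutsideApprovedZone",
      "Effect": "Deny",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotLike": {
          "acm:DomainNames": [
            "example.com",
            "*.example.com"
          ]
        }
      }
    }
  ]
}
```

Both statements are explicit denies, so they only narrow what a principal can request. The principal still needs a separate `Allow` for `acm:RequestCertificate`. Because `acm:DomainNames` is multivalued, the `ForAnyValue` set operator makes the deny apply as soon as any one requested name falls outside the listed patterns.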

To request a certificate for a private PKI using AWS Private CA, see Request a private certificate in AWS Certificate Manager.