After you request a public certificate you must validate domain ownership, as described in Validate domain ownership for AWS Certificate Manager public certificates.
Public ACM certificates follow the X.509 standard and are subject to the following restrictions:
-
Names: You must use DNS-compliant subject names. For more information, see Domain Names.
-
Algorithm: For encryption, the certificate private key algorithm must be either 2048-bit RSA, 256-bit ECDSA, or 384-bit ECDSA.
-
Expiration: Each certificate is valid for 13 months (395 days).
-
Renewal: ACM attempts to renew a private certificate automatically after 11 months.
Administrators can use ACM Conditional Key Policies to control how end users issue new certificates. These Conditional keys allow restrictions to be placed on domains, validation methods, and other attributes related to a certificate request. If you encounter problems when requesting a certificate, see Troubleshoot certificate requests.
To request a certificate for a private PKI using AWS Private CA, see Request a private certificate in AWS Certificate Manager.
