Renew ACM public certificates - AWS Certificate Manager
Renewal for DNS-validated domainsEmail validation

Renew ACM public certificates

When issuing a managed, publicly trusted certificate, AWS Certificate Manager requires you to prove that you are the domain owner. This happens by means of either DNS validation or email validation. When a certificate comes up for renewal, ACM uses the same method that you chose earlier to re-validate your ownership. The following topics describe how the renewal process works in each case.

Renewal for domains validated by DNS

Managed renewal is fully automated for ACM certificates that were originally issued using DNS validation.

At 60 days prior to expiration, ACM checks for the following renewal criteria:

  • The certificate is currently in use by an AWS service.

  • All required ACM-provided DNS CNAME records (one for each unique Subject Alternative Name) are present and accessible via public DNS.

If these criteria are met, ACM considers the domain names validated and renews the certificate.

ACM sends AWS Health events and Amazon EventBridge events when it cannot automatically validate a domain during renewal (for example, because of the presence of CAA record). These events are sent at 45 days, 30 days, 15 days, seven days, three days, and one day prior to expiration. For more information, see Amazon EventBridge support for ACM.

Renewal for email-validated domains

ACM certificates are valid for 13 months (395 days). Renewing a certificate requires action by the domain owner. ACM begins sending renewal notices to the email addresses associated with the domain 45 days before expiration. The notifications contain a link that the domain owner can click for renewal. Once all listed domains are validated, ACM issues a renewed certificate with the same ARN.

For more information about validation email messages, see AWS Certificate Manager email validation

To learn how you can respond programmatically to validation email, see Automate AWS Certificate Manager email validation.

Resend validation email

After you configure email validation for your domain when you request a certificate (see AWS Certificate Manager email validation), you can use the AWS Certificate Manager API to request that ACM send you a domain validation email for your certificate renewal. You should do this in the following circumstances:

  • You used email validation when initially requesting your ACM certificate.

  • Your certificate's renewal status is pending validation. For information about determining a certificate's renewal status, see Check a certificate's renewal status.

  • You didn't receive or can't find the original domain validation email message that ACM sent for certificate renewal.

To send validation emails to a different domain than what you originally configured in your certificate request, you can use the ResendValidationEmail operation in the ACM API, AWS CLI, or AWS SDKs. ACM will send emails to the specified validation domain. You can access the AWS CLI in browser by using AWS CloudShell in supported Regions.

To request that ACM resend the domain validation email message (console)

  1. Open the AWS Certificate Manager console at https://console.aws.amazon.com/acm/home.

  2. Choose the Certificate ID of the certificate that requires validation.

  3. Choose Resend validation email.

To request that ACM resend the domain validation email (ACM API)

Use the ResendValidationEmail operation in the ACM API. In doing so, pass the ARN of the certificate, the domain that requires manual validation, and domain where you want to receive the domain validation emails. The following example shows how to do this with the AWS CLI. This example contains line breaks to make it easier to read.

$ aws acm resend-validation-email \
	--certificate-arn arn:aws:acm:region:account:certificate/certificate_ID \
	--domain subdomain.example.com \
	--validation-domain example.com