AWS Certificate Manager
A service that provisions, manages, and auto-renews SSL/TLS certificates, enabling free HTTPS on CloudFront and ALB
Overview
AWS Certificate Manager (ACM) is a service that handles the issuance, management, deployment, and automatic renewal of SSL/TLS certificates. Public certificates issued by ACM are free and can be associated with AWS services such as CloudFront, Elastic Load Balancing, and API Gateway with a single click. After verifying domain ownership through DNS validation or email validation, certificates are automatically issued and renewed before expiration, preventing service outages caused by expired certificates.
Certificate Issuance Flow and How DNS Validation Works
To issue a public certificate with ACM, you first create a request specifying the target domain names (e.g., example.com, *.example.com). You then choose either DNS validation or email validation to prove domain ownership, with DNS validation being strongly recommended. With DNS validation, you simply add a CNAME record specified by ACM to your domain's DNS, and as long as this record exists, automatic certificate renewal is handled seamlessly. If you use Route 53, you can add the CNAME record with a single click from the ACM console. Email validation sends a confirmation email to the domain administrator's address and requires email approval for each renewal, increasing operational overhead. Issuing a wildcard certificate (*.example.com) eliminates the need to manage individual certificates for each subdomain. Certificates issued by ACM are signed by Amazon Trust Services as the Certificate Authority (CA) and are trusted by all major browsers and operating systems. While Let's Encrypt also provides free certificates, ACM has the advantage of seamless integration with AWS services and highly reliable automatic renewal.
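The DNS validation step above is the one that most often goes wrong in practice, so here is an added worked example (not code from the page or from AWS) that turns the validation records ACM hands back into Route 53 change batches and verifies that what is actually published in DNS matches. The certificate dict, the hosted zone ids and the record names are constructed placeholders shaped like what boto3's acm.describe_certificate() and route53.change_resource_record_sets() use; the lookup function stands in for a real resolver. It also covers two details the text only implies: the apex and wildcard names share one validation record, and SANs in different zones need separate change batches.

```python
"""Turn an ACM DescribeCertificate response into the Route 53 CNAME records
DNS validation needs, and check that the published records match."""

# Constructed sample in the shape of boto3 acm.describe_certificate()["Certificate"].
# The ARN, record names and targets are placeholders, not real ACM values.
SAMPLE_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com", "api.example.org"],
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_xyz789.acm-validations.aws."}},
        # The apex and the wildcard share the same validation record.
        {"DomainName": "*.example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_xyz789.acm-validations.aws."}},
        {"DomainName": "api.example.org", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_def456.api.example.org.", "Type": "CNAME",
                            "Value": "_uvw000.acm-validations.aws."}},
    ],
}

# Constructed hosted zones (zone name -> placeholder zone id); the SANs span two zones.
SAMPLE_ZONES = {"example.com": "ZEXAMPLECOM", "example.org": "ZEXAMPLEORG"}


def _norm(name):
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.rstrip(".").lower()


def validation_records(cert):
    """Unique {record_name: cname_target} pairs ACM asks you to publish."""
    records = {}
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        # Immediately after RequestCertificate the record may not be populated yet.
        if opt.get("ValidationMethod") != "DNS" or rr is None:
            continue
        records[_norm(rr["Name"])] = _norm(rr["Value"])
    return records


def zone_for(record_name, zones):
    """Return the key of the hosted zone with the longest matching suffix, or None."""
    best_key, best_len = None, -1
    for key in zones:
        z = _norm(key)
        if (record_name == z or record_name.endswith("." + z)) and len(z) > best_len:
            best_key, best_len = key, len(z)
    return best_key


def change_batches(cert, zones, action="UPSERT", ttl=300):
    """One ChangeBatch per hosted zone id, in the shape
    route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=...) expects.
    Records in a zone you do not host are grouped under the key None."""
    batches = {}
    for name, target in sorted(validation_records(cert).items()):
        zone_key = zone_for(name, zones)
        zone_id = zones[zone_key] if zone_key else None
        batch = batches.setdefault(zone_id, {"Comment": "ACM DNS validation", "Changes": []})
        batch["Changes"].append({
            "Action": action,
            "ResourceRecordSet": {"Name": name + ".", "Type": "CNAME", "TTL": ttl,
                                  "ResourceRecords": [{"Value": target + "."}]},
        })
    return batches


def check_published(cert, lookup):
    """lookup(name) returns the CNAME target currently in DNS, or None.
    Returns {record_name: problem} for records that are missing or point elsewhere;
    an empty dict means validation (and later renewal) can proceed unattended."""
    problems = {}
    for name, expected in validation_records(cert).items():
        got = lookup(name)
        if got is None:
            problems[name] = "missing"
        elif _norm(got) != expected:
            problems[name] = "points to " + got
    return problems
```

Because validation_records() de-duplicates by record name, the batch for example.com contains a single UPSERT even though both example.com and *.example.com are on the certificate. Keeping the check_published() step in a scheduled job is what protects auto-renewal later: ACM re-validates against the same CNAME, so a record that someone cleaned up months after issuance is the usual cause of a failed renewal.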
Deploying Certificates to AWS Services and Managing Auto-Renewal
Certificates issued by ACM are used by associating them with CloudFront distributions, Application Load Balancers (ALB), Network Load Balancers (NLB), and API Gateway custom domains. A common pitfall is that certificates used with CloudFront must be issued in the us-east-1 region. For ALB and NLB, the standard configuration associates certificates with listeners to perform HTTPS termination at the load balancer. Multiple certificates can be associated with a single listener, with the appropriate certificate automatically selected via SNI (Server Name Indication). Auto-renewal begins 60 days before the certificate's expiration date, and if the DNS validation CNAME record is correctly configured, renewal completes without any manual intervention. Renewal status can be monitored through the ACM console or EventBridge events, and it is recommended to set up alerts for renewal failures.
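The recommendation to alert on renewal failures is easy to state and easy to get wrong, so here is an added example (not from the page or from AWS) of the two pieces a practitioner would wire up: an EventBridge rule pattern on ACM's own notifications, and a classifier that turns a describe_certificate() record into an alert level by reading its RenewalSummary and RenewalEligibility fields. The certificate dicts, the fixed "now" timestamp and the sample event are constructed; the detail-type strings are the ones ACM publishes for expiry and renewal events.

```python
"""Classify an ACM certificate record for renewal alerting, plus the EventBridge
pattern that catches ACM's own expiry / renewal-action notifications."""
from datetime import datetime, timedelta, timezone

# EventBridge rule pattern; these detail-type values are the ones ACM emits.
RENEWAL_EVENT_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Approaching Expiration",
                    "ACM Certificate Renewal Action Required"],
}


def event_matches(event, pattern=RENEWAL_EVENT_PATTERN):
    """Minimal matcher for the top-level fields used in the pattern (EventBridge
    does the real matching; this lets the rule be exercised offline)."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def certificate_health(cert, now=None, warn_days=30):
    """Return (level, reason) for a describe_certificate()['Certificate'] dict.
    level is 'OK', 'WARNING' or 'CRITICAL'."""
    now = now or datetime.now(timezone.utc)
    status = cert.get("Status")
    not_after = cert.get("NotAfter")
    if status == "EXPIRED" or (not_after is not None and not_after <= now):
        return "CRITICAL", "certificate has expired"
    if status in ("FAILED", "VALIDATION_TIMED_OUT", "REVOKED"):
        return "CRITICAL", f"certificate status is {status}"
    renewal = cert.get("RenewalSummary") or {}
    rstatus = renewal.get("RenewalStatus")
    if rstatus == "FAILED":
        return "CRITICAL", "renewal failed: " + renewal.get("RenewalStatusReason", "unknown reason")
    if rstatus == "PENDING_VALIDATION":
        # ACM started renewal but could not re-validate; the validation CNAME is
        # usually missing, or an email-validated domain is waiting on approval.
        waiting = [d["DomainName"] for d in renewal.get("DomainValidationOptions", [])
                   if d.get("ValidationStatus") != "SUCCESS"]
        return "CRITICAL", "renewal waiting on validation for " + ", ".join(waiting)
    if not_after is None:
        return "OK", "no expiry date yet (certificate not issued)"
    days_left = (not_after - now).days
    if cert.get("RenewalEligibility") == "INELIGIBLE" and days_left <= warn_days:
        # Imported certificates are never auto-renewed by ACM.
        return "CRITICAL", f"not eligible for auto-renewal and {days_left} days to expiry"
    if days_left <= warn_days:
        # Renewal starts 60 days out, so inside the warning window it should be done.
        return "WARNING", f"{days_left} days to expiry, renewal not completed"
    return "OK", f"{days_left} days to expiry"


# Constructed samples with a fixed clock so the classification is reproducible.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "healthy": {"Status": "ISSUED", "NotAfter": NOW + timedelta(days=200),
                "RenewalEligibility": "ELIGIBLE",
                "RenewalSummary": {"RenewalStatus": "SUCCESS", "DomainValidationOptions": []}},
    "cname_removed": {"Status": "ISSUED", "NotAfter": NOW + timedelta(days=45),
                      "RenewalEligibility": "ELIGIBLE",
                      "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION",
                                         "DomainValidationOptions": [
                                             {"DomainName": "example.com",
                                              "ValidationStatus": "SUCCESS"},
                                             {"DomainName": "*.example.com",
                                              "ValidationStatus": "PENDING_VALIDATION"}]}},
    "imported": {"Status": "ISSUED", "NotAfter": NOW + timedelta(days=20),
                 "RenewalEligibility": "INELIGIBLE"},
}
SAMPLE_EVENT = {"source": "aws.acm",
                "detail-type": "ACM Certificate Renewal Action Required",
                "detail": {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"}}
```

Running certificate_health() over every certificate returned by list_certificates() on a schedule complements the EventBridge rule rather than duplicating it: the rule fires when ACM decides something needs attention, while the scan also catches imported certificates, which ACM never renews and which the renewal events do not cover.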
Private Certificates and Using Certificates with EC2
ACM Private CA (Certificate Authority) lets you issue private certificates for internal use within your organization. It covers use cases that public certificates cannot address, such as mTLS (mutual TLS) authentication between microservices, HTTPS for internal systems, and certificate management for IoT devices. Operating a private CA incurs a monthly fee, but the benefit of centrally managing a large number of certificates is significant. You cannot directly use ACM certificates on web servers (Nginx, Apache) running on EC2 instances. To terminate HTTPS on EC2, you need to either place an ALB in front and associate the ACM certificate with the ALB, or use the ACM integration for Nitro Enclaves. For certificate management in CloudFormation, you can declaratively define certificates using the AWS::CertificateManager::Certificate resource, but the DNS validation CNAME record creation must be defined separately as a Route 53 resource. When sharing certificate ARNs across stacks, exporting them to SSM Parameter Store makes cross-region references straightforward.