AWS Certificate Manager (ACM) Study Guide

AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. It removes the manual process of purchasing, uploading, and renewing SSL/TLS certificates.

Real-World Analogy: Think of ACM as a Digital Passport Office. It doesn’t just issue your passport (SSL Cert); it also tracks the expiration date and automatically sends you a new one in the mail before the old one expires, ensuring you never get stuck at the border (website downtime).

Core Concepts & Configuration

1. Public vs. Private Certificates

ACM provides two main types of certificates. For most SAA-C03 scenarios, you will be dealing with Public certificates used for internet-facing applications.

  • Public Certificates: Issued by Amazon’s own publicly trusted Certificate Authority (Amazon Trust Services). Browsers and operating systems trust them out of the box, and there is no charge for certificates used with ACM-integrated services such as ALB, CloudFront, and API Gateway.
  • Private Certificates: Used for internal communication within an organization (service-to-service TLS, internal APIs, mutual TLS). Requires AWS Private CA, which incurs a monthly fee per CA plus a cost per certificate, and your clients must be configured to trust the private root.

2. Validation Methods

Before ACM issues a public certificate, you must prove you control every domain name on it. There are two ways:

  • DNS Validation (Recommended): ACM gives you a CNAME record to add to the domain’s DNS zone (one per domain name; an apex and its wildcard share the same record). Route 53 makes this a one-click step, and the same record works with any DNS provider. Managed renewal is automatic for as long as the CNAME stays in place, so never delete it after issuance.
  • Email Validation: ACM emails the domain’s registered WHOIS contacts plus admin@, administrator@, hostmaster@, postmaster@, and webmaster@ at the domain, and someone must click the approval link. This is less ideal because a human has to repeat the approval at renewal time.
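The DNS validation flow above, end to end, as an added example (not part of the study guide): request the certificate, poll DescribeCertificate until the validation CNAMEs appear, and publish them to Route 53 with an UPSERT so the step is idempotent. The DescribeCertificate response, its ARN and validation tokens are constructed; the two functions that call AWS need boto3 and credentials and are not exercised offline, while the two pure helpers are.

```python
"""Request a DNS-validated public certificate and publish its validation CNAMEs in Route 53.

pending_domains() and validation_change_batch() are pure and run offline against the
constructed DescribeCertificate response below; request_certificate() and
publish_validation_records() call AWS and need boto3 plus credentials.
"""
from __future__ import annotations

import time

# Constructed sample of a DescribeCertificate response for a certificate that
# covers the apex and a wildcard. ARN and validation tokens are made up.
SAMPLE_DESCRIBE_RESPONSE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
        "DomainName": "example.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {
                    "Name": "_3e6f1a2b4c5d.example.com.",
                    "Type": "CNAME",
                    "Value": "_9c8d7e6f5a4b.acm-validations.aws.",
                },
            },
            {
                # ACM hands out the same CNAME for *.example.com as for example.com
                "DomainName": "*.example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {
                    "Name": "_3e6f1a2b4c5d.example.com.",
                    "Type": "CNAME",
                    "Value": "_9c8d7e6f5a4b.acm-validations.aws.",
                },
            },
        ],
    }
}


def pending_domains(describe_response: dict) -> list[str]:
    """Domains whose DNS validation record ACM has not produced yet.

    Right after RequestCertificate the ResourceRecord fields can be missing for a
    few seconds, so callers poll until this returns an empty list.
    """
    return [
        opt["DomainName"]
        for opt in describe_response["Certificate"].get("DomainValidationOptions", [])
        if opt.get("ValidationMethod") == "DNS" and "ResourceRecord" not in opt
    ]


def validation_change_batch(describe_response: dict, ttl: int = 300) -> dict:
    """Build a Route 53 ChangeBatch with one UPSERT per distinct validation CNAME."""
    cert = describe_response["Certificate"]
    missing = pending_domains(describe_response)
    if missing:
        raise ValueError(f"validation records not available yet for: {missing}")
    seen: set[tuple[str, str, str]] = set()
    changes = []
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS":
            continue
        rr = opt["ResourceRecord"]
        key = (rr["Name"], rr["Type"], rr["Value"])
        if key in seen:  # apex and wildcard share one record; publish it once
            continue
        seen.add(key)
        changes.append({
            "Action": "UPSERT",  # idempotent; the record must stay for managed renewal
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": f"ACM DNS validation for {cert['CertificateArn']}", "Changes": changes}


def request_certificate(domain: str, sans: list[str], region: str = "us-east-1") -> str:
    """Request a public, DNS-validated certificate and return its ARN (calls AWS)."""
    import boto3  # imported lazily so the offline helpers work without boto3

    acm = boto3.client("acm", region_name=region)
    params = {"DomainName": domain, "ValidationMethod": "DNS"}
    if sans:  # the API rejects an empty SubjectAlternativeNames list
        params["SubjectAlternativeNames"] = sans
    return acm.request_certificate(**params)["CertificateArn"]


def publish_validation_records(certificate_arn: str, hosted_zone_id: str,
                               region: str = "us-east-1", attempts: int = 10) -> str:
    """Poll ACM for the validation CNAMEs, write them to Route 53, return the change ID (calls AWS)."""
    import boto3

    acm = boto3.client("acm", region_name=region)
    for _ in range(attempts):
        desc = acm.describe_certificate(CertificateArn=certificate_arn)
        if not pending_domains(desc):
            break
        time.sleep(3)
    else:
        raise RuntimeError("ACM did not produce validation records in time")
    r53 = boto3.client("route53")
    change = r53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=validation_change_batch(desc)
    )
    # ACM polls DNS itself; acm.get_waiter("certificate_validated") blocks until ISSUED.
    return change["ChangeInfo"]["Id"]
```

The region passed to request_certificate is the region the certificate will live in, so use us-east-1 for CloudFront and the load balancer's region for an ALB. Publishing with UPSERT rather than CREATE means re-running the script after a partial failure is harmless.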

3. Key Integrations

ACM-issued public certificates are not installed on EC2 instances (the one exception is ACM for Nitro Enclaves, which binds a certificate to an enclave so NGINX or Apache on the instance can serve TLS without the private key ever being exposed to the instance). Instead, they are deployed to “front-door” services that terminate TLS:

  • Elastic Load Balancing (ALB/NLB): Terminate HTTPS (ALB listener) or TLS (NLB listener) at the load balancer. The certificate must be in the same region as the load balancer.
  • Amazon CloudFront: For global content delivery. Note: the certificate must be in the us-east-1 region to be attached to a CloudFront distribution.
  • Amazon API Gateway: For custom domain names on your APIs. Regional endpoints use a certificate in the API’s region; edge-optimized endpoints are fronted by CloudFront and therefore need one in us-east-1.
  • AWS App Runner: For containerized web applications with custom domains.

Comparison: Public vs. Private CA

Feature      ACM Public Certificates                  AWS Private CA
Cost         Free                                     Paid (monthly fee per CA + per certificate)
Trust        Publicly trusted by browsers             Private trust (internal only)
Renewal      Fully managed/automatic                  Managed for certificates issued through ACM; manual once exported
Exportable   No (private keys stay in ACM)            Yes (can be exported for EC2/on-prem)

Exam Tips and Gotchas

  • The CloudFront Rule: To use an ACM certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) / us-east-1 region. ACM certificates are regional resources, so for everything else (ALB, NLB, regional API Gateway endpoints) the certificate must live in the same region as the resource it is attached to.
  • No Direct EC2 Install: You cannot download the private key of a standard public ACM certificate to install it directly on an Apache or Nginx server on EC2. You must put an ALB, NLB, or CloudFront in front of the EC2 instance (or use ACM for Nitro Enclaves). ACM has since added an option to request exportable public certificates for a per-certificate fee, but the exam answer remains the load balancer or CloudFront.
  • Managed Renewal: DNS validation is superior for automation: ACM renews on its own as long as the validation CNAME still resolves. With Email validation, renewal waits for a human to approve the email; if the admin ignores it, the cert expires and the site goes down. Whichever method you use, monitor expiry independently: ACM publishes an “ACM Certificate Approaching Expiration” event to EventBridge daily starting 45 days before expiry, and the AWS Config managed rule acm-certificate-expiration-check flags certificates nearing expiry.
  • Imported Certificates: You can import 3rd party certificates into ACM, but ACM does not renew imported certificates. You are responsible for monitoring expiry and re-importing; passing the existing certificate ARN to ImportCertificate replaces the certificate in place, so load balancers and distributions that reference that ARN pick up the new one without reconfiguration.
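A renewal-risk audit covering the gotchas above, as an added example (not part of the study guide): it flags imported certificates (never renewed by ACM), email-validated ones (renewal blocked on a human), anything ACM itself reports as ineligible for managed renewal, and anything inside the 45-day window in which ACM starts raising expiration events. The three certificate records and their ARNs and dates are constructed; fetch_certificates() is the only function that talks to AWS and is not exercised offline.

```python
"""Audit ACM certificates for renewal risk.

audit_certificate() and audit_certificates() are pure and run offline against the
constructed records below; fetch_certificates() calls ACM and needs boto3 plus credentials.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed clock for the sample data

# Constructed subset of DescribeCertificate output; ARNs and dates are made up.
SAMPLE_CERTIFICATES = [
    {   # Amazon-issued, DNS validated, far from expiry: nothing to do
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000001",
        "DomainName": "www.example.com",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "NotAfter": NOW + timedelta(days=200),
        "RenewalEligibility": "ELIGIBLE",
        "DomainValidationOptions": [{"DomainName": "www.example.com", "ValidationMethod": "DNS"}],
    },
    {   # Imported from a third-party CA: ACM never renews these
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000002",
        "DomainName": "legacy.example.com",
        "Type": "IMPORTED",
        "Status": "ISSUED",
        "NotAfter": NOW + timedelta(days=20),
        "RenewalEligibility": "INELIGIBLE",
    },
    {   # Email validated: renewal needs a human to approve ACM's email
        "CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000003",
        "DomainName": "old.example.com",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "NotAfter": NOW + timedelta(days=40),
        "RenewalEligibility": "ELIGIBLE",
        "DomainValidationOptions": [{"DomainName": "old.example.com", "ValidationMethod": "EMAIL"}],
    },
]


def audit_certificate(cert: dict, now: datetime, warn_days: int = 45) -> list[str]:
    """Return human-readable findings for one certificate (empty list means healthy)."""
    findings: list[str] = []
    days_left = (cert["NotAfter"] - now).days
    validation = {o.get("ValidationMethod") for o in cert.get("DomainValidationOptions", [])}

    if cert.get("Type") == "IMPORTED":
        findings.append(f"imported certificate: ACM will not renew it, re-import a new one before {cert['NotAfter'].date()}")
    elif "EMAIL" in validation:
        findings.append("email validated: renewal requires someone to approve ACM's validation email")
    elif cert.get("RenewalEligibility") == "INELIGIBLE":
        findings.append("ACM reports RenewalEligibility=INELIGIBLE, managed renewal will not happen")

    if days_left <= warn_days:
        # 45 days is when ACM starts emitting "ACM Certificate Approaching Expiration" events
        findings.append(f"expires in {days_left} days ({cert['NotAfter'].date()})")
    return findings


def audit_certificates(certs: list[dict], now: datetime, warn_days: int = 45) -> dict[str, list[str]]:
    """Map CertificateArn -> findings, omitting certificates that have none."""
    report: dict[str, list[str]] = {}
    for cert in certs:
        findings = audit_certificate(cert, now, warn_days)
        if findings:
            report[cert["CertificateArn"]] = findings
    return report


def fetch_certificates(region: str) -> list[dict]:
    """Describe every certificate in one region (calls AWS; needs boto3 + credentials)."""
    import boto3  # imported lazily so the offline audit works without boto3

    acm = boto3.client("acm", region_name=region)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs


if __name__ == "__main__":
    for arn, findings in audit_certificates(SAMPLE_CERTIFICATES, NOW).items():
        print(arn)
        for finding in findings:
            print("  -", finding)
```

Run it against fetch_certificates(region) for each region you use, since certificates are regional and a CloudFront certificate in us-east-1 is easy to forget when the rest of the stack lives elsewhere.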

Decision Matrix / If–Then Guide

  • If you need a free SSL cert for a public website on ALB… Then use ACM Public Cert with DNS Validation.
  • If you need SSL for CloudFront… Then request the ACM cert in us-east-1.
  • If you need to use SSL on a private backend server not behind a Load Balancer… Then use AWS Private CA (Exportable).
  • If you need to manage certificates for 3rd party apps on-premises… Then use AWS Private CA.

Topics Covered

Summary of key subtopics in this guide:

  • Public vs. Private Certificate Authorities (CA).
  • DNS vs. Email Domain Validation.
  • Regional constraints for CloudFront (us-east-1).
  • Managed renewal processes and limitations.
  • Integrations with ALB, API Gateway, and CloudFront.
  • The inability to export public certificate private keys.

AWS Certificate Manager (ACM) Architecture

[Architecture diagram: Domain Owner → ACM (Provision & Renew) → CloudFront (Global) / ALB (Regional)]
Service Ecosystem

Integrations: Seamlessly works with ELB, CloudFront, API Gateway, and CloudFormation. Security: ACM stores certificate private keys encrypted under an AWS KMS key and uses KMS grants so that only the integrated service the certificate is deployed to (for example ELB) can decrypt them.

Performance & Scaling

Automation: ACM handles the heavy lifting of renewal, issuing the renewed certificate with a fresh key pair and swapping it into the associated resources without a deployment. Latency: No performance hit on the application, since TLS handshakes terminate at the AWS infrastructure edge (ALB/CloudFront) rather than on your instances; note that traffic from the load balancer to its targets is plaintext unless you configure HTTPS targets.

Cost Optimization

Public Certs: $0 cost. Highly recommended for all public web traffic. Private CA: Use sparingly for internal-only compliance requirements to minimize CA monthly fees.

Production Use Case

A SaaS company hosts a multi-tenant application. They use ACM with DNS validation and Route 53 to manage hundreds of subdomains. By using wildcard certificates (e.g., *.example.com), they secure all customer subdomains with a single ACM resource that renews automatically, ensuring zero downtime due to expired certificates. Two caveats: a wildcard covers exactly one label, so *.example.com matches tenant1.example.com but neither example.com itself nor api.tenant1.example.com (add the apex and any deeper wildcard as extra names on the same certificate), and an ACM certificate holds 10 domain names by default (a quota that can be raised to 100).
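A coverage check for the wildcard caveat, as an added example (not part of the study guide): hostname_matches() applies the rules browsers use for certificate names, where a wildcard must be the whole left-most label and stands for exactly one label, and suggest_cert_names() turns a list of tenant hostnames into the apex-plus-wildcard name set such a certificate needs. All hostnames are constructed.

```python
"""Decide which hostnames a certificate's names actually cover.

Matching follows the rules browsers apply to certificate names (RFC 6125): a
wildcard must be the entire left-most label and matches exactly one label, so
"*.example.com" covers "t1.example.com" but not "example.com" or "a.t1.example.com".
"""
from __future__ import annotations

ACM_DEFAULT_NAMES_PER_CERT = 10  # default quota; can be raised via Service Quotas up to 100


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """True if `hostname` is covered by `cert_name` (a CN or SAN entry)."""
    host = hostname.lower().rstrip(".")
    name = cert_name.lower().rstrip(".")
    if not name.startswith("*."):
        return host == name                 # plain name: exact match only
    suffix = name[1:]                       # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]            # what the wildcard would stand for
    # exactly one non-empty label: "" is the apex, "a.b" would be two levels
    return label != "" and "." not in label


def uncovered_hosts(hosts: list[str], cert_names: list[str]) -> list[str]:
    """Hostnames that none of the certificate's names cover."""
    return [h for h in hosts if not any(hostname_matches(h, n) for n in cert_names)]


def suggest_cert_names(hosts: list[str]) -> list[str]:
    """Smallest apex-plus-wildcard name set that covers every host.

    A host with three or more labels is covered by a wildcard on its parent
    (t1.example.com -> *.example.com); a two-label host is listed as-is.
    """
    names: set[str] = set()
    for h in hosts:
        host = h.lower().rstrip(".")
        labels = host.split(".")
        if len(labels) >= 3:
            names.add("*." + ".".join(labels[1:]))
        else:
            names.add(host)
    suggestion = sorted(names)
    if len(suggestion) > ACM_DEFAULT_NAMES_PER_CERT:
        raise ValueError(f"{len(suggestion)} names exceed the default ACM quota; request a quota increase or split certificates")
    return suggestion


if __name__ == "__main__":
    tenants = ["example.com", "t1.example.com", "t2.example.com", "api.t1.example.com"]
    print("uncovered by *.example.com alone:", uncovered_hosts(tenants, ["*.example.com"]))
    print("names to request:", suggest_cert_names(tenants))
```

The takeaway for the SaaS scenario: request example.com and *.example.com on one certificate, and add a deeper wildcard such as *.t1.example.com only if tenants get their own sub-subdomains.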
