AWS Certificate Manager Commands

Guide to managing SSL/TLS certificates using AWS Certificate Manager (ACM) through AWS CLI.

Prerequisites and Setup

Install AWS CLI

Install and configure AWS CLI:

# Install AWS CLI (macOS)
brew install awscli

# Install AWS CLI (Linux)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

# Configure AWS CLI
aws configure
# Enter: AWS Access Key ID, Secret Access Key, Default region, Output format
# Prefer an IAM role or an SSO profile over long-lived access keys where you can;
# the identity needs the relevant acm: permissions (plus route53:ChangeResourceRecordSets
# if you automate DNS validation as shown later on this page)

Set default region

ACM certificates are region-specific:

# Set region for session
export AWS_DEFAULT_REGION=us-east-1

# Or specify region in each command
aws acm list-certificates --region us-east-1

Requesting Certificates

Request public certificate

Request free SSL/TLS certificate from AWS:

# Request certificate for single domain
aws acm request-certificate \
  --domain-name example.com \
  --validation-method DNS

# Request with Subject Alternative Names
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names www.example.com api.example.com \
  --validation-method DNS

# Request wildcard certificate
aws acm request-certificate \
  --domain-name "*.example.com" \
  --subject-alternative-names example.com \
  --validation-method DNS

Email validation method

Use email validation instead of DNS. ACM mails the domain's registered WHOIS contacts and the standard addresses (admin@, administrator@, hostmaster@, postmaster@, webmaster@), and every renewal needs someone to answer those emails, so prefer DNS validation where possible:

aws acm request-certificate \
  --domain-name example.com \
  --validation-method EMAIL

Add tags to certificate

Tag certificates for organization:

aws acm request-certificate \
  --domain-name example.com \
  --validation-method DNS \
  --tags Key=Environment,Value=Production Key=Application,Value=WebServer

Certificate Validation

Get validation records

Retrieve DNS records for validation:

# Get certificate details
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id

# Extract validation records (using jq)
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id \
  | jq -r '.Certificate.DomainValidationOptions[]'

Automated DNS validation with Route53

Script to automatically create validation records. Run it a few seconds after request-certificate: ACM only generates the ResourceRecord for each name once the request is registered, and the --query projection silently drops names that do not have one yet. A wildcard and its apex share the same CNAME, which is harmless because UPSERT is idempotent:

#!/bin/bash
set -euo pipefail
CERT_ARN="arn:aws:acm:region:account:certificate/cert-id"
HOSTED_ZONE_ID="Z1234567890ABC"

# Get validation records, one compact JSON object per line
aws acm describe-certificate --certificate-arn "$CERT_ARN" \
  --query 'Certificate.DomainValidationOptions[].ResourceRecord' \
  --output json | jq -c '.[]' | while read -r record; do
  NAME=$(jq -r .Name <<< "$record")
  TYPE=$(jq -r .Type <<< "$record")
  VALUE=$(jq -r .Value <<< "$record")

  # Create Route53 record; let jq build the JSON so the values are quoted safely
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(jq -n --arg name "$NAME" --arg type "$TYPE" --arg value "$VALUE" '{
      Changes: [{
        Action: "UPSERT",
        ResourceRecordSet: {
          Name: $name,
          Type: $type,
          TTL: 300,
          ResourceRecords: [{Value: $value}]
        }
      }]
    }')"
done
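The shell loop above issues one Route53 change per validation record and assumes every name lives in the same hosted zone. The following Python script is an added example (not from the original page or from AWS) that reads the JSON printed by aws acm describe-certificate and builds a single Route53 change batch instead: it deduplicates the shared wildcard/apex CNAME (Route53 rejects a change batch that touches the same record set twice), skips names whose ResourceRecord ACM has not generated yet, and can restrict the batch to the records that belong to one hosted zone so a multi-domain certificate can be validated zone by zone. The file names in the usage comment are hypothetical and the sample describe-certificate output is constructed for the example.

```python
"""Build the Route53 change batch for ACM DNS validation from describe-certificate output.

Usage (hypothetical file names):
  aws acm describe-certificate --certificate-arn <arn> --output json > cert.json
  python3 acm_validation_batch.py cert.json example.com > batch.json
  aws route53 change-resource-record-sets --hosted-zone-id <zone-id> --change-batch file://batch.json
"""
import json
import sys

# Constructed sample of describe-certificate output, trimmed to the relevant fields.
# *.example.com and example.com share one validation CNAME, api.example.org lives in a
# different hosted zone, and new.example.com has no ResourceRecord yet (ACM fills it in
# a few seconds after the request).
SAMPLE_DESCRIBE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example-id",
        "DomainName": "*.example.com",
        "DomainValidationOptions": [
            {"DomainName": "*.example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
            {"DomainName": "example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
            {"DomainName": "api.example.org", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_ghi789.api.example.org.", "Type": "CNAME",
                                "Value": "_jkl012.acm-validations.aws."}},
            {"DomainName": "new.example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION"},
        ],
    }
}


def in_zone(record_name, zone_name):
    """True if record_name is zone_name itself or a name below it."""
    name = record_name.rstrip(".").lower()
    zone = zone_name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def validation_records(describe_output, zone_name=None):
    """Distinct DNS validation records, optionally only those inside one hosted zone.

    Deduplication matters: Route53 rejects a change batch that contains the same
    record set twice, and a wildcard plus its apex always share one CNAME.
    """
    seen, records = set(), []
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rr:
            continue  # email-validated, or ACM has not generated the challenge yet
        if zone_name and not in_zone(rr["Name"], zone_name):
            continue
        key = (rr["Name"].lower(), rr["Type"], rr["Value"])
        if key not in seen:
            seen.add(key)
            records.append({"Name": rr["Name"], "Type": rr["Type"], "Value": rr["Value"]})
    return records


def change_batch(records, ttl=300):
    """Route53 ChangeBatch document; UPSERT makes re-running it idempotent."""
    return {
        "Comment": "ACM DNS validation",
        "Changes": [
            {"Action": "UPSERT",
             "ResourceRecordSet": {"Name": r["Name"], "Type": r["Type"], "TTL": ttl,
                                   "ResourceRecords": [{"Value": r["Value"]}]}}
            for r in records
        ],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_DESCRIBE
    zone = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(change_batch(validation_records(data, zone)), indent=2))
```

After applying the batch, aws acm wait certificate-validated --certificate-arn <arn> blocks until ACM has seen the records (or times out), which is a cleaner signal than polling describe-certificate by hand. Run the script once per hosted zone when a certificate's SANs span several zones; the zone argument keeps records for other zones out of the batch.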

Listing and Describing Certificates

List all certificates

View all ACM certificates in region:

# List all certificates
aws acm list-certificates

# List with specific status
aws acm list-certificates --certificate-statuses ISSUED

# List expired certificates
aws acm list-certificates --certificate-statuses EXPIRED

# List pending validation
aws acm list-certificates --certificate-statuses PENDING_VALIDATION

Describe certificate details

Get full certificate information:

# Full certificate details
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id

# Get expiration date
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id \
  --query 'Certificate.NotAfter' --output text

# Get domain names
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id \
  --query 'Certificate.SubjectAlternativeNames' --output json

List certificates by tag

Find certificates with specific tags (ACM has no server-side tag filter, so loop over the certificates, or query the Resource Groups Tagging API instead):

# List tags for certificate
aws acm list-tags-for-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id

# Find certificates with specific tag (requires scripting; quote the ARN variables)
for cert in $(aws acm list-certificates --query 'CertificateSummaryList[].CertificateArn' --output text); do
  tags=$(aws acm list-tags-for-certificate --certificate-arn "$cert" --query 'Tags[?Key==`Environment`].Value' --output text)
  if [ "$tags" = "Production" ]; then
    echo "$cert"
  fi
done

Importing External Certificates

Import third-party certificate

Import a PEM-encoded certificate from an external CA. The private key must be unencrypted, the chain file holds the intermediate certificates (not the leaf and not the root), and because the key is uploaded to and stored by ACM, delete the local copy afterwards unless something else needs it:

# Import certificate with chain
aws acm import-certificate \
  --certificate fileb://certificate.crt \
  --private-key fileb://private-key.pem \
  --certificate-chain fileb://certificate-chain.crt

# Import without chain (self-signed)
aws acm import-certificate \
  --certificate fileb://certificate.crt \
  --private-key fileb://private-key.pem

Reimport/renew imported certificate

Update an existing imported certificate in place. The ARN stays the same, so every resource using it picks up the new certificate without reconfiguration; ACM never auto-renews imported certificates, so this step has to be scheduled before expiry:

aws acm import-certificate \
  --certificate-arn arn:aws:acm:region:account:certificate/cert-id \
  --certificate fileb://new-certificate.crt \
  --private-key fileb://private-key.pem \
  --certificate-chain fileb://certificate-chain.crt

Certificate Renewal

Automatic renewal

ACM-issued certificates renew automatically; ACM starts the renewal attempt about 60 days before expiry:

# ACM automatically renews a certificate if:
# 1. It is associated with an AWS resource (ALB, CloudFront, etc.); unused certificates are INELIGIBLE
# 2. For DNS validation, the validation CNAME records are still in place
#    (email-validated certificates instead need someone to approve the renewal email)
# Imported certificates are never renewed by ACM

# Check renewal eligibility
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id \
  --query 'Certificate.RenewalEligibility' --output text

# Check renewal status
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id \
  --query 'Certificate.RenewalSummary' --output json

Monitor expiring certificates

Check for certificates expiring soon:

#!/bin/bash
# Find certificates expiring in 30 days
set -euo pipefail
THRESHOLD=$(date -d "+30 days" +%s 2>/dev/null || date -v+30d +%s)

# --output text prints all ARNs tab-separated on one line, so split them first
aws acm list-certificates --query 'CertificateSummaryList[].CertificateArn' --output text \
  | tr '\t' '\n' | while read -r arn; do
  [ -n "$arn" ] || continue
  # One describe call per certificate; the three fields come back tab-separated
  IFS=$'\t' read -r DOMAIN EXPIRY ELIGIBLE <<< "$(aws acm describe-certificate --certificate-arn "$arn" \
    --query '[Certificate.DomainName, Certificate.NotAfter, Certificate.RenewalEligibility]' --output text)"
  [ "$EXPIRY" != "None" ] || continue   # pending or failed certificates have no NotAfter
  # GNU date parses ISO 8601 directly; BSD date needs the "+00:00" offset written as "+0000"
  EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s 2>/dev/null \
    || date -j -f "%Y-%m-%dT%H:%M:%S%z" "${EXPIRY%:*}${EXPIRY##*:}" +%s)

  if [ "$EXPIRY_EPOCH" -lt "$THRESHOLD" ]; then
    echo "Certificate for $DOMAIN ($arn) expires on $EXPIRY, renewal eligibility: $ELIGIBLE"
  fi
done
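A date threshold alone does not tell you whether anyone has to do something: an ACM-issued certificate that is in use and DNS-validated renews itself, while an imported one, an unused one, or one whose validation CNAME was deleted will simply expire. The script below is an added example (not from the original page or from AWS) that reads the Certificate objects printed by aws acm describe-certificate and turns Type, RenewalEligibility, RenewalSummary and NotAfter into a verdict per certificate. It accepts both the ISO 8601 timestamps of AWS CLI v2 and the epoch seconds older CLI versions print. The reference time, the sample certificates and the certs.json file name are constructed for the example; the 60-day renewal window is ACM's documented behaviour.

```python
"""Flag ACM certificates that will not renew themselves before they expire.

Input is the Certificate object printed by `aws acm describe-certificate`, collected
for every ARN returned by `aws acm list-certificates` (hypothetical file certs.json
holding a JSON list of those objects).
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample certificates (not real AWS output).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def _sample(cert_id, domain, days, **extra):
    cert = {
        "CertificateArn": f"arn:aws:acm:us-east-1:123456789012:certificate/{cert_id}",
        "DomainName": domain,
        "Status": "ISSUED",
        "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "ELIGIBLE",
    }
    if days is not None:
        cert["NotAfter"] = (NOW + timedelta(days=days)).isoformat()
    cert.update(extra)
    return cert


SAMPLE_CERTS = [
    _sample("aaaa", "www.example.com", 200),                               # healthy and in use
    _sample("bbbb", "legacy.example.com", None, Type="IMPORTED", RenewalEligibility="INELIGIBLE",
            NotAfter=int((NOW + timedelta(days=20)).timestamp())),          # CLI v1 epoch timestamp
    _sample("cccc", "unused.example.com", 25, RenewalEligibility="INELIGIBLE"),  # attached to nothing
    _sample("dddd", "api.example.com", 10, RenewalSummary={"RenewalStatus": "FAILED",
            "RenewalStatusReason": "DNS_VALIDATION_ERROR"}),               # validation CNAME removed
    _sample("eeee", "old.example.com", -5, Status="EXPIRED"),
    _sample("ffff", "new.example.com", None, Status="PENDING_VALIDATION"),
]


def parse_time(value):
    """AWS CLI v2 prints ISO 8601 timestamps; CLI v1 may print epoch seconds."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def assess(cert, now=None, warn_days=30):
    """Return (arn, days_left, verdict); verdicts starting with ACTION need a human.

    ACM starts auto-renewal about 60 days before expiry, so an eligible certificate
    that is still inside warn_days has either failed renewal or is cutting it close.
    """
    now = now or datetime.now(timezone.utc)
    arn = cert["CertificateArn"]
    if cert.get("NotAfter") is None:
        return arn, None, f"INFO: no expiry yet, status {cert.get('Status')}"
    days_left = (parse_time(cert["NotAfter"]) - now).days
    if cert.get("Status") == "EXPIRED" or days_left < 0:
        return arn, days_left, "ACTION: expired"
    if days_left > warn_days:
        return arn, days_left, "ok"
    if cert.get("Type") == "IMPORTED":
        return arn, days_left, "ACTION: imported certificate, ACM never renews these; re-import a new one"
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        return arn, days_left, "ACTION: ineligible for auto-renewal (usually not associated with any resource)"
    if cert.get("RenewalSummary", {}).get("RenewalStatus") == "FAILED":
        reason = cert["RenewalSummary"].get("RenewalStatusReason", "unknown")
        return arn, days_left, f"ACTION: auto-renewal failed ({reason}); check the validation CNAMEs"
    return arn, days_left, f"WARN: eligible but under {warn_days} days left; verify validation records resolve"


def needs_action(certs, now=None, warn_days=30):
    """Only the rows an operator must act on, soonest expiry first."""
    rows = [assess(c, now, warn_days) for c in certs]
    return sorted((r for r in rows if r[2].startswith("ACTION")), key=lambda r: r[1])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            certs, now = json.load(fh), None
    else:
        certs, now = SAMPLE_CERTS, NOW
    for arn, days, verdict in (assess(c, now) for c in certs):
        print(f"{verdict:<70} {days!s:>5} days  {arn}")
```

Wire needs_action into whatever pages you (a cron job, a Lambda, a CI step); the ACTION rows are the ones where waiting for ACM will not help. Because ACM updates NotAfter when a renewal succeeds, a certificate that stays inside the warning window with RenewalEligibility ELIGIBLE is itself a signal that the validation records should be checked.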

Using Certificates with AWS Services

Attach to Application Load Balancer

Configure ALB with ACM certificate:

# Add HTTPS listener to ALB; the certificate must be in the same region as the ALB,
# and pinning a modern TLS policy is better than relying on the default
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:region:account:loadbalancer/app/my-alb/id \
  --protocol HTTPS \
  --port 443 \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --certificates CertificateArn=arn:aws:acm:region:account:certificate/cert-id \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:account:targetgroup/my-targets/id

Attach to CloudFront distribution

Use ACM certificate with CloudFront (must be in us-east-1):

# CloudFront requires certificate in us-east-1 region
# Create distribution with custom SSL certificate
aws cloudfront create-distribution \
  --distribution-config file://distribution-config.json

# distribution-config.json must include:
{
  "ViewerCertificate": {
    "ACMCertificateArn": "arn:aws:acm:us-east-1:account:certificate/cert-id",
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1.2_2021"
  }
}

Deleting Certificates

Delete certificate

Remove certificate from ACM:

# Check whether the certificate is in use first; deleting an attached certificate
# fails with ResourceInUseException, so detach it from the listed resources beforehand
aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id \
  --query 'Certificate.InUseBy' --output json

# Delete certificate (must not be in use)
aws acm delete-certificate --certificate-arn arn:aws:acm:region:account:certificate/cert-id

Important Notes

Free Certificates:

ACM public certificates are free. You only pay for AWS resources that use them (ALB, CloudFront, etc.).

Regional Service:

ACM certificates are region-specific. For CloudFront, certificate MUST be in us-east-1 region.

Cannot Export Private Keys:

Private keys for ACM-issued certificates never leave ACM and cannot be exported (the exception is a certificate explicitly requested as exportable, a newer, paid option). Use imported certificates if you need a key you also hold yourself.

Automatic Renewal:

ACM auto-renews certificates if they are in use and the DNS validation records still exist, starting about 60 days before expiry. Imported certificates are never renewed. Monitor RenewalEligibility and RenewalSummary regularly.

Validation Methods:

DNS validation is recommended over email. It is easier to automate, and renewals complete without anyone having to approve an email.

Wildcard Certificates:

Wildcard certs (*.example.com) cover a single label only: neither the root domain example.com nor deeper names such as a.b.example.com. Request *.example.com and example.com together as SANs.

Usage Restrictions:

ACM certificates can only be used with integrated AWS services (ALB, CloudFront, API Gateway, etc.). They cannot be installed on EC2 instances directly; ACM for Nitro Enclaves is the one exception.

Documentation:

AWS ACM docs: docs.aws.amazon.com/acm

AWS CLI ACM reference: docs.aws.amazon.com/cli/latest/reference/acm