Renewing certificates in a private PKI - AWS Certificate Manager
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门


Renewing certificates in a private PKI

ACM certificates that were signed by a private CA from ACM Private CA are eligible for managed renewal. Unlike publicly trusted ACM certificates, a certificate for a private PKI requires no validation. Trust is established when an administrator installs the appropriate root CA certificate in client trust stores.


Only certificates obtained using the ACM console or the RequestCertificate action of the ACM API are eligible for managed renewal. Certificates issued directly from ACM Private CA using the IssueCertificate action of the PCA API are not managed by ACM.

When a certificate is 60 days away from expiration, ACM automatically attempts to renew it. This includes certificates that were exported and installed manually (for example, in an on-premises data center). Customers can also force renewal at any time using the RenewCertificate action of the ACM API. For a sample Java implementation of forced renewal, see 续订证书.

After renewal, a certificate's deployment into service occurs in one of the following ways:

  • If the certificate is associated with an ACM integrated service, the new certificate replaces the old one without additional customer action.

  • If the certificate is not associated with an ACM integrated service, customer action is required to export and install the renewed certificate. You can perform these actions manually, or with assistance from AWS 运行状况, Amazon EventBridge, and AWS Lambda as follows:

    1. Create a rule in EventBridge to listen for ACM health events. ACM writes to a health event each time it attempts to renew a certificate. For more information about these notices, see Check the status using Personal Health Dashboard (PHD).

    2. In the EventBridge rule, add a target to invoke Lambda.

    3. In the Lambda function, call the ExportCertificate action of the ACM API.

    4. Complete the renewal process by manually installing the certificate on the target system.