Managed renewal for ACM certificates - Amazon Certificate Manager

Managed renewal for ACM certificates

ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This means that ACM will either renew your certificates automatically (if you are using DNS validation), or it will send you email notices when expiration is approaching. These services are provided for both public and private ACM certificates.

A certificate is eligible for automatic renewal subject to the following considerations:

  • ELIGIBLE if associated with another Amazon service, such as Elastic Load Balancing or CloudFront.

  • ELIGIBLE if exported since being issued or last renewed.

  • NOT ELIGIBLE if imported.

  • NOT ELIGIBLE if already expired.

Additionally, the following Punycode requirements relating to Internationalized Domain Names must be fulfilled:

  1. Domain names beginning with the pattern "<character><character>--" must match "xn--".

  2. Domain names beginning with "xn--" must also be valid Internationalized Domain Names.

Punycode examples

| Domain Name | Fulfills #1 | Fulfills #2 | Allowed | Note |
|---|---|---|---|---|
| example.com | n/a | n/a | | Does not start with "<character><character>--" |
| a--example.com | n/a | n/a | | Does not start with "<character><character>--" |
| abc--example.com | n/a | n/a | | Does not start with "<character><character>--" |
| xn--xyz.com | Yes | Yes | | Valid Internationalized Domain Name (resolves to 简.com) |
| xn--example.com | Yes | No | | Not a valid Internationalized Domain Name |
| ab--example.com | No | No | | Must start with "xn--" |
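To pre-check domain names against the two Punycode requirements before relying on managed renewal, the following added example (not part of the AWS documentation and not ACM's own validation code) applies both rules to each DNS label. It assumes that Python's built-in `idna` codec (IDNA 2003) is an acceptable stand-in for "valid Internationalized Domain Name", that the rules apply to every label rather than only the first, and that a name is allowed when it breaks neither rule; `check_label` and `check_domain` are hypothetical helper names.

```python
import re

# Rule 1 pattern: any two characters followed by "--" at the start of a label.
RESERVED = re.compile(r"^..--")


def check_label(label):
    """Return (fulfills_1, fulfills_2) for one DNS label; None means n/a."""
    if not RESERVED.match(label):
        return None, None            # neither rule applies to this label
    if not label.lower().startswith("xn--"):
        return False, False          # rule 1 broken, so rule 2 cannot hold
    try:
        # The codec decodes the Punycode and raises UnicodeError when the
        # result does not round-trip to the same A-label (assumed meaning
        # of "valid Internationalized Domain Name").
        label.encode("ascii").decode("idna")
    except UnicodeError:
        return True, False
    return True, True


def check_domain(name):
    """Return (fulfills_1, fulfills_2, allowed) for a whole domain name."""
    results = [check_label(part) for part in name.rstrip(".").split(".")]
    applicable = [r for r in results if r != (None, None)]
    if not applicable:
        return None, None, True      # no label starts with "<c><c>--"
    f1 = all(r[0] for r in applicable)
    f2 = all(r[1] for r in applicable)
    return f1, f2, f1 and f2


if __name__ == "__main__":
    # The six domain names from the Punycode examples table.
    for domain in ("example.com", "a--example.com", "abc--example.com",
                   "xn--xyz.com", "xn--example.com", "ab--example.com"):
        print(domain, check_domain(domain))
```

ACM's own validation may follow a different IDNA revision, so treat a pass here as a pre-check rather than a guarantee of renewal eligibility.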

When ACM renews a certificate, the certificate's Amazon Resource Name (ARN) remains the same. Also, ACM certificates are regional resources. If you have certificates for the same domain name in multiple Amazon Regions, each of these certificates must be renewed independently.