ACM
AWS Certificate Manager provides two services:
- a fully-managed, pay-as-you-go private CA for provisioning, managing, and deploying certificates to both AWS services and on-premises resources; and
- automated, cost-free issuance of public certificates for AWS services such as Elastic Load Balancing and API Gateway.
Public certificates
Public certificates that ACM issues for AWS services are free, with the caveat that you never get access to the private key and cannot move the certificate outside of AWS.
Private CA
Private CA runs a fully-managed certificate authority, which also hosts the CRL distribution point and OCSP responder for the certificates it issues.
Certificate management
The private CA allows you to centrally manage all certificates issued beneath your on-premises root CA, with the private CA acting as an intermediate CA chained to that root. The service can automatically renew certificates as they approach expiry.
CRLs are issued automatically.
Security
Certificates and private keys are stored in HSMs. As with other AWS services, access controls are defined using IAM policies.
Auditing
ACM lets you generate audit reports of certificate events, and all API calls are also logged to CloudTrail.
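Since the IAM permissions and the CloudTrail log are the two controls the note leans on, here is an added example (not from the original note or from AWS) that triages CloudTrail records for Private CA and ACM calls: it flags CA lifecycle and trust changes, certificate issuance by any principal outside an approved set, and denied calls. The allow-list, the approved role name and the newline-delimited sample records are all constructed assumptions.

```python
"""Triage CloudTrail records for AWS Private CA (acm-pca) and ACM actions."""
import json

# Constructed assumption: only the CI pipeline role may issue certificates.
APPROVED_ISSUERS = {"arn:aws:sts::111122223333:assumed-role/CertPipelineRole/ci"}

# Actions that change the CA, its trust relationships, or move key material;
# every occurrence is worth a review, whoever made the call.
ALWAYS_ALERT = {
    "acm-pca.amazonaws.com": {"CreateCertificateAuthority", "DeleteCertificateAuthority",
                              "RevokeCertificate", "CreatePermission", "PutPolicy"},
    "acm.amazonaws.com": {"DeleteCertificate", "ExportCertificate"},
}

def classify(record):
    """Return (eventName, principal ARN, reason) if the record merits review, else None."""
    src, name = record.get("eventSource"), record.get("eventName")
    who = record.get("userIdentity", {}).get("arn", "<unknown>")
    if src not in ALWAYS_ALERT:          # not an ACM or Private CA call
        return None
    if record.get("errorCode") == "AccessDenied":
        return (name, who, "denied call: check for probing or a misconfigured role")
    if name in ALWAYS_ALERT[src]:
        return (name, who, "sensitive CA/certificate lifecycle action")
    if src == "acm-pca.amazonaws.com" and name == "IssueCertificate" and who not in APPROVED_ISSUERS:
        return (name, who, "issuance by a principal outside the approved set")
    return None

def triage(log_text):
    """Parse newline-delimited CloudTrail records and return all findings in order."""
    findings = []
    for line in log_text.strip().splitlines():
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings

# Constructed sample records (one JSON object per line, trimmed to the fields used above).
SAMPLE_LOG = """
{"eventSource": "acm-pca.amazonaws.com", "eventName": "IssueCertificate", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/CertPipelineRole/ci"}}
{"eventSource": "acm-pca.amazonaws.com", "eventName": "IssueCertificate", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}
{"eventSource": "acm-pca.amazonaws.com", "eventName": "DeleteCertificateAuthority", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}
{"eventSource": "acm.amazonaws.com", "eventName": "ExportCertificate", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}}
{"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}}
"""

if __name__ == "__main__":
    for name, who, reason in triage(SAMPLE_LOG):
        print(f"{name:28} {who:70} {reason}")
```

The pipeline role's IssueCertificate and the unrelated S3 call produce no finding; the three remaining records do.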