AWS Certificate Manager provides two services:

  • a fully-managed, pay as you go private CA for provisioning, managing, and deploying certificates across both AWS services and on-premises resources; and
  • automated and cost-free issuing of public certificates for AWS services such as Elastic Load Balancing and API Gateway.

Public certificates

Public certificates issued for AWS for public services are free, with the caveat that you don't get access to the private key and cannot relocate the certificate outside of AWS.

Private CA

Private CA runs a fully-managed certificate authority, which hosts CRLs and OCSP servers.

Certificate management

The private CA allows you to centrally manage all certificates issued below your on-premises root (intermediate) CA. The service can automatically renew certificates as they approach their expiry.

CRLs are issued automatically.


Certificates and private keys are stored securely in HSMs. As with other AWS services, access controls can be defined using IAM policies.


ACM allows you to view audit reports for events, and events are also written to CloudTrail.