AWS Certificate Manager (ACM)

AWS Certificate Manager (ACM) is Amazon's managed PKI service that provides free SSL/TLS certificates for use with AWS services like CloudFront, ALB (Application Load Balancer), API Gateway, and CloudFront. ACM certificates are free to use but can only be deployed on AWS managed services — you cannot export the private key.

Key Characteristics of ACM Certificates

• Free: No charge for public certificates used with AWS services
• Auto-renewal: ACM renews certificates automatically before they expire
• No private key access: ACM manages the private key — you cannot download it. For non-AWS use, you need an imported certificate.
• DV only for public certs: ACM public certificates are Domain Validation

Identifying ACM Certificates

ACM certificates are issued by Amazon's own CA infrastructure. The issuer shows O: Amazon with intermediates like CN: Amazon RSA 2048 M01 or CN: Amazon ECDSA 256 M01. The trust chain ultimately goes up to the Amazon Root CA certificates (Amazon Root CA 1–4) which themselves cross-certify under the Starfield Services Root.

ACM Private CA

ACM also offers Private CA (ACM PCA), a managed private Certificate Authority for issuing internal certificates. Private CA certificates chain to your own private root and will show as untrusted in browsers unless you deploy your root to client trust stores.