AWS Security Blog

Top reasons to import a certificate into AWS Certificate Manager (ACM)

October 18, 2022: This blog post was updated and the title was changed to reflect the updated info.

AWS Certificate Manager (ACM) is a service that lets you efficiently provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources.

Public certificates that you request through ACM are obtained from Amazon Trust Services (ATS), which is an Amazon managed public certificate authority (CA). Public certificates issued by ACM are free and are obtained through ATS, which is an Amazon-managed certificate authority. Private certificates are issued through certificate authorities created using AWS Private Certificate Authority (AWS Private CA). You can use the ACM console, AWS CLIs, or the APIs to request private certificates from private CAs.

Requesting certificates from ACM provides an easy mechanism to request and distribute certificates to integrated services like Application Load Balancer, and ACM will automatically renew certificates before they expire. So why might you want to import a certificate into ACM, rather than using a certificate issued by ACM?

To use and monitor certificates issued outside of ACM

If you need to use certificates from a specific CA for internal compliance reasons, you need to provision these third-party certificates and then import them into ACM. For more information on the prerequisites for importing a certificate to ACM, and the types of certificates supported, visit the ACM User Guide.

Additionally, if you need to use organization validation (OV) or extended validation (EV) certificates for internal compliance reasons, you can import OV or EV certificates into ACM by using a third-party certificate of either type. You can use the ACM API action ImportCertificate to import OV or EV certificates into ACM. Currently, ACM only issues domain-validated certificates.

You can monitor the expiration of these certificates through ACM. ACM will send you daily expiration events for all active certificates (public, private, and imported) starting 45 days prior to expiration. You can configure this timing using the ACM console or using the ACM API PutAccountConfiguration.

ACM automatically initiates renewal of eligible certificates that it issued, but for imported certificates, you need to re-issue and re-import prior to expiration to avoid outages. For more information, see Reimporting a certificate.

To use customized, private certificates issued by AWS Private CA

If you are using self-signed certificates, using private certificates is your best course of action. ACM by default will let you issue RSA 2048 private certificates, which are valid for 13 months. If you need private certificates outside of the default certificates, you will need to obtain these certificates via the IssueCertificate API action. Certificates provisioned with the IssueCertificate API action cannot be associated directly with an ACM integrated service, such as an internal Application Load Balancer. Instead, a private certificate issued by AWS Private Certificate Authority (AWS Private CA), with the IssueCertificate API action, needs to be exported and then imported into ACM before the association can be made. The same is true if you need to use custom certificate templates, which are configuration templates that can be passed as parameters to the IssueCertificate API action as a means to have greater control over the private certificate’s extensions.


In this blog post, you learned about some of the reasons, use cases, and explanations for importing a certificate into AWS Certificate Manager (ACM). For more information about importing certificates into ACM, and to see step-by-step instructions, visit Importing certificates into AWS Certificate Manager in the AWS Certificate Manager User Guide.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Certificate Manager forum or contact AWS Support.

Want more AWS Security news? Follow us on Twitter.

Nicholas Doropoulos

Nicholas Doropoulos

Nicholas is a Cloud Security Engineer II, Bestselling Udemy Instructor, AWS Shield, GuardDuty and Certificate Manager SME. In his spare time, he enjoys creating tools, practising his OSINT skills by participating in Search Party CTFs for missing people and registering Google Dorks in Offensive Security’s Google Hacking Database.