Why is my ACM certificate marked as ineligible for renewal?


I want to renew my AWS Certificate Manager (ACM) certificate. However, the certificate details show that the certificate is ineligible for renewal.

Short description

ACM certificates might be ineligible for renewal if any of the following are true:

  • The certificate isn't associated with another AWS service.
  • The certificate is expired.
  • The certificate is imported.
  • It's a private certificate issued with the IssueCertificate API call.

Resolution

Follow these instructions for your use case.

Before you begin, use the ACM console or the AWS Command Line Interface (AWS CLI) to list detailed metadata about your certificates.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

The certificate isn't associated with another AWS service

ACM certificates must be associated with another AWS service such as Elastic Load Balancing.

If the In use? value in the certificate details is No, then your ACM certificate isn't associated with an AWS service.

For a list of supported AWS services with ACM, see Services integrated with AWS Certificate Manager.

The certificate is expired

Expired certificates aren't eligible for renewal. If the certificate is expired, you can request a new certificate.

For more information, see Check a certificate's renewal status.

The certificate is imported

ACM doesn't provide managed renewal for imported certificates. To renew an imported certificate, request a new certificate from your certificate issuer. Then, follow the instructions to manually reimport the certificate into ACM.

Private certificate issued with the IssueCertificate API call

ACM doesn't manage the renewal of private certificates issued through the ACM Private CA IssueCertificate API. You can request a new certificate from your CA before the certificate's expiration date.

For more information, see Managed renewal for ACM certificates.
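The following added example (not part of the original article and not AWS-provided code) maps the fields returned by `aws acm describe-certificate` to the first three conditions above. The sample certificates, ARNs, and the helper names `_parse_time` and `ineligibility_reasons` are constructed for illustration; the fourth condition isn't checked because this sketch assumes the output doesn't indicate how a private certificate was issued.

```python
import json
from datetime import datetime, timezone

# Constructed samples in the shape of the "Certificate" object returned by
# `aws acm describe-certificate`. ARNs are placeholders, not real resources.
SAMPLES = json.loads("""
[
  {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-1",
   "Type": "AMAZON_ISSUED", "Status": "ISSUED", "InUseBy": [],
   "NotAfter": "2030-01-01T00:00:00+00:00", "RenewalEligibility": "INELIGIBLE"},
  {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-2",
   "Type": "IMPORTED", "Status": "EXPIRED",
   "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/EXAMPLE"],
   "NotAfter": "2020-01-01T00:00:00+00:00", "RenewalEligibility": "INELIGIBLE"},
  {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-3",
   "Type": "AMAZON_ISSUED", "Status": "ISSUED",
   "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/EXAMPLE"],
   "NotAfter": "2030-01-01T00:00:00+00:00", "RenewalEligibility": "ELIGIBLE"}
]
""")

def _parse_time(value):
    """NotAfter is an ISO 8601 string or epoch seconds, depending on CLI settings."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value)

def ineligibility_reasons(cert, now=None):
    """Return which of the article's first three conditions apply to one certificate."""
    if cert.get("RenewalEligibility") == "ELIGIBLE":
        return []
    now = now or datetime.now(timezone.utc)
    reasons = []
    if not cert.get("InUseBy"):          # console shows this as "In use? No"
        reasons.append("not associated with another AWS service")
    not_after = cert.get("NotAfter")
    if cert.get("Status") == "EXPIRED" or (
            not_after is not None and _parse_time(not_after) <= now):
        reasons.append("expired")
    if cert.get("Type") == "IMPORTED":   # no managed renewal for imported certs
        reasons.append("imported")
    return reasons

if __name__ == "__main__":
    for cert in SAMPLES:
        print(cert["CertificateArn"], ineligibility_reasons(cert) or "eligible")
```

To check a real certificate, pass the `Certificate` object from the `describe-certificate` JSON output to `ineligibility_reasons`.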

Related information

Troubleshooting certificate validation

Issuing and managing certificates

AWS OFFICIAL
Updated 9 months ago
4 Comments

I've noticed that exporting an internal certificate can change the status from ineligible to eligible. In my case, the internal certificate I was generating was not directly associated with an AWS service but a web server that was running on an EC2 instance.

AWS
replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 10 months ago

I just requested a new certificate but it still shows ineligible? When I go to the website it shows "Not secure".

replied 24 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 23 days ago