AWS Certificate Manager Adds ACME Protocol Support
The managed service now offers automated certificate issuance through an industry-standard protocol, with centralized controls for PKI administrators.

AWS Certificate Manager (ACM) now supports the Automatic Certificate Management Environment (ACME) protocol for public TLS certificates, enabling organizations to automate certificate issuance through the same open standard that powers Let's Encrypt.
The addition addresses a growing operational challenge: certificate validity periods are shrinking. The Certification Authority/Browser Forum will reduce maximum validity to 100 days by March 2027 and 47 days by 2029, making manual renewal processes impractical at scale.
ACM's implementation provides a fully managed ACME server endpoint compatible with any ACMEv2 client, including Certbot, cert-manager for Kubernetes, and acme.sh. Organizations can now issue certificates from Amazon Trust Services through standard ACME workflows while maintaining centralized visibility and control.
Why it matters
Before this capability, organizations using ACME for automation typically relied on external certificate authorities alongside ACM, creating fragmented visibility. PKI administrators had limited control over who could request certificates or which domains were permitted. The new ACME support consolidates certificate management into a single platform with enterprise governance features that would otherwise require separate lifecycle management products or custom policy layers.
Centralized governance with distributed automation
The implementation separates domain validation from certificate requests. PKI administrators validate domains once at the endpoint level using DNS credentials that remain with the admin team. Application owners who need certificates never access DNS directly. Instead, they register using External Account Binding (EAB) credentials, and the endpoint enforces which domains and certificate types they can request.
Administrators can bind IAM roles to ACME accounts for fine-grained access control. Domain scopes defined at the endpoint level enforce organization-wide policies, such as restricting wildcard certificate issuance or limiting requests to specific subdomains. AWS CloudTrail logs every certificate request for audit purposes, while Amazon CloudWatch tracks operational metrics and ACM sends expiry notifications.
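The two controls described above, EAB-based registration and endpoint-level domain scopes, can be modelled in a few dozen lines. The block below is an added example, not AWS code and not a description of how ACM implements these checks internally: the client side builds the RFC 8555 section 7.3.4 externalAccountBinding JWS over its account key, the endpoint side verifies it against the MAC key it issued, and a separate scope check rejects order identifiers outside what the account is permitted to request. The endpoint URL, EAB key ID, MAC key, JWK coordinates and scope table are all constructed placeholders.

```python
"""Added example: External Account Binding (EAB) verification plus an
endpoint-level domain-scope check. Not AWS code; all values are constructed."""
import base64
import hashlib
import hmac
import json

# --- Constructed placeholders (not a real ACM endpoint or real credentials) ---
ACME_NEW_ACCOUNT_URL = "https://acme.example.invalid/new-account"
EAB_KID = "eab-key-id-0001"
EAB_MAC_KEY = base64.urlsafe_b64encode(b"constructed-32-byte-mac-key-0000").rstrip(b"=").decode()
# The account's public key as a JWK. The coordinates are placeholders; only the
# serialized bytes matter for the MAC computed below.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
# Endpoint-side policy keyed by EAB key ID: allowed domains and whether wildcards are permitted.
DOMAIN_SCOPES = {
    EAB_KID: {"allowed_suffixes": ["app.example.com"], "allow_wildcard": False},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(jwk: dict, kid: str, mac_key_b64url: str, url: str) -> dict:
    """Client side: JWS with alg HS256, kid = EAB key ID, url = newAccount URL,
    payload = the account's public JWK, MAC over protected.payload."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": url}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(mac_key_b64url), f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, account_jwk: dict, mac_keys: dict, url: str) -> bool:
    """Endpoint side: look up the MAC key by kid, recompute the MAC in constant time,
    and confirm the JWK bound by the EAB is the key actually registering the account."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if header.get("alg") != "HS256" or header.get("url") != url:
        return False
    key = mac_keys.get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(b64url_decode(key), f"{eab['protected']}.{eab['payload']}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    return bound_jwk == account_jwk


def identifier_permitted(name: str, scope: dict) -> bool:
    """True if name is an allowed suffix or a subdomain of one; wildcards only if the scope allows them."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        if not scope["allow_wildcard"]:
            return False
        base = name[2:]
    else:
        base = name
    return any(base == s or base.endswith("." + s) for s in scope["allowed_suffixes"])


def check_order(kid: str, identifiers: list, scopes: dict = DOMAIN_SCOPES) -> list:
    """Return the identifiers the endpoint would reject for this account (empty list = order allowed).
    An account with no scope entry gets nothing."""
    scope = scopes.get(kid)
    if scope is None:
        return list(identifiers)
    return [n for n in identifiers if not identifier_permitted(n, scope)]


if __name__ == "__main__":
    eab = build_eab(ACCOUNT_JWK, EAB_KID, EAB_MAC_KEY, ACME_NEW_ACCOUNT_URL)
    print("EAB accepted:", verify_eab(eab, ACCOUNT_JWK, {EAB_KID: EAB_MAC_KEY}, ACME_NEW_ACCOUNT_URL))
    print("rejected identifiers:", check_order(EAB_KID, ["api.app.example.com", "*.app.example.com", "evilapp.example.com"]))
```

Two design points are worth noticing. The MAC key never leaves the admin-issued EAB credential pair, so a leaked account key alone cannot bind a new account, and the suffix check prepends a dot before matching so that `evilapp.example.com` is not treated as a subdomain of `app.example.com`.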
Configuration and workflow
Setting up an ACME endpoint involves creating the endpoint in the ACM console, configuring domain validation through Route 53 or manual DNS records, and generating EAB credentials for client registration. The console provides ready-to-use command examples for popular ACME clients.
Once configured, clients use standard ACME protocol commands with the endpoint URL and EAB credentials. Certificates issued through ACME appear in the ACM console alongside those created through the console or API, providing unified visibility across all issuance methods.
Availability and pricing
The capability is available in all commercial AWS Regions, with AWS GovCloud (US), China Regions, and AWS European Sovereign Cloud support planned for later release. Pricing is per domain included in each certificate at issuance time, with volume tiers based on total domain occurrences across all certificates issued monthly per account. Separate pricing applies for fully qualified domain names versus wildcards.
These details were first reported by AWS in its official blog announcement.
This is an original analysis by the Omega editorial team. Source reporting: Automation Watch.
