Issuing certificates through ACME
After your PKI administrator sets up an ACME endpoint with domain validations and external account bindings, application owners can use ACME clients to issue certificates. This section describes the issuance flow, provides a brief example using Certbot, and explains how ACME-issued certificates appear in ACM.
How issuance works
The ACME certificate issuance flow follows the RFC 8555 protocol:
-
Account registration: The ACME client registers an account using the EAB credentials (key ID and MAC key). This is a one-time step per ACME client.
-
Certificate order: The client creates an order specifying the domain names for the certificate.
-
Authorization: The ACME server checks pre-configured domain validations. Because the endpoint uses
PRE_APPROVEDauthorization, no live challenges are required from the client. -
Finalize: The client submits a Certificate Signing Request (CSR) to finalize the order, and ACM issues the certificate.
-
Download: The client downloads the issued certificate chain.
Important
The private key is generated by the ACME client and never leaves the client's system.
Example: Issuing a certificate with Certbot
This example shows how to register an ACME account and request a certificate using Certbot.
Prerequisites
-
An ACME endpoint in
ACTIVEstatus (you have the directory URL) -
At least one domain validation in
VALIDstatus for the domain you want -
EAB credentials (key ID and MAC key) from your PKI administrator
-
Certbot installed on your system
To register an account and request a certificate
Important
Certificate issuance through the ACM ACME endpoint can take several minutes. Configure your ACME client's issuance timeout to at least 600 seconds (10 minutes) to prevent the client from timing out before the certificate is delivered. Many ACME clients default to 30-90 seconds, which is not sufficient.
Run the following command:
certbot certonly \ --standalone \ --non-interactive \ --agree-tos \ --emailuser@example.com\ --server https://acm-acme-enroll.region.api.aws/00000000-0000-0000-0000-000000000000/directory \ --eab-kidAAABBBCCC111222333\ --eab-hmac-keybase64encodedmackey\ --issuance-timeout 600 \ --domainwww.example.com
After successful issuance, Certbot stores the certificate and private key in its
default location (typically
/etc/letsencrypt/live/).www.example.com/
ACME certificates in ACM
Certificates issued through ACME automatically receive a standard ACM
certificate ARN and appear in the ACM certificate inventory. However,
ACME-issued certificates have important differences from certificates
issued through RequestCertificate.
Key differences
-
Private key is client-side: The certificate private key is generated and stored by the ACME client. ACM does not have access to the private key.
-
Cannot bind to integrated services: Because AWS does not hold the private key, ACME certificates cannot be used with Elastic Load Balancing, CloudFront, or API Gateway.
-
Not in default list output: ACME certificates do not appear in
ListCertificatesresults by default. You must include theCertificateKeyPairOriginsfilter with valueACMEto include them.SearchCertificatesreturns ACME certificates by default. -
Cannot export through ACM: The
ExportCertificateAPI cannot be used because the certificate is already exported by definition since the client has it. -
Revocation through ACME only: Use the ACME endpoint's revoke-cert URL. The ACM
RevokeCertificateAPI does not work for ACME-issued certificates. -
Renewal is client-driven: ACM does not auto-renew ACME certificates. The ACME client must request a new certificate before the existing one expires.
Viewing ACME certificates
In the ACM console, use the filter to include certificates with an ACME key pair origin. For more information about finding certificates, see Search certificates.
To list ACME certificates (AWS CLI)
Use list-certificates with the
CertificateKeyPairOrigins filter:
aws acm list-certificates \ --certificate-key-pair-origins ACME
To search for ACME certificates (AWS CLI)
Use search-certificates with the CertificateKeyPairOrigin
filter to find ACME certificates by additional criteria:
aws acm search-certificates \ --filter-statement '{"Filter": {"AcmCertificateMetadataFilter": {"CertificateKeyPairOrigin": "ACME"}}}'
You can also search for certificates issued through a specific endpoint or
ACME account by filtering on AcmeEndpointArn or
AcmeAccountId.
To view certificate details (AWS CLI)
Run the following command:
aws acm describe-certificate \ --certificate-arn arn:aws:acm:region:account-id:certificate/certificate-id
Revoking ACME certificates
To revoke a certificate issued through ACME, use the ACME protocol's revoke-cert endpoint. The ACME client handles this.
Note
ACME-issued certificates cannot be revoked using the ACM
RevokeCertificate API. You must revoke these certificates through the ACME
endpoint that issued them.
The following example shows revocation using Certbot:
certbot revoke \ --cert-path /etc/letsencrypt/live/www.example.com/cert.pem \ --server https://acm-acme-enroll.region.api.aws/00000000-0000-0000-0000-000000000000/directory
The revocation is authorized by the IAM role associated with the client's external
account binding, so the same IAM policies and SCPs that apply to the standard
acm:RevokeCertificate action apply here. For more information about the
required IAM role configuration, see IAM for ACME certificate automation.
Certificate renewal
ACME certificates are not renewed by ACM. Your ACME client is responsible for requesting a new certificate before the current one expires. Most ACME clients (including Certbot) support automatic renewal through scheduled tasks (such as cron jobs or systemd timers).
ARN stability across renewals
When an ACME client renews a certificate, ACM determines whether the new issuance is a renewal of an existing certificate or a distinct certificate. If the issuance comes from the same ACME account with the same certificate metadata (such as domain names and key algorithm), ACM updates the existing certificate ARN rather than creating a new one. This keeps the ARN stable across renewals, which simplifies tracking and automation.
If the original certificate has been removed from ACM (for example, because it expired more than one year ago and was automatically deleted), a subsequent issuance with the same metadata creates a new certificate ARN.
Certbot auto-renewal example (typically configured automatically during Certbot installation):
certbot renew --quiet