AWS has integrated the Automatic Certificate Management Environment (ACME) protocol into its Certificate Manager (ACM) service, allowing users to automate the issuance, renewal, and revocation of public TLS certificates. This update addresses the growing operational burden of manual certificate management as validity periods continue to shorten, with industry standards set to reduce maximum validity to 100 days by March 2027 and further to 47 days by 2029.
The ACME protocol, widely adopted by certificate authorities like Let’s Encrypt, eliminates the need for human intervention in certificate lifecycle management. AWS’s implementation provides a fully managed ACME server endpoint compatible with any ACMEv2 client, including Certbot, cert-manager for Kubernetes, and acme.sh. This integration consolidates certificate management within ACM, offering a unified dashboard for monitoring and controlling certificate issuance across an organization.
How it works
To use ACME in ACM, administrators first create a dedicated ACME endpoint in the AWS Console or via API. The setup process involves configuring domain validation, defining certificate scopes (e.g., exact domains, subdomains, or wildcards), and generating External Account Binding (EAB) credentials for client authentication. Domain validation is centralized, with ACM automatically creating DNS CNAME records for domains hosted in Amazon Route 53 or providing manual instructions for external DNS providers.
Once the endpoint is configured, application owners can request certificates using their preferred ACME client. The client registers with the ACME endpoint using EAB credentials, which bind to IAM roles for granular access control. This ensures that only authorized users can request certificates for approved domains, while PKI administrators retain centralized oversight. All certificate requests are logged in AWS CloudTrail for auditing, and operational metrics are tracked in Amazon CloudWatch, with expiry notifications sent via ACM.
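The EAB registration step described above, as an added example in Python (not AWS, Certbot or ACM code): what an ACME client signs when it binds its new account key to the EAB credentials, and what the server checks on receipt. The endpoint URL, key ID, HMAC key and account key are constructed placeholders.

```python
"""External Account Binding (RFC 8555 section 7.3.4): build and verify the JWS
an ACME client embeds in its newAccount request.  Constructed example; the
endpoint URL, key ID, HMAC key and account JWK below are placeholders."""
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canon(obj) -> bytes:
    """Compact, key-sorted JSON so client and server serialise identically."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

# Constructed placeholders, not real ACM values.  A real EAB HMAC key arrives
# base64url-encoded and must be decoded with b64url_decode() before use.
NEW_ACCOUNT_URL = "https://acme.example.invalid/newAccount"
EAB_KID = "eab-kid-PLACEHOLDER"
EAB_HMAC_KEY = b"constructed-hmac-secret-for-demo-only-32b"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

def build_eab_jws(account_jwk: dict, eab_kid: str, eab_key: bytes, url: str) -> dict:
    """Client side: HMAC-sign the account public key under the EAB key ID so the
    server can tie the new ACME account to whoever was issued that EAB credential."""
    protected = b64url(canon({"alg": "HS256", "kid": eab_kid, "url": url}))
    payload = b64url(canon(account_jwk))
    sig = hmac.new(eab_key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}

def verify_eab_jws(jws: dict, eab_keys: dict, url: str, account_jwk: dict) -> bool:
    """Server side: resolve the kid, check alg and url, recompute the MAC in constant
    time, and require the payload to equal the account key of the outer request."""
    try:
        header = json.loads(b64url_decode(jws["protected"]))
        key = eab_keys.get(header.get("kid"))
        if key is None or header.get("alg") != "HS256" or header.get("url") != url:
            return False
        signing_input = f'{jws["protected"]}.{jws["payload"]}'.encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(jws["signature"])):
            return False
        return json.loads(b64url_decode(jws["payload"])) == account_jwk
    except (KeyError, ValueError, TypeError, AttributeError):
        return False
```

The payload check is what stops a client from presenting someone else's EAB-signed blob: the bound key must be the very key that signs the surrounding newAccount request.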
Background: The ACME protocol is an open standard for automating TLS certificate issuance, renewal, and revocation. It is used by certificate authorities to validate domain ownership and issue certificates without manual intervention. AWS Certificate Manager (ACM) is a managed service that simplifies the provisioning and management of TLS certificates for AWS workloads.
Centralized controls and governance
ACME support in ACM introduces several governance features that were previously unavailable. Administrators can enforce organization-wide policies by restricting certificate types (e.g., ECDSA or RSA) and limiting wildcard issuance at the endpoint level. Domain scopes can be configured to allow only specific certificate patterns, such as exact domains or subdomains, while excluding wildcards to enhance security. These controls reduce the risk of misissued certificates and eliminate the need for third-party certificate lifecycle management tools.
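A constructed model of the endpoint controls just described (key-type restriction, wildcard switch, exact and subdomain scopes), added here as an example; it is not ACM's implementation or rule syntax, and the domain names and the assumption that a subdomain scope covers its own root are mine.

```python
"""Model of the endpoint-level controls described above: permitted key types, a
wildcard switch, and domain scopes that are either an exact name or a subdomain
root.  Constructed illustration of the policy idea, not ACM's rule syntax."""
from dataclasses import dataclass, field

@dataclass
class EndpointPolicy:
    allowed_key_types: set                              # e.g. {"ECDSA"} or {"ECDSA", "RSA"}
    allow_wildcards: bool
    exact_domains: set = field(default_factory=set)     # only this exact name
    subdomain_roots: set = field(default_factory=set)   # the root and anything under it

    def name_allowed(self, name: str) -> bool:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            # A wildcard is judged by its parent label, and only a subdomain
            # scope can admit it: an exact scope never covers names below it.
            if not self.allow_wildcards:
                return False
            name = name[2:]
        elif name in self.exact_domains:
            return True
        if "*" in name:                                   # no nested or mid-label wildcards
            return False
        return any(name == r or name.endswith("." + r) for r in self.subdomain_roots)

    def evaluate(self, key_type: str, sans: list) -> list:
        """Return the reasons a request would be refused; an empty list means issue."""
        problems = []
        if key_type not in self.allowed_key_types:
            problems.append(f"key type {key_type} not permitted")
        problems += [f"{n} outside domain scope" for n in sans if not self.name_allowed(n)]
        return problems

# Constructed policy: ECDSA only, no wildcards, one exact name plus one subdomain root.
POLICY = EndpointPolicy({"ECDSA"}, False, exact_domains={"api.example.com"},
                        subdomain_roots={"apps.example.com"})

if __name__ == "__main__":
    print(POLICY.evaluate("ECDSA", ["api.example.com", "shop.apps.example.com"]))
    print(POLICY.evaluate("RSA", ["*.apps.example.com", "evilapps.example.com"]))
```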
The integration also improves visibility. All certificates issued through ACME, the ACM console, or API calls are searchable within ACM, providing a single pane of glass for monitoring certificate usage. This addresses a common pain point for organizations that previously relied on external certificate authorities alongside ACM, resulting in fragmented visibility and inconsistent policy enforcement.
Availability and pricing
ACME support in ACM is available in all commercial AWS Regions as of June 2026. Support for AWS GovCloud (US), China Regions, and the AWS European Sovereign Cloud is planned for a later date. Pricing is based on the number of domains included in each certificate at issuance, with separate rates for fully qualified domain names and wildcards. Volume discounts apply based on total domain occurrences across all certificates issued per month in an AWS account. Detailed pricing information is available on the ACM pricing page.
What to watch
The adoption of ACME in ACM is likely to accelerate as organizations prepare for the upcoming reduction in certificate validity periods. The ability to automate certificate management while maintaining centralized control may also influence enterprise decisions about consolidating certificate authorities. Operators should evaluate their current ACME client configurations and IAM policies to ensure compatibility with ACM’s implementation, particularly for organizations using multiple AWS accounts or hybrid cloud environments.
For professionals: This update reduces operational overhead for teams managing TLS certificates at scale. By centralizing ACME support within ACM, AWS eliminates the need for external certificate authorities, simplifying compliance and auditing. Teams should review their certificate issuance workflows to leverage ACM’s policy enforcement features, such as domain scoping and IAM role binding, to improve security and governance.
Automated pipeline · Security
Synthesized from 1 industry feed on 30 Jun 2026. Passed independent editor verification (score 95/100) before publication. Style guide v1.4.
Decision trail
- Editor review — Approved
- Score: 95/100
- Factual grounding: The draft states 'as of June 2026' for availability, but the source only says 'available today' (publication date: 30 June 2026). While the date is plausible, the source does not explicitly state 'June 2026' as the calendar date. Omit the specific month/year or clarify that the feature launched on the publication date.
- Style compliance: The 'Background' block repeats phrasing from the source (e.g., 'automating TLS certificate issuance, renewal, and revocation'). While the facts are correct, the wording is too close to the source. Rewrite to restructure the idea without echoing the source's phrasing.
- Style compliance: The 'For professionals' callout includes 'simplifying compliance and auditing,' which is not directly supported by the source. The source mentions CloudTrail logging and centralized visibility, but 'compliance' is an inference. Reword to focus on concrete benefits (e.g., 'centralized logging and policy enforcement').