AWS Certificate Manager integrates ACME to automate TLS certificates
ACME protocol support in ACM enables centralized management of public certificates, reducing operational burden and preparing organizations for the 100-day validity reduction in 2027.
July 2, 2026 · 4 min read
TL;DR: AWS ACM is now a managed ACME server, allowing automated issuance of public TLS certificates from Amazon Trust Services. Centralizes management, improves security, and prepares for short-lived certificates.
What happened?
On June 9, 2026, AWS announced that AWS Certificate Manager (ACM) now supports the ACME (Automatic Certificate Management Environment) protocol, the open standard (RFC 8555) used by Let's Encrypt and other public CAs, for automated issuance and renewal of public TLS certificates. Because the protocol is the same, existing clients such as Certbot, cert-manager, and acme.sh can request and renew certificates without human intervention. The practical effect is that teams that wanted ACME-style automation no longer have to go outside AWS to an external certificate authority to get it.
Previously, users who wanted to automate certificate management with ACME had to turn to external certificate authorities, which fragmented visibility and control: ACM-issued and externally issued certificates coexisted without a single inventory, making oversight difficult. With the new managed ACME endpoint, ACM issues the certificates itself from Amazon Trust Services, so requests and renewals show up in the same AWS monitoring and security tooling (CloudTrail, CloudWatch) as the rest of the account. According to the announcement, PKI administrators get granular control over which domains can be requested and who can request them, using External Account Binding (EAB) credentials and IAM role binding.
Why is it important?
The industry is moving toward short-lived certificates. Under the CA/Browser Forum's adopted schedule, the maximum validity of public TLS certificates drops to 200 days in March 2026, 100 days in March 2027, and 47 days in March 2029. At 100 days a certificate must be replaced several times a year, and at 47 days roughly every month, which makes manual renewal impractical. With ACME in ACM, organizations can fully automate the certificate lifecycle, reducing the risk of human error and service outages. According to the official announcement, "if you manage TLS certificates for your applications, you know the challenge: certificates expire, and when they do, your customers see errors or your service goes down." Automation is no longer optional but an operational necessity.
Additionally, ACME in ACM offers granular control through External Account Binding (EAB). In the ACME protocol, EAB is an HMAC-signed blob, keyed with a secret the CA hands out, that a client attaches to its account-creation request; the CA only binds the new account if the HMAC verifies. According to the announcement, PKI administrators can validate domains once at the endpoint level and then delegate certificate requests to application teams by issuing them EAB credentials, without sharing DNS credentials. Losing or leaking an EAB key therefore exposes the ability to request certificates for the endpoint's allowed domains, not the DNS zone itself, which narrows the blast radius. As the announcement states, "with ACME in ACM, administrators can distribute certificate automation across the organization without distributing DNS keys."
Market implications
This integration simplifies certificate management in multicloud or hybrid environments, because ACME is a universal standard: companies already using ACME with Let's Encrypt can point their ACMEv2 clients at ACM instead, with the endpoint URL and EAB credentials as the main configuration change. On the server side it overlaps with products that already act as an ACME CA, such as HashiCorp Vault's PKI secrets engine (typically for private, internal certificates); cert-manager, by contrast, is an ACME client, so it becomes a consumer of the new endpoint rather than a competitor. ACM's advantage is native integration with CloudTrail, CloudWatch, and the rest of the AWS ecosystem. For users, the key change is that all certificates, whether issued by ACM or imported, can now be inventoried in ACM, giving unified visibility. PKI administrators gain control over which domains can be requested and by whom.
The market impact is significant: AWS lowers the barrier to certificate automation for its customers, reducing their reliance on Let's Encrypt and other free providers. Let's Encrypt remains a valid option for those not on AWS or preferring an independent CA. Competition will intensify, but native integration with AWS services such as CloudFront, ALB, and API Gateway gives ACM a clear advantage for workloads already running on AWS.
What readers should know
- According to the announcement, the service is available in all AWS regions immediately.
- You need to configure an ACME endpoint, define the domains it is allowed to issue for, and create EAB credentials (a key ID and an HMAC key) for each client or team.
- Existing ACME clients (Certbot, acme.sh, cert-manager) work against the new endpoint without code changes; what changes is their configuration: the ACME directory URL and the EAB key ID and HMAC key, for example Certbot's --server, --eab-kid, and --eab-hmac-key options.
- Domain validation is done via DNS or HTTP. As with any ACME CA, renewal is initiated by the client on its own schedule (Certbot's timer, cert-manager's controller, acme.sh's cron job), so that schedule must be short enough for the validity periods above.
- ACME itself adds no charge; public certificates issued through ACM are free.
- CloudTrail logs every certificate request, providing full auditability; alert on requests from unexpected principals or for domains a team should not be issuing.
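To make the EAB mechanism behind those credentials concrete, here is an added example (not AWS code and not the page's own) that builds the externalAccountBinding object an ACME client embeds in its newAccount request and the check a CA performs before binding the account, following RFC 8555 section 7.3.4. The directory URL, key ID, HMAC key, and account JWK are constructed sample values, not ACM credentials; the outer JWS (signed with the account's private key) is left out so the block runs with the standard library only.

```python
"""External Account Binding (EAB) in ACME, RFC 8555 section 7.3.4.

Added example, not AWS or ACM code. The client builds a JWS over its own
ACME account public key (as a JWK), MACed with HMAC-SHA256 under the key
the endpoint administrator issued, and embeds it in newAccount. The CA
recomputes the MAC, so only a holder of that key can bind a new account.
All identifiers, keys and URLs below are constructed sample values.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj) -> bytes:
    # JWS signs exact bytes, so client and sample verifier must serialise
    # identically; compact separators and sorted keys keep it deterministic.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_eab(key_id: str, mac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: the externalAccountBinding object for newAccount.

    Protected header: alg HS256, the administrator-issued kid, and the
    newAccount URL. Payload: the account's public JWK. No nonce is used in
    this inner JWS.
    """
    protected = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected_b64 = b64url(canonical_json(protected))
    payload_b64 = b64url(canonical_json(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(mac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def verify_eab(eab: dict, issued_keys: dict, account_jwk: dict, new_account_url: str) -> bool:
    """CA side: what must hold before the new account is bound.

    issued_keys maps kid -> base64url MAC key, i.e. the credentials created at
    the endpoint. account_jwk is the key that signed the outer newAccount JWS.
    Every failure returns False so the caller rejects uniformly.
    """
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        if protected.get("alg") != "HS256" or protected.get("url") != new_account_url:
            return False
        mac_key_b64url = issued_keys.get(protected.get("kid"))
        if mac_key_b64url is None:
            return False  # unknown or revoked key ID
        signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
        expected = hmac.new(b64url_decode(mac_key_b64url), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
            return False
        # The MACed payload must be the same key that signs the outer JWS;
        # otherwise a captured EAB could be replayed to bind someone else's account.
        return json.loads(b64url_decode(eab["payload"])) == account_jwk
    except (KeyError, ValueError, TypeError):
        return False


# Constructed sample values (hypothetical; not real ACM credentials).
NEW_ACCOUNT_URL = "https://acme.example.test/directory/new-account"
EAB_KID = "team-web-01"
EAB_MAC_KEY = b64url(b"\x01" * 32)  # a real MAC key is random, 256 bits or more
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x02" * 32), "y": b64url(b"\x03" * 32)}


def new_account_request_payload() -> dict:
    """The newAccount body a client would then sign with its account key."""
    return {
        "termsOfServiceAgreed": True,
        "contact": ["mailto:pki-team@example.test"],
        "externalAccountBinding": build_eab(EAB_KID, EAB_MAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL),
    }


if __name__ == "__main__":
    body = new_account_request_payload()
    print(json.dumps(body, indent=2))
    print("EAB verifies:", verify_eab(body["externalAccountBinding"], {EAB_KID: EAB_MAC_KEY},
                                       ACCOUNT_JWK, NEW_ACCOUNT_URL))
```

The verifier rejects a wrong or unknown key ID, a MAC under a different key, and a payload that does not match the account key actually signing the request; those are the properties that let an administrator hand a team an EAB credential without the team ever seeing DNS keys. Revoking the team's access is a matter of deleting its kid from the issued set.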
Preparing for the future
With validity dropping to 100 days in 2027 and 47 days in 2029, automation is no longer optional. ACME in ACM offers a simple adoption path for companies already on AWS and lays the groundwork for meeting the CA/Browser Forum requirements. Infrastructure teams should start planning the migration of their manual processes to ACME now, beginning with an inventory of which certificates are still renewed by hand. Integration with IAM allows detailed access control, and the ability to define domain scopes at the endpoint level makes organizational policy enforceable at the point of issuance rather than after the fact. This move by AWS solves a technical problem and anticipates a future in which certificate management is fully automated and centralized.