AWS Certificate Manager (ACM) renews your public SSL/TLS certificates automatically, but only for certificates ACM issued itself (imported certificates never qualify), and the renewal is truly hands-off only when you chose DNS validation and left the validation CNAME record in place.

Here’s what that looks like in practice:

// Certificate requested through ACM and validated via DNS (Terraform)
resource "aws_acm_certificate" "my_cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  tags = {
    Name = "MyAwesomeCert"
  }

  // Build the replacement before destroying the old one, so listeners never point at a deleted certificate
  lifecycle {
    create_before_destroy = true
  }
}

// Validation CNAMEs in Route 53, taken from what ACM hands back instead of
// hardcoded: one record per domain name on the certificate
resource "aws_route53_record" "my_cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.my_cert.domain_validation_options :
    dvo.domain_name => dvo
  }

  zone_id         = "Z1234567890ABCDEF" // Your Route 53 Hosted Zone ID
  name            = each.value.resource_record_name
  type            = each.value.resource_record_type
  ttl             = 300
  records         = [each.value.resource_record_value]
  allow_overwrite = true // a wildcard and its apex share one record
}

// Waits until ACM has seen the CNAMEs and actually issued the certificate
resource "aws_acm_certificate_validation" "my_cert" {
  certificate_arn         = aws_acm_certificate.my_cert.arn
  validation_record_fqdns = [for r in aws_route53_record.my_cert_validation : r.fqdn]
}

The surprising truth is that ACM doesn't just "renew" certificates in a vacuum. Renewal is a fresh validation of every domain on the certificate. Starting up to 60 days before expiry, ACM re-proves ownership: for a DNS-validated certificate it looks up the same validation CNAME it gave you when you first requested the certificate (the record name and value do not change between renewals), so as long as that record is still in your zone nothing is asked of you. ACM does not write that record for you at renewal time, not even in Route 53; the Route 53 integration is a convenience at request time (the console's "Create records in Route 53" button, or Terraform creating the record from the certificate's domain_validation_options). For email-validated certificates, ACM mails the domain's registered contacts and the renewal stalls until someone clicks the approval link.

This automated renewal is a massive time-saver, preventing outages caused by expired certificates. ACM tracks the expiry date of every certificate it issued; once the renewal window opens it queries DNS for the validation CNAME of each domain and, when every domain checks out, issues a new certificate under the original ARN. Because the ARN is unchanged, anything bound to it (a load balancer listener, a CloudFront distribution) picks up the new certificate without a redeployment. Don't take that on faith, though: aws acm describe-certificate reports RenewalEligibility and, once a renewal has been attempted, RenewalSummary.RenewalStatus (PENDING_AUTO_RENEWAL, PENDING_VALIDATION, SUCCESS or FAILED), and the DaysToExpiry metric in the AWS/CertificateManager CloudWatch namespace together with the "ACM Certificate Approaching Expiration" EventBridge event give you an alarm when a renewal fails quietly.

The key levers you control are:

  1. Provisioning Method: Request certificates through ACM if you want managed renewal. Certificates imported from an external CA are never renewed by ACM; you have to obtain a new one and re-import it yourself.
  2. Validation Method: DNS validation is the only method that renews without a human in the loop. Email-validated certificates renew only after someone responds to ACM's renewal emails.
  3. DNS Provider: ACM does not write records into any DNS provider on its own, Route 53 included. What Route 53 gives you is a one-click (or one Terraform resource) way to create the validation CNAME at request time. With any other provider you add the CNAME ACM shows you once, by hand or through that provider's API.
  4. Validation Records: Treat the validation CNAME as permanent. Its name and value stay the same for every renewal, so the record must remain resolvable for the life of the certificate; deleting it after issuance is the classic way a DNS-validated certificate stops renewing, and nothing warns you until the renewal attempt fails.

The most surprising part is how ACM handles wildcard certificates. When you request *.example.com, ACM hands you one validation CNAME for it, and that same record also proves the bare apex: a certificate covering both *.example.com and example.com needs a single _abc.example.com record, and ACM reports the identical record under both names in its domain validation options. Any other name you list explicitly is validated on its own, so adding app.example.com to the same certificate produces a second record, _xyz.app.example.com (_abc and _xyz stand for the unique strings ACM generates). ACM generates these values; creating the records in DNS is still your job, once, at request time. Two practical consequences: the wildcard does not spare you from validating every explicitly listed SAN, and if you build the records with Terraform's for_each over domain_validation_options, the wildcard and apex entries produce the same record set twice, so either dedupe by record name or set allow_overwrite = true on the Route 53 record.
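To turn the renewal preconditions described above and the wildcard/apex sharing rule into something you can run, here is an added audit script in Python. It is not code from the original post or from AWS. It reads the JSON that aws acm describe-certificate prints (the field names it inspects are ACM's real ones: Type, RenewalEligibility, RenewalSummary.RenewalStatus, NotAfter and DomainValidationOptions with their ResourceRecord), collapses the wildcard and apex entries into the single CNAME they share, and reports anything that would stop the next renewal. DNS lookups are injected as a callable so the script can run against the constructed sample below; the sample certificate, zone contents, domains and validation strings are invented for the example, the 60-day window is ACM's documented renewal window, and the dig-based resolver at the end assumes dig is installed.

```python
"""Offline audit of the prerequisites for ACM managed renewal.

Added example for this post (not AWS or the author's code). Input is the JSON
printed by `aws acm describe-certificate`; the field names are ACM's own.
"""
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# ACM begins managed renewal up to 60 days before a certificate expires.
RENEWAL_WINDOW = timedelta(days=60)


def _norm(name):
    return name.rstrip(".").lower()


def validation_records(cert):
    """Map each distinct validation CNAME to its expected value and the domains
    it proves. ACM returns the same record for a wildcard and its apex, so
    *.example.com and example.com collapse into a single CNAME to check."""
    cert = cert.get("Certificate", cert)
    records = {}
    for dvo in cert.get("DomainValidationOptions", []):
        rr = dvo.get("ResourceRecord")
        if rr is None:  # email-validated domains carry no DNS record
            continue
        entry = records.setdefault(_norm(rr["Name"]), {"value": _norm(rr["Value"]), "domains": []})
        entry["domains"].append(dvo["DomainName"])
    return records


def audit_renewal(cert, resolve_cname, now=None):
    """Return the findings that would stop the next renewal; [] means hands-off renewal.
    resolve_cname(name) returns the CNAME target as a string, or None if absent."""
    cert = cert.get("Certificate", cert)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []

    if cert.get("Type") != "AMAZON_ISSUED":
        findings.append(f"Type is {cert.get('Type')}: only ACM-issued certificates get managed renewal")
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        findings.append("RenewalEligibility is INELIGIBLE")
    for dvo in cert.get("DomainValidationOptions", []):
        if dvo.get("ValidationMethod") == "EMAIL":
            findings.append(f"{dvo['DomainName']}: email validation, renewal waits for a human to approve")

    # The CNAME ACM issued at request time never changes; it must still resolve to the same value.
    for name, rec in validation_records(cert).items():
        seen = resolve_cname(name)
        covers = ", ".join(rec["domains"])
        if seen is None:
            findings.append(f"{name}: validation CNAME missing (covers {covers})")
        elif _norm(seen) != rec["value"]:
            findings.append(f"{name}: CNAME points at {seen}, ACM expects {rec['value']} (covers {covers})")

    not_after = cert.get("NotAfter")
    if not_after is not None:
        if isinstance(not_after, str):  # the CLI prints ISO 8601; boto3 hands back a datetime
            not_after = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
        status = cert.get("RenewalSummary", {}).get("RenewalStatus")
        if not_after - now <= RENEWAL_WINDOW and status != "SUCCESS":
            findings.append(f"renewal window open (expires {not_after:%Y-%m-%d}) but RenewalStatus is {status}")
    return findings


def dig_cname(name):
    """Live resolver (assumes dig is installed): first CNAME target dig reports, or None."""
    out = subprocess.run(["dig", "+short", "CNAME", name], capture_output=True, text=True, check=False)
    targets = out.stdout.split()
    return targets[0] if targets else None


# Constructed describe-certificate output; domains and validation strings are invented.
SAMPLE_CERT = {"Certificate": {
    "DomainName": "example.com", "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
    "NotAfter": "2031-01-01T23:59:59+00:00",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_abc.example.com.", "Type": "CNAME", "Value": "_def.acm-validations.aws."}},
        {"DomainName": "*.example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_abc.example.com.", "Type": "CNAME", "Value": "_def.acm-validations.aws."}},
        {"DomainName": "app.example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_xyz.app.example.com.", "Type": "CNAME", "Value": "_uvw.acm-validations.aws."}},
    ]}}

# Constructed zone contents. BROKEN_ZONE lost the app.example.com record after
# issuance, the classic way a DNS-validated certificate stops renewing.
BROKEN_ZONE = {"_abc.example.com": "_def.acm-validations.aws."}
HEALTHY_ZONE = {**BROKEN_ZONE, "_xyz.app.example.com": "_uvw.acm-validations.aws."}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 acm_renewal_check.py cert.json  (real certificate, live DNS)
        with open(sys.argv[1]) as f:
            print(audit_renewal(json.load(f), dig_cname) or ["ok"])
    else:
        for label, zone in (("broken", BROKEN_ZONE), ("healthy", HEALTHY_ZONE)):
            print(label, audit_renewal(SAMPLE_CERT, zone.get, now="2030-01-01T00:00:00+00:00") or ["ok"])
```

Against the constructed data the "broken" run reports only the missing _xyz.app.example.com record, while the shared _abc.example.com record is checked once and credited to both *.example.com and example.com. For a real certificate, save the output of aws acm describe-certificate to a file and pass it as the first argument; the script then resolves each validation CNAME with dig, which is exactly what ACM itself will do when the renewal window opens.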

The next hurdle you’ll likely encounter is integrating these auto-renewed ACM certificates with AWS services like Elastic Load Balancing (ELB) or CloudFront.
