
AWS Certificate Manager
AWS Certificate Manager (ACM) API issues and manages SSL/TLS certificates — free public certificates, private CA management, auto-renewal, AWS service integration.
About this API
ACM solves two major pain points of HTTPS certificate operations: cost (public SSL certificates used to carry an annual fee) and renewal (manual renewals were forgotten, causing outages). AWS productized something like Let's Encrypt: if your site runs on AWS (ALB, CloudFront, API Gateway), ACM issues certificates for free, auto-binds them to resources, and auto-renews 60 days before expiry (for DNS validation). The downside is that ACM certificates are "bound": you cannot get the private key file, so they cannot be used on self-managed nginx or non-AWS services. For downloadable certificates, use Let's Encrypt automation or ACM Private CA. For most AWS-hosted web apps, ACM is the out-of-the-box HTTPS standard.
What you can build
- Provide HTTPS certs for ALB/CloudFront/API Gateway
- Manage enterprise private CAs
- Auto-renewal to prevent expiry incidents
- Bulk certificate audit
Strengths & limitations
Strengths
- Public certificates are completely free
- Native integration with AWS services (ALB/CloudFront auto-binds)
- Auto-renewal (DNS validation scenarios)
- TLS private keys never exposed to users
Limitations
- ACM certs are usable only on AWS services (cannot be downloaded for self-managed EC2 nginx)
- Private CA service has a monthly fee
Example request
curl https://github.com/mermade/aws2openapi/<endpoint>
Getting started
POST /acm/RequestCertificate to request a certificate. DNS validation: add the returned CNAME record to DNS; auto-issued after validation.
FAQ
Can I use ACM certs on self-managed nginx on EC2?
Not directly (no private key access). Traffic must go through ALB or CloudFront first. Or use ACM Private CA (downloadable).
Are wildcard certificates supported?
Yes. Request *.example.com — requires DNS validation.
Technical details
- Auth type: unknown
- Pricing: unknown
- Protocols: REST
- SDKs: python, javascript, go, java, csharp, php, ruby
- Response time: 852 ms
- Last health check: 5/12/2026, 7:36:33 AM