fitgap

AWS Certificate Manager

Pricing from: $7 per FQDN
Free Trial
Free version
User corporate size: Small, Medium, Large
User industry
  1. Real estate and property management
  2. Information technology and software
  3. Construction

What is AWS Certificate Manager

AWS Certificate Manager (ACM) is a managed service for provisioning, deploying, and renewing SSL/TLS certificates for use with supported AWS services. It is primarily used by teams running web applications and APIs on AWS that need HTTPS/TLS without operating their own certificate infrastructure. ACM issues and renews AWS-managed public certificates at no additional certificate cost and also supports importing third-party certificates for use on supported integrations. The service is tightly integrated with AWS load balancing, content delivery, and API front-door services rather than acting as a general-purpose, multi-environment certificate platform.

Pros

Automated issuance and renewal

ACM automates certificate provisioning and renewal for AWS-managed public certificates used on supported AWS services. This reduces manual tracking of expiration dates and routine renewal work. It also lowers the risk of service disruption due to expired certificates when deployments stay within supported AWS integrations.

Deep AWS service integration

ACM integrates directly with common AWS entry-point services such as Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway. Certificates can be selected and attached through AWS consoles, APIs, and infrastructure-as-code workflows. This tight coupling simplifies TLS enablement for AWS-hosted workloads compared with tools that require separate deployment agents or external connectors.

Supports private PKI option

ACM can be paired with AWS Private Certificate Authority to issue private certificates for internal services and workloads. This provides a managed path for internal TLS without running your own CA servers. It fits organizations standardizing on AWS-native identity and networking controls for internal service-to-service encryption.

Cons

Limited to AWS endpoints

ACM-managed public certificates are intended for use with supported AWS services and are not generally exportable for installation on arbitrary servers or non-AWS platforms. Organizations with significant on-premises, multi-cloud, or edge deployments may need additional tooling to manage certificates outside AWS. This can create parallel processes when compared with vendor-neutral certificate lifecycle management platforms.

CLM features are narrower

ACM focuses on issuing and attaching certificates to AWS services rather than providing broad enterprise CLM functions such as cross-environment discovery, inventory normalization, and policy-driven governance across heterogeneous endpoints. Reporting and workflow capabilities are oriented around AWS resources and accounts. Enterprises needing centralized certificate governance across many CAs and environments may find gaps.

Private CA adds separate cost

While ACM public certificates are provided without an additional certificate fee, private certificate issuance typically requires AWS Private CA, which is billed separately. This can increase total cost for organizations that need large-scale internal PKI. Cost management can also become more complex across multiple AWS accounts and regions.

Plan & Pricing

| Plan / Option | Price | Key features & notes |
| --- | --- | --- |
| Non-exportable public certificate | No additional cost | Free ACM public TLS/SSL certificates for use with AWS services integrated with ACM (ELB, CloudFront, API Gateway, etc.). Permanently available at no additional charge. |
| Exportable public certificate (per standard FQDN) | $7 per FQDN (198-day certificate) | Pay-on-issuance (and on renewal). Allows export of certificate and private key for use outside AWS. Price reduction announced by AWS on Feb 18, 2026; older pricing page previously listed $15 per FQDN. See notes below. |
| Exportable public certificate (per wildcard name) | $79 per wildcard (198-day certificate) | Pay-on-issuance (and on renewal). Allows export of wildcard cert and private key. AWS announced new $79 price on Feb 18, 2026; older pricing page previously listed $149 per wildcard. |
| export-certificate API calls | First 10,000 calls per account/month: $0; next 10,000 increments: $0.50 per 10k calls (per account/month) | Applies when using the ExportCertificate API; first 10K calls are free each month per account; subsequent 10K increments charged. |

Usage-based (AWS Private Certificate Authority - AWS Private CA) - pricing (official page):

Pricing model: Usage-based (monthly CA operation + per-certificate issuance + OCSP usage)

Free tier/trial: 30-day free trial for the first private CA created in each Region (no CA operation charge for first 30 days; you still pay for certificates issued during trial).

Pricing details:

  • Private CA operation: $400 per private CA per month (general-purpose mode); $50 per private CA per month (short-lived certificate mode). (Pro-rated for partial months.)
  • Private certificates (general-purpose CA): $0.75 per certificate for 1–1,000; $0.35 per certificate for 1,001–10,000; $0.001 per certificate for 10,001+ (per Region per month).
  • Private certificates (short-lived mode): $0.058 per certificate (1+ certificates).
  • OCSP: $0.06 per certificate per month if the private CA generated an OCSP response for that certificate; $0.20 per 100,000 OCSP queries (billed per-CA).

Example costs & notes: Pricing page includes worked examples for CA operation + issuance + OCSP.

Seller details

Amazon Web Services, Inc.
Seattle, Washington, USA
2006
Subsidiary
https://aws.amazon.com/
https://x.com/awscloud
https://www.linkedin.com/company/amazon-web-services/

Tools by Amazon Web Services, Inc.

AWS Lambda
AWS Elastic Beanstalk
AWS Serverless Application Repository
AWS Cloud9
AWS Device Farm
AWS AppSync
Amazon API Gateway
AWS Step Functions
AWS Mobile SDK
Amazon Corretto
AWS Amplify
Amazon Pinpoint
AWS App Studio
Honeycode
AWS Batch
AWS CodePipeline
AWS CodeDeploy
AWS CodeStar
AWS CodeBuild
AWS Config

Best AWS Certificate Manager alternatives

Sectigo Certificate Manager
SSL.com
Let's Encrypt