AWS Certificate Manager adds ACME protocol support
Automate public TLS certificate issuance and renewal with ACMEv2 clients.
Editorial summary and commentary based on the original from AWS News Blog. Read the original
What's new
- AWS Certificate Manager (ACM) now supports the Automated Certificate Management Environment (ACME) protocol.
- Public TLS certificates can be issued and renewed via any ACMEv2-compatible client.
- Centralized governance, IAM-based access controls, and domain scoping are available for certificate management.
Why it matters
Previously, ACM primarily focused on certificates issued through AWS services like CloudFront and ELB. The addition of ACME support broadens ACM's applicability to any workload, including on-premises servers or workloads running on other cloud providers, that require automated public TLS certificate management. This allows organizations to centralize certificate lifecycle management within AWS, even for external infrastructure, potentially reducing operational overhead and improving security posture by enforcing consistent renewal policies. The primary trade-off is the need to manage ACME client configurations alongside ACM's existing managed certificate workflows.
How to use it
Administrators can leverage existing ACMEv2 clients (e.g., certbot, lego) to request and renew certificates from ACM. Ensure clients are configured with appropriate IAM permissions and domain scope for issuance. This feature is available in all AWS Regions where ACM public certificates are supported.
Bottom line: AWS Certificate Manager now supports ACME, enabling automated certificate issuance for any workload, not just AWS-managed ones.
Source (AWS News Blog): Automate public TLS certificate issuance with ACME support in AWS Certificate Manager