AWS Certificate Manager (ACM) service. ACM handles the complexity of creating and managing public SSL/TLS certificates for your AWS-based websites and applications. ACM certificates can secure multiple domain names and multiple names within a domain. You can also use ACM to create wildcard SSL certificates that can protect an unlimited number of subdomains.


Certificates that are not renewed before their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure. Check to see  AWS Certificates expire in 7 days can help understand.


ACM attempts to automatically renew your ACM certificate 60 days before expiration. If ACM cannot automatically renew your certificate, it sends certificate renewal event notices to your AWS Personal Health Dashboard at 45 days, 30 days, 15 days, 7 days, 3 days, and 1-day intervals from expiration to inform you that you need to take action. The AWS Personal Health Dashboard is part of the AWS Health service. It requires no setup and can be viewed by any user that is authenticated in your account. 

Default Value:

ACM attempts to automatically renew your ACM certificate sixty days before expiration.  


ACM certificates need to be there in your AWS account



Test Plan:

  1. Open the AWS Certificate Manager console at

  2. Expand a certificate to view its details.

  3. Find the Renewal Status in the Details section. 

4. If you don't see the status, ACM hasn't started the managed renewal process for this certificate.


  1. Log in to the AWS Personal Health Dashboard at

  2. Choose Event log.

  3. For Filter by tags or attributes, choose Service.  

  4. Choose Certificate Manager. 

  5. Choose Apply
  6. For the Event, the category chooses Scheduled Change. 
  7. Choose Apply.

          Step1: Sign in to the AWS Management Console

          Step2: Navigate to the AWS ACM dashboard at

         Step3:Select the SSL/TLS certificate that you want to examine and click on the Show/Hide Details button

 Step4:  Inside the Details section, verify the certificate expiration information

            If the Expires in the attribute value is set to 30 days, the selected SSL/TLS certificate is expiring in 30 days and should be renewed soon

Step5: Click the Actions button from the dashboard top menu and select the Reimport certificate option from the dropdown menu.

Step6: On the Import a certificate page, perform the following actions

          1. For Certificate body*, paste the PEM-encoded certificate to import, purchased from your SSL certificate provider.

         2. For Certificate private key*, paste the PEM-encoded, unencrypted private key that matches the SSL/TLS certificate public key

        3. Click the Review and import button to continue the process.

Step7: On the Review and import page, review the imported certificate details then click Import to confirm the action and complete the renewal process

Using AWS CLI:

aws acm describe-certificate --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

Back out Plan:

If you want  to revoke the changes follow the implementation steps undo 6step and schedule your event days 


What Is AWS Certificate Manager? - AWS Certificate Manager 

Check a certificate's renewal status - AWS Certificate Manager