# AWS Certificate Manager exportable public certificates
<a name="acm-exportable-certificates"></a>

AWS Certificate Manager exportable public certificates lets you provision, manage, and deploy [SSL/TLS certificates](acm-concepts.md#concept-sslcert) anywhere - including Amazon EC2 instances, containers, and on-premises hosts. This feature extends ACM issued public certificates beyond integrated AWS services, giving you centralized control over certificates across your entire infrastructure.

## Benefits
<a name="acm-exportable-certificates-benefits"></a>

The following outlines benefits of ACM exportable public certificates:
+ *Simplified Certificate Management*: Centrally manage certificates for all your resources with ACM.
+ *Faster Certificate Issuance*: Access and use certificates in less time.
+ *Automated Renewals*: ACM automatically handles certificate renewals and notifies you when new certificates are ready for deployment. For more information, see [Amazon EventBridge support for ACM](supported-events.md).
+ *Cost Effective*: Pay only for the exportable public certificates you create.
+ *Flexible Deployment*: Use certificates with any server or application that supports standard [SSL/TLS certificates](acm-concepts.md#concept-sslcert).

## How ACM exportable public certificates work
<a name="acm-exportable-certificates-how-it-works"></a>

The following outlines how ACM exportable public certificates work:

1. Request an exportable certificate through ACM for your domain.

1. Validate domain ownership using DNS or email validation.

1. Export the certificate, private key, and certificate chain.

1. Deploy the certificate to your server or application.

1. ACM manages renewals and sends notifications when new certificates are available.

## Security considerations
<a name="acm-exportable-certificates-security"></a>

The following are security considerations when using ACM exportable public certificates. For more information, see [Data protection in AWS Certificate Manager](data-protection.md).
+ Protect exported private keys using secure storage and access controls.
+ Use ACM's revocation feature if you suspect key compromise.
+ Implement proper key rotation procedures when deploying renewed certificates.

## Limitations
<a name="acm-exportable-certificates-limitations"></a>

The following are some ACM certificate limitations:
+ Certificates have a 198-day validity period.
+ ACM renews certificates 45 days before their expiration date.
+ You must manage the deployment process for exported certificates.

## Pricing
<a name="acm-exportable-certificates-pricing"></a>

You are subject to an additional charge for exportable public SSL/TLS certificates that you create with AWS Certificate Manager. For the latest ACM pricing information, see the [AWS Certificate Manager Service Pricing](https://aws.amazon.com//certificate-manager/pricing/) page on the AWS website.

## Best practices
<a name="acm-exportable-certificates-best-practices"></a>

The following are some best practices when using ACM certificates:
+ Once a certificate is renewed, you should begin using it immediately.
+ Test and implement automated deployment processes for renewed certificates.
+ Monitor certificate deployments using [Amazon EventBridge metrics and alarms](supported-events.md).

# Export an AWS Certificate Manager public certificate
<a name="export-public-certificate"></a>

The following procedure walks you through how to export an ACM public certificate in the ACM console. Alternatively, you can use the [export-certificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/export-certificate.html) AWS CLI command or the [ExportCertificate](https://docs.aws.amazon.com//acm/latest/APIReference/API_ExportCertificate.html) API action.

**Note**  
ACM public certificates created prior to June 17, 2025 cannot be exported.

## Export a public certificate (console)
<a name="console-procedures"></a>

1. Sign in to the AWS Management Console and open the ACM console at [https://console.aws.amazon.com/acm/](https://console.aws.amazon.com/acm/).

1. Choose **List certificates** and select the checkbox of the certificate you want to export.

   1. Alternatively, you can select the certificate. In the certificate detail page, select **Export**.

1. Choose **More actions** and then choose **Export**.

1. Enter and confirm a passphrase for the private key.

1. You can download or copy the certificate files.
**Note**  
In the ACM console, you’re able to export .pem certificate files. You can convert the .pem file to another file format, like .ppk. For more information, see this [re:Post article](https://repost.aws/knowledge-center/ec2-ppk-pem-conversion). 

## Export a public certificate (AWS CLI)
<a name="cli-procedures"></a>

Use the [export-certificate](https://docs.aws.amazon.com/cli/latest/reference/acm/export-certificate.html) AWS CLI command or the [ExportCertificate](https://docs.aws.amazon.com//acm/latest/APIReference/API_ExportCertificate.html) API action to export a public certificate and its private key. You must supply a passphrase when you run the command. For added security, store the passphrase in a file using a text editor and pass that file to the command instead of typing the passphrase on the command line. This keeps the passphrase out of your command history and prevents others from seeing it as you type.

**Note**  
The file containing the passphrase must not end in a line terminator. You can check your passphrase file like this:

```
$ file -k passphrase.txt
passphrase.txt: ASCII text, with no line terminators
```

The following examples pipe the command output to `jq` to apply PEM formatting.

```
[Windows/Linux]$ aws acm export-certificate \
    --certificate-arn arn:aws:acm:us-east-1:111122223333:certificate/certificate_ID \
    --passphrase fileb://path-to-passphrase-file  \
    | jq -r '"\(.Certificate)\(.CertificateChain)\(.PrivateKey)"'
```

This outputs a base64-encoded, PEM-format certificate, also containing the certificate chain and encrypted private key, as in the following abbreviated example.

```
-----BEGIN CERTIFICATE-----
MIIDTDCCAjSgAwIBAgIRANWuFpqA16g3IwStE3vVpTwwDQYJKoZIhvcNAQELBQAw
EzERMA8GA1UECgwIdHJvbG9sb2wwHhcNMTkwNzE5MTYxNTU1WhcNMjAwODE5MTcx
NTU1WjAXMRUwEwYDVQQDDAx3d3cuc3B1ZHMuaW8wggEiMA0GCSqGSIb3DQEBAQUA
...
8UNFQvNoo1VtICL4cwWOdLOkxpwkkKWtcEkQuHE1v5Vn6HpbfFmxkdPEasoDhthH
FFWIf4/+VOlbDLgjU4HgtmV4IJDtqM9rGOZ42eFYmmc3eQO0GmigBBwwXp3j6hoi
74YM+igvtILnbYkPYhY9qz8h7lHUmannS8j6YxmtpPY=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC8zCCAdugAwIBAgIRAM/jQ/6h2/MI1NYWX3dDaZswDQYJKoZIhvcNAQELBQAw
EzERMA8GA1UECgwIdHJvbG9sb2wwHhcNMTkwNjE5MTk0NTE2WhcNMjkwNjE5MjA0
NTE2WjATMREwDwYDVQQKDAh0cm9sb2xvbDCCASIwDQYJKoZIhvcNAQEBBQADggEP
...
j2PAOviqIXjwr08Zo/rTy/8m6LAsmm3LVVYKLyPdl+KB6M/+H93Z1/Bs8ERqqga/
6lfM6iw2JHtkW+q4WexvQSoqRXFhCZWbWPZTUpBS0d4/Y5q92S3iJLRa/JQ0d4U1
tWZyqJ2rj2RL+h7CE71XIAM//oHGcDDPaQBFD2DTisB/+ppGeDuB
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFKzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUMrZb7kZJ8nTZg7aB
1zmaQh4vwloCAggAMB0GCWCGSAFlAwQBKgQQDViroIHStQgNOjR6nTUnuwSCBNAN
JM4SG202YPUiddWeWmX/RKGg3lIdE+A0WLTPskNCdCAHqdhOSqBwt65qUTZe3gBt
...
ZGipF/DobHDMkpwiaRR5sz6nG4wcki0ryYjAQrdGsR6EVvUUXADkrnrrxuHTWjFl
wEuqyd8X/ApkQsYFX/nhepOEIGWf8Xu0nrjQo77/evhG0sHXborGzgCJwKuimPVy
Fs5kw5mvEoe5DAe3rSKsSUJ1tM4RagJj2WH+BC04SZWNH8kxfOC1E/GSLBCixv3v
+Lwq38CEJRQJLdpta8NcLKnFBwmmVs9OV/VXzNuHYg==
-----END ENCRYPTED PRIVATE KEY-----
```

To output everything to a file, append the `>` redirect to the previous example, yielding the following command: 

```
$ aws acm export-certificate \
     --certificate-arn arn:aws:acm:us-east-1:111122223333:certificate/certificate_ID \
     --passphrase fileb://path-to-passphrase-file \
     | jq -r '"\(.Certificate)\(.CertificateChain)\(.PrivateKey)"' \
     > /tmp/export.txt
```
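The export command above hands you a certificate, its chain, and an encrypted private key in one JSON response. The following Python script is an added example (not part of this guide or the AWS CLI) that shows how a deployment step can consume that response safely: it applies the passphrase-file check from the note above (non-empty, ASCII, no trailing line terminator), validates each field against its expected PEM header before touching the disk, and writes the three components to separate files created with owner-only permissions, as the Security considerations section recommends. The response and passphrase files are constructed stand-ins; the file names `tls.crt`, `chain.pem` and `tls.key` are this example's own choice.

```python
import os
import stat
import tempfile

# The three fields returned by the ExportCertificate API, the file each one is
# written to, and the PEM header it must start with. File names are this
# example's choice (tls.crt/tls.key match the Kubernetes TLS Secret convention).
PEM_PARTS = {
    "Certificate": ("tls.crt", "-----BEGIN CERTIFICATE-----"),
    "CertificateChain": ("chain.pem", "-----BEGIN CERTIFICATE-----"),
    "PrivateKey": ("tls.key", "-----BEGIN ENCRYPTED PRIVATE KEY-----"),
}

# Constructed stand-in for an export-certificate response; the bodies are
# placeholders, not a real certificate or key.
SAMPLE_RESPONSE = {
    "Certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n-----END CERTIFICATE-----\n",
    "CertificateChain": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CHAIN\n-----END CERTIFICATE-----\n",
    "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END ENCRYPTED PRIVATE KEY-----\n",
}


def passphrase_file_problems(path):
    """Return a list of problems with a passphrase file meant for --passphrase fileb://.

    An empty list means the file is safe to pass to the CLI: non-empty, plain
    ASCII, and with no trailing line terminator (which would otherwise become
    part of the passphrase and make the exported key undecryptable later).
    """
    problems = []
    with open(path, "rb") as f:
        data = f.read()
    if not data:
        problems.append("file is empty")
    if not data.isascii():
        problems.append("file contains non-ASCII bytes")
    if data.endswith((b"\n", b"\r")):
        problems.append("file ends with a line terminator")
    return problems


def validate_export(response):
    """Return the fields that are missing or do not start with the expected PEM header."""
    return [
        field
        for field, (_, header) in PEM_PARTS.items()
        if not str(response.get(field, "")).startswith(header)
    ]


def write_export(response, out_dir):
    """Write each PEM component to its own file with owner-only permissions.

    The whole response is validated before anything is written, so a malformed
    response never leaves partial key material on disk. Returns the paths.
    """
    bad = validate_export(response)
    if bad:
        raise ValueError("unexpected PEM content in fields: " + ", ".join(bad))
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    os.chmod(out_dir, 0o700)  # makedirs is subject to umask; enforce explicitly
    paths = {}
    for field, (filename, _) in PEM_PARTS.items():
        path = os.path.join(out_dir, filename)
        # Create with 0600 from the start rather than chmod-ing after the write,
        # so the key is never readable by other users even briefly.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            pem = response[field]
            f.write(pem if pem.endswith("\n") else pem + "\n")
        os.chmod(path, 0o600)  # O_TRUNC on an existing file keeps its old mode
        paths[field] = path
    return paths


def file_mode(path):
    """Permission bits of a path as an octal string, e.g. '0o600'."""
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo():
    """Run the checks against constructed files in a temp directory and report the results."""
    tmp = tempfile.mkdtemp(prefix="acm-export-")
    good = os.path.join(tmp, "passphrase.txt")
    with open(good, "wb") as f:
        f.write(b"correct-horse-battery")    # constructed passphrase, no trailing newline
    bad = os.path.join(tmp, "passphrase-bad.txt")
    with open(bad, "wb") as f:
        f.write(b"correct-horse-battery\n")  # what most editors write by default
    paths = write_export(SAMPLE_RESPONSE, os.path.join(tmp, "export"))
    return {
        "good_passphrase": passphrase_file_problems(good),
        "bad_passphrase": passphrase_file_problems(bad),
        "modes": {field: file_mode(p) for field, p in paths.items()},
        "dir_mode": file_mode(os.path.join(tmp, "export")),
        "invalid_fields": validate_export({"Certificate": SAMPLE_RESPONSE["Certificate"]}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

To use this with a real export, replace `SAMPLE_RESPONSE` with the parsed JSON of `aws acm export-certificate` (for example via `json.load` on the saved output) and run `passphrase_file_problems` on your passphrase file before you call the CLI at all. The private key stays encrypted under your passphrase on disk; the file permissions are a second layer, not a substitute for keeping the passphrase out of the shell history.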

# Secure Kubernetes Workloads with ACM Certificates
<a name="exportable-certificates-kubernetes"></a>

You can use AWS Certificate Manager exportable public certificates with AWS Controllers for Kubernetes (ACK) to issue and export public TLS certificates from ACM to your Kubernetes workloads. This integration enables you to secure Amazon Elastic Kubernetes Service (Amazon EKS) pods and terminate TLS at your Kubernetes Ingress. To get started, see the [ACM Controller for Kubernetes](https://github.com/aws-controllers-k8s/acm-controller) on GitHub.

AWS Controllers for Kubernetes (ACK) extends the Kubernetes API to manage AWS resources using native Kubernetes manifests. The ACK service controller for ACM provides automated certificate lifecycle management within your Kubernetes workflow. When you create an ACM Certificate resource in Kubernetes, the ACK controller performs the following actions:

1. Requests a certificate from ACM, which generates the certificate signing request (CSR).

1. Waits for domain validation to complete and for ACM to issue the certificate.

1. If the `exportTo` field is specified, exports the issued certificate and private key and stores them in your specified Kubernetes Secret.

1. If the `exportTo` field is specified and the certificate is eligible for renewal, updates the Kubernetes Secret with renewed certificates before expiration.

Publicly issued certificates require [domain validation](https://docs.aws.amazon.com//acm/latest/userguide/dns-validation.html) before ACM can issue them. You can use the [ACK service controller for Amazon Route 53](https://github.com/aws-controllers-k8s/route53-controller) to automatically create the required DNS validation CNAME records in your hosted zone.

## Certificate usage options
<a name="kubernetes-ack-certificate-usage"></a>

You can use ACM certificates with Kubernetes in a few ways:

![\[alt text not found\]](http://docs.aws.amazon.com/acm/latest/userguide/images/kubernetes-acm.png)


1. *Load balancer termination (without export)*: Issue certificates through ACK and use them to terminate TLS at an AWS load balancer. The certificate remains in ACM and is automatically discovered by the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.1/guide/ingress/cert_discovery/). This approach does not require exporting the certificate.

1. *Ingress termination (with export)*: Export certificates from ACM and store them in Kubernetes Secrets for TLS termination at the Ingress level. This enables you to use certificates directly within your Kubernetes workloads.

**Note**  
For use cases that require private certificates, see [AWS Private CA Connector for Kubernetes](https://docs.aws.amazon.com//privateca/latest/userguide/PcaKubernetes-concepts.html), a cert-manager plugin.

## Prerequisites
<a name="kubernetes-ack-prerequisites"></a>

Before you install the ACK service controller for ACM, ensure you have the following:
+ A Kubernetes cluster.
+ Helm installed.
+ `kubectl` configured to communicate with your cluster.
+ `eksctl` installed for configuring pod identity associations on EKS.

## Install the ACK service controller for ACM
<a name="kubernetes-ack-installation"></a>

Use Helm to install the ACK service controller for ACM in your Amazon EKS cluster.

1. Create a namespace for the ACK controller.

   ```
   $ kubectl create namespace ack-system --dry-run=client -o yaml | kubectl apply -f -
   ```

1. Create a pod identity association for the ACK controller. Replace *CLUSTER\_NAME* with your cluster name and *REGION* with your AWS Region.

   ```
   $ eksctl create podidentityassociation --cluster CLUSTER_NAME --region REGION \
       --namespace ack-system \
       --create-service-account \
       --service-account-name ack-acm-controller \
       --permission-policy-arns arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess
   ```

1. Log in to the Amazon ECR Public registry.

   ```
   $ aws ecr-public get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin public.ecr.aws
   ```

1. Install the ACK service controller for ACM. Replace *REGION* with your AWS Region.

   ```
   $ helm install -n ack-system ack-acm-controller oci://public.ecr.aws/aws-controllers-k8s/acm-chart --set serviceAccount.create=false --set serviceAccount.name=ack-acm-controller --set aws.region=REGION
   ```

1. Verify the controller is running.

   ```
   $ kubectl get pods -n ack-system
   ```

For more information about pod identity associations, see [EKS Pod Identity](https://docs.aws.amazon.com//eks/latest/userguide/pod-identities.html) in the *Amazon EKS User Guide*.

## Example: Terminate TLS at the Ingress
<a name="kubernetes-ack-example"></a>

The following example demonstrates how to export an ACM certificate and use it to terminate TLS at the Kubernetes Ingress level. This configuration creates an ACM certificate, exports it to a Kubernetes Secret, and configures an Ingress resource to use the certificate for TLS termination.

In this example:
+ A Secret is created to store the exported certificate (`exported-cert-secret`).
+ The ACK Certificate resource requests a certificate from ACM for your domain and exports it to the `exported-cert-secret` Secret.
+ The Ingress resource references the `exported-cert-secret` to terminate TLS for incoming traffic.

Replace `${HOSTNAME}` with your domain name.

```
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: exported-cert-secret
  namespace: demo-app
data:
  tls.crt: ""
  tls.key: ""
---
apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: exportable-public-cert
  namespace: demo-app
spec:
  domainName: ${HOSTNAME}
  options:
    certificateTransparencyLoggingPreference: ENABLED
  exportTo: 
    namespace: demo-app
    name: exported-cert-secret
    key: tls.crt
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-traefik
  namespace: demo-app
spec:
  tls:
  - hosts:
    - ${HOSTNAME}
    secretName: exported-cert-secret
  ingressClassName: traefik
  rules:
  - host: ${HOSTNAME}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: whoami
            port:
              number: 80
```

Once deployed, the ACK service controller for ACM automatically manages the certificate lifecycle, including renewals. When ACM renews the certificate, the controller updates the `exported-cert-secret` Secret with the new certificate, ensuring your Ingress continues to use valid certificates without manual intervention.

# Revoke an AWS Certificate Manager public certificate
<a name="revoke-certificate"></a>

You can revoke an AWS Certificate Manager exportable public certificate using the ACM console, the AWS CLI, or the API.

**Warning**  
After a certificate is revoked, you cannot reuse the certificate. Revoking a certificate is permanent.

You may need to revoke a certificate to comply with your organization’s policies or mitigate key compromise. A reason is required when revoking a certificate. The following reasons can be used:
+ Unspecified
+ Affiliation changed
+ Superseded
+ Cessation of operation

To learn more, see the [Amazon Trust Services Certificate Subscriber Agreement](https://www.amazontrust.com/repository/sa-1.3.pdf) and the [Amazon Trust Services repository](https://www.amazontrust.com/repository/).

AWS provides two mechanisms for checking certificate revocation: Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs). With OCSP, the client queries an authoritative revocation database, which returns the certificate's status in real time. OCSP depends on the validation information embedded in the certificate.

## Considerations
<a name="revoke-considerations"></a>

The following are considerations before revoking a certificate:
+ You can only revoke certificates that were previously exported.
+ You cannot revoke [non-exportable public certificates](acm-exportable-certificates.md). If you no longer need these certificates, you should [delete them](gs-acm-delete.md) instead.
+ If you no longer need the certificate, you should [delete certificates](gs-acm-delete.md) instead of revoking certificates.
+ The certificate revocation process is global. All valid certificates you choose to revoke will be revoked along with their associated ARNs.
+ Certificate revocation is permanent. You can't retrieve revoked certificates to reuse.
+ It can take up to 24 hours for certificate revocation to take effect.

## Revoke a certificate (console)
<a name="revoke-certificate-console"></a>

The following procedure walks you through how to revoke an ACM public or private certificate.

1. Sign in to the AWS Management Console and open the ACM console at [https://console.aws.amazon.com/acm/](https://console.aws.amazon.com/acm/).

1. Choose **List certificates** and select the checkbox of the certificate you want to revoke.

   1. Alternatively, you can select the certificate. In the certificate detail page, select **Revoke**.

1. Choose **More actions** and then choose **Revoke**.

1. A dialog box appears where you must provide a revoke reason, enter **revoke**, and then choose **Revoke**.

## Revoke a certificate (AWS CLI)
<a name="revoke-certificate-cli"></a>

Use the [revoke-certificate](https://docs.aws.amazon.com//cli/latest/reference/acm-pca/revoke-certificate.html) AWS CLI command or the [RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html) API action to revoke an ACM public or private certificate. You can retrieve the certificate's ARN by calling the [list-certificates](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/list-certificates.html) command.

```
$ aws acm revoke-certificate \
    --certificate-arn arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234 \
    --revocation-reason "UNSPECIFIED"
```

**Warning**  
After a certificate is revoked, you cannot reuse the certificate. Revoking a certificate is permanent.

The following is the output of the `revoke-certificate` command.

```
arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234
```

# Configure automatic renewal events
<a name="configure-auto-renewals-events"></a>

With AWS Certificate Manager exportable public certificates and Amazon EventBridge, you can configure automatic certificate renewal events.

1. Set up an Amazon EventBridge event to monitor certificate renewals. For more information, see [Amazon EventBridge support for ACM](https://docs.aws.amazon.com//acm/latest/userguide/cloudwatch-events.html).

1. Create automation to handle certificate deployment when renewals occur. For more information, see [Initiating actions with Amazon EventBridge in ACM](example-actions.md).

1. Configure EventBridge events to alert you of any renewal or deployment failures.
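The three steps above amount to one piece of automation: a rule that selects ACM events, a handler that re-exports and deploys when a renewed certificate becomes available, and an alert path for renewals that stall. The following Python code is an added example (not from this guide, the ACM documentation, or any AWS SDK) of that decision logic as it would run inside a Lambda function targeted by the rule. The `EVENT_PATTERN` is written in the form `aws events put-rule --event-pattern` accepts, `matches` implements EventBridge's exact-match semantics so the pattern can be tested offline, and `handle` turns an event into a redeploy, alert, or ignore decision. The sample events are constructed; the `detail-type` strings and the `detail.Action` field (`ISSUANCE` versus `RENEWAL`) are assumptions to verify against the EventBridge support page linked above, and the certificate ARN is the placeholder used elsewhere on this page.

```python
# Minimal EventBridge rule pattern for ACM events, in the JSON form that
# `aws events put-rule --event-pattern` accepts. Detail-type names are assumed
# here; check them against the ACM EventBridge documentation before deploying.
EVENT_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": [
        "ACM Certificate Available",
        "ACM Certificate Renewal Action Required",
    ],
}


def matches(pattern, event):
    """EventBridge exact-match semantics: every pattern key must be present in
    the event, a list value means "any of these", a dict value recurses."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(wanted, dict):
            if not isinstance(have, dict) or not matches(wanted, have):
                return False
        else:
            have_values = have if isinstance(have, list) else [have]
            if not any(v in wanted for v in have_values):
                return False
    return True


def handle(event, tracked_arns):
    """Decide what the deployment automation should do with one event.

    tracked_arns is the set of certificate ARNs this automation exports and
    deploys; events for any other certificate are ignored rather than acted on.
    """
    if not matches(EVENT_PATTERN, event):
        return {"action": "ignore", "reason": "not an ACM event this rule selects"}
    arns = [a for a in event.get("resources", []) if a in tracked_arns]
    if not arns:
        return {"action": "ignore", "reason": "certificate is not one we deploy"}
    if event["detail-type"] == "ACM Certificate Renewal Action Required":
        # Renewal is blocked (for example, on validation); a human must intervene.
        return {"action": "alert", "arns": arns, "reason": "renewal needs manual action"}
    # detail.Action is assumed to distinguish first issuance from renewal.
    if event.get("detail", {}).get("Action") == "RENEWAL":
        return {"action": "redeploy", "arns": arns, "reason": "renewed certificate ready to export"}
    return {"action": "ignore", "arns": arns, "reason": "initial issuance; nothing to redeploy"}


def sample_event(detail_type, action, arn):
    """Build a constructed ACM event in the EventBridge envelope format."""
    return {
        "version": "0",
        "source": "aws.acm",
        "detail-type": detail_type,
        "account": "111122223333",
        "region": "us-east-1",
        "resources": [arn],
        "detail": {"Action": action, "CommonName": "www.example.com"},
    }


TRACKED = {"arn:aws:acm:us-east-1:111122223333:certificate/certificate_ID"}


def demo():
    """Run the handler over constructed events and return the decisions taken."""
    arn = next(iter(TRACKED))
    return {
        "renewal": handle(sample_event("ACM Certificate Available", "RENEWAL", arn), TRACKED)["action"],
        "issuance": handle(sample_event("ACM Certificate Available", "ISSUANCE", arn), TRACKED)["action"],
        "stalled": handle(sample_event("ACM Certificate Renewal Action Required", "RENEWAL", arn), TRACKED)["action"],
        "untracked": handle(sample_event("ACM Certificate Available", "RENEWAL", arn), set())["action"],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

In a real deployment the `redeploy` branch would call `ExportCertificate` with the stored passphrase and push the result to the host, Secret, or load balancer that serves it, and the `alert` branch would notify an on-call channel; both are left to your environment. Filtering on `tracked_arns` matters because the rule receives events for every certificate in the account, including ones whose deployment is owned by another team.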

# Force certificate renewal
<a name="force-certificate-renewal"></a>

You can renew your ACM public and private certificates with the ACM console, the [renew-certificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/renew-certificate.html) AWS CLI command, or the [RenewCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RenewCertificate.html) API action. You can only renew certificates that have been previously exported.

**Important**  
When you renew an ACM exportable public certificate, you're charged an additional fee. For the latest ACM pricing information, see the [AWS Certificate Manager Service Pricing](https://aws.amazon.com//certificate-manager/pricing/) page on the AWS website.

## Renew a certificate (console)
<a name="renew-certificate-console"></a>

The following procedure walks you through how to force the renewal of an ACM public or private certificate.

1. Sign in to the AWS Management Console and open the ACM console at [https://console.aws.amazon.com/acm/](https://console.aws.amazon.com/acm/).

1. Choose **List certificates** and select the checkbox of the certificate you want to renew.

   1. Alternatively, you can select the certificate. In the certificate detail page, select **Renew**.

1. Choose **More actions** and then choose **Renew**.

1. A dialog box appears where you must enter **renew** and then choose **Renew**.

## Renew a certificate (AWS CLI)
<a name="renew-certificate-cli"></a>

Use the [renew-certificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/renew-certificate.html) AWS CLI command or the [RenewCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RenewCertificate.html) API action to renew an ACM public or private certificate. You can retrieve the certificate's ARN by calling the [list-certificates](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/list-certificates.html) command. The `renew-certificate` command does not return a response.

```
$ aws acm renew-certificate \
    --certificate-arn arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012
```