Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.2.2. Certificates and Public Key Infrastructure (PKI)
TLS certificates authenticate your services and encrypt traffic. AWS Certificate Manager (ACM) eliminates manual certificate management.
ACM features:
- Free public certificates: For domains you own, validated via DNS or email
- Automatic renewal: ACM renews certificates before expiration (no manual action)
- Integration: ALB, CloudFront, API Gateway, NLB — attach certificates directly
- Private CA: ACM Private CA issues certificates for internal services (mutual TLS, IoT)
```bash
# Request a public certificate
aws acm request-certificate \
  --domain-name "api.example.com" \
  --validation-method DNS \
  --subject-alternative-names "*.example.com"
```
Certificate deployment pattern:
- ALB: Attach ACM certificate to HTTPS listener. ALB terminates TLS.
- CloudFront: ACM certificate must be in us-east-1 (global requirement)
- EC2 directly: ACM certificates can't be exported — use self-managed certificates or NLB with TLS passthrough
Mutual TLS (mTLS): Both client and server present certificates. API Gateway supports mTLS using ACM Private CA. Use for service-to-service authentication in zero-trust architectures.
Exam Trap: ACM certificates for CloudFront must be in us-east-1, regardless of where your origin is. If you request a certificate in eu-west-1 and try to attach it to CloudFront, it won't appear in the dropdown. This is the most commonly tested ACM fact.
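As an added worked example (not the course's own code and not an AWS SDK API), the two hypothetical helpers below operate on the JSON that `aws acm describe-certificate` returns: one builds the Route 53 change batch that completes DNS validation for the request above, the other checks the certificate's region before you try to attach it to CloudFront. The ARN and validation record values in the sample are constructed.

```python
import json

def acm_region(certificate_arn: str) -> str:
    """Region from an ACM ARN: arn:aws:acm:REGION:ACCOUNT:certificate/ID."""
    parts = certificate_arn.split(":")
    if len(parts) < 6 or parts[2] != "acm":
        raise ValueError(f"not an ACM certificate ARN: {certificate_arn}")
    return parts[3]

def usable_with_cloudfront(certificate_arn: str) -> bool:
    """CloudFront only lists certificates that live in us-east-1."""
    return acm_region(certificate_arn) == "us-east-1"

def validation_change_batch(description: dict) -> dict:
    """Route 53 ChangeBatch proving control of every name on the certificate.
    The apex and its wildcard share one validation CNAME, so duplicates
    are collapsed before UPSERT (Route 53 rejects a duplicate change)."""
    seen, changes = set(), []
    for opt in description["Certificate"]["DomainValidationOptions"]:
        if opt.get("ValidationMethod") != "DNS":
            continue  # e-mail validated names have no DNS record to publish
        rr = opt["ResourceRecord"]
        if (rr["Name"], rr["Value"]) in seen:
            continue
        seen.add((rr["Name"], rr["Value"]))
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": 300,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}

# Constructed sample of describe-certificate output (IDs and hashes are made up).
SAMPLE = {"Certificate": {
    "CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/EXAMPLE-ID",
    "DomainValidationOptions": [
        {"DomainName": "api.example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_abc.api.example.com.", "Type": "CNAME",
                            "Value": "_abc.acm-validations.aws."}},
        {"DomainName": "*.example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_def.example.com.", "Type": "CNAME",
                            "Value": "_def.acm-validations.aws."}},
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_def.example.com.", "Type": "CNAME",
                            "Value": "_def.acm-validations.aws."}}]}}

if __name__ == "__main__":
    print(json.dumps(validation_change_batch(SAMPLE), indent=2))
    arn = SAMPLE["Certificate"]["CertificateArn"]
    print(f"{arn} usable with CloudFront: {usable_with_cloudfront(arn)}")
```

The sample certificate was requested in eu-west-1, so the region check reports it as unusable for CloudFront, which is exactly the exam trap above; the change batch is what you would pass to `aws route53 change-resource-record-sets --change-batch`.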

Written by Alvin Varughese • Founder • 15 professional certifications