AWS Security ChangesHomeSearch

AWS acm documentation change

Service: acm · 2025-06-19 · Documentation medium

File: acm/latest/userguide/acm-public-certificates.md

Summary

Added documentation about exportable public certificates, including differences between regular and exportable certificates, export process, revocation, and renewal events. Added 'Enable export' option during certificate request and updated CLI parameters.

Security assessment

The changes introduce exportable certificates with private key access, which has security implications for key management. However, there's no evidence this addresses an existing vulnerability - rather it documents a new capability. The note about pre-June 2025 certificates not being exportable suggests a policy change but not a security fix.

Diff

diff --git a/acm/latest/userguide/acm-public-certificates.md b/acm/latest/userguide/acm-public-certificates.md
index 3e99e399f..3ee78fe01 100644
--- a//acm/latest/userguide/acm-public-certificates.md
+++ b//acm/latest/userguide/acm-public-certificates.md
@@ -9 +9,19 @@ Request a public certificate using the consoleRequest a public certificate using
-The following sections discuss how to use the ACM console or AWS CLI to request a public ACM certificate.
+You can request AWS Certificate Manager public certificates from the ACM console, AWS CLI, or API. You can use these certificates with integrated AWS services or export them for use outside of AWS Cloud.
+
+The following list describes the differences between public certificates and exportable public certificates.
+
+**Public certificates**
+    
+
+Use ACM public certificates with integrated AWS services like Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway. For more information, see [Services integrated with ACM](./acm-services.html).
+
+###### Note
+
+ACM public certificates created prior to June 17, 2025 cannot be exported.
+
+**Exportable public certificates**
+    
+
+Exportable public certificates work with integrated AWS services and can also be used outside AWS Cloud. For more information, see [AWS Certificate Manager exportable public certificates](./acm-exportable-certificates.html) and [Services integrated with ACM](./acm-services.html). You must create a new ACM public certificate and enable exportable to be able to export the public certificate. 
+
+The following sections discuss how to request, export, and revoke a public ACM certificate.
@@ -16,0 +35,10 @@ The following sections discuss how to use the ACM console or AWS CLI to request
+  * [AWS Certificate Manager exportable public certificates](./acm-exportable-certificates.html)
+
+  * [Export an AWS Certificate Manager public certificate](./export-public-certificate.html)
+
+  * [Revoke an AWS Certificate Manager public certificate](./revoke-certificate.html)
+
+  * [Configure automatic renewal events](./configure-auto-renewals-events.html)
+
+  * [Force certificate renewal](./force-certificate-renewal.html)
+
@@ -30 +58 @@ Choose **Request a certificate**.
-You can use a fully qualified domain name (FQDN), such as `www.example.com`, or a bare or apex domain name such as `example.com`. You can also use an asterisk (`*`) as a wild card in the leftmost position to protect several site names in the same domain. For example, `*.example.com` protects `corp.example.com`, and `images.example.com`. The wild-card name will appear in the **Subject** field and in the **Subject Alternative Name** extension of the ACM certificate. 
+You can use a fully qualified domain name (FQDN), such as `www.example.com`, or a bare or apex domain name such as `example.com`. You can also use an asterisk (`*`) as a wild card in the leftmost position to protect several site names in the same domain. For example, `*.example.com` protects `corp.example.com`, and `images.example.com`. The wildcard name will appear in the **Subject** field and in the **Subject Alternative Name** extension of the ACM certificate. 
@@ -32 +60 @@ You can use a fully qualified domain name (FQDN), such as `www.example.com`, or
-When you request a wild-card certificate, the asterisk (`*`) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, `*.example.com` can protect `login.example.com`, and `test.example.com`, but it cannot protect `test.login.example.com`. Also note that `*.example.com` protects _only_ the subdomains of `example.com`, it does not protect the bare or apex domain (`example.com`). To protect both, see the next step.
+When you request a wildcard certificate, the asterisk (`*`) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, `*.example.com` can protect `login.example.com`, and `test.example.com`, but it cannot protect `test.login.example.com`. Also note that `*.example.com` protects _only_ the subdomains of `example.com`, it does not protect the bare or apex domain (`example.com`). To protect both, see the next step.
@@ -38 +66,3 @@ In compliance with [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280), th
-To add another name, choose **Add another name to this certificate** and type the name in the text box. This is useful for protecting both a bare or apex domain (such as `example.com`) and its subdomains such as `*.example.com`).
+    1. To add another name, choose **Add another name to this certificate** and type the name in the text box. This is useful for protecting both a bare or apex domain (such as `example.com`) and its subdomains such as `*.example.com`).
+
+  3. If you want to create an ACM exportable public certificates, select the **Enable export** option. You'll be able to access the certificate's private keys and use it outside AWS Cloud. For more information, see [AWS Certificate Manager exportable public certificates](./acm-exportable-certificates.html).
@@ -40 +70 @@ To add another name, choose **Add another name to this certificate** and type th
-  3. In the **Validation method** section, choose either **DNS validation – recommended** or **Email validation** , depending on your needs.
+  4. In the **Validation method** section, choose either **DNS validation – recommended** or **Email validation** , depending on your needs.
@@ -48 +78 @@ Before ACM issues a certificate, it validates that you own or control the domain
-If you choose email validation, ACM sends validation email to the domain that you specify in the domain name field. If you specify a validation domain, ACM sends the email to that validation domain instead. For more information about email validation, see [AWS Certificate Manager email validation](./email-validation.html).
+    1. If you choose email validation, ACM sends validation email to the domain that you specify in the domain name field. If you specify a validation domain, ACM sends the email to that validation domain instead. For more information about email validation, see [AWS Certificate Manager email validation](./email-validation.html).
@@ -50 +80 @@ If you choose email validation, ACM sends validation email to the domain that yo
-If you use DNS validation, you simply add a CNAME record provided by ACM to your DNS configuration. For more information about DNS validation, see [AWS Certificate Manager DNS validation](./dns-validation.html).
+    2. If you use DNS validation, you simply add a CNAME record provided by ACM to your DNS configuration. For more information about DNS validation, see [AWS Certificate Manager DNS validation](./dns-validation.html).
@@ -52 +82 @@ If you use DNS validation, you simply add a CNAME record provided by ACM to your
-  4. In the **Key algorithm** section, chose an algorithm.
+  5. In the **Key algorithm** section, choose an algorithm.
@@ -54 +84 @@ If you use DNS validation, you simply add a CNAME record provided by ACM to your
-  5. In the **Tags** page, you can optionally tag your certificate. Tags are key-value pairs that serve as metadata for identifying and organizing AWS resources. For a list of ACM tag parameters and for instructions on how to add tags to certificates after creation, see [Tag AWS Certificate Manager resources](./tags.html). 
+  6. In the **Tags** page, you can optionally tag your certificate. Tags are key-value pairs that serve as metadata for identifying and organizing AWS resources. For a list of ACM tag parameters and for instructions on how to add tags to certificates after creation, see [Tag AWS Certificate Manager resources](./tags.html). 
@@ -58 +88 @@ When you finish adding tags, choose **Request**.
-  6. After the request is processed, the console returns you to your certificate list, where information about the new certificate is displayed.
+  7. After the request is processed, the console returns you to your certificate list, where information about the new certificate is displayed.
@@ -79 +109 @@ Use the [request-certificate](https://docs.aws.amazon.com/cli/latest/reference/a
-    --options CertificateTransparencyLoggingPreference=DISABLED
+    --options CertificateTransparencyLoggingPreference=DISABLED Export=ENABLED
@@ -96 +126 @@ Characteristics and limitations
-Validate domain ownership
+Exportable public certificates