
PKI – Amazon Web Services (AWS)

The global public cloud market is expected to reach $488.5 billion by 2026 as per a research study conducted by and there will be a predicted 16% CAGR market growth during the forecast period. This makes “Cloud Security” an immediate priority. Let’s take a deep dive into Public Key Infrastructure (PKI) in the Amazon Web Services (AWS) cloud.

Let us understand PKI in AWS:

ACM stands for AWS Certificate Manager. Like any certificate manager, ACM lets cloud service users create, manage and deploy public and private SSL/TLS X.509 certificates and keys. These certificates authenticate the identity of websites and private resources, and protect sensitive data hosted on the Amazon Web Services platform. Certificates for supported AWS services can either be issued directly by ACM or imported from a third party into the ACM management system.

Services offered through ACM in AWS:

Amazon provides two options for customers to deploy SSL/TLS X.509 certificates. Depending on the business requirement, customers can choose between the options below.

  • AWS Certificate Manager (ACM): This service is targeted at customers who need a secure web presence using TLS certificates. ACM deploys certificates using AWS services – Amazon CloudFront, Elastic Load Balancing, Amazon API Gateway, and other integrated services. Enterprises with a secure public website and significant web traffic may prefer this certificate management service.
  • ACM Private CA: This service is most suited for small and medium enterprise customers who want to build their own Public Key Infrastructure (PKI) within the AWS Cloud, intended for private use within the organization. Within a private CA, users can create their own CA hierarchy and issue certificates for authenticating internal users, applications, services, devices etc.

Note: Certificates issued using Private CA cannot be used on the internet.

ACM Certificate Characteristics:

Public certificates provided by ACM have the characteristics described in this section. These characteristics only apply to certificates provided by ACM and might not apply to certificates imported to ACM:

| Serial No. | Characteristics | Description |
|---|---|---|
| 1 | Domain Validation (DV) | ACM certificates are domain validated. The Subject field of an ACM certificate identifies a domain name. Ownership can be validated using email or DNS |
| 2 | Validity Period for Certificates | 13 months |
| 3 | Managed Renewal and Deployment | Automatic renewal and provisioning of certificates by ACM |
| 4 | Browser and Application Trust | ACM certificates are trusted by all major browsers including Google Chrome, Microsoft Internet Explorer and Microsoft Edge, Mozilla Firefox, and Apple Safari. ACM certificates are also trusted by Java |
| 5 | Multiple Domain Names | Each ACM certificate must include one Fully Qualified Domain Name (FQDN), and additional names can be added |
| 6 | Wildcard Names | ACM allows an asterisk (*) in the domain name to create an ACM certificate that can protect several sites in the same domain |
| 7 | Algorithms | Public key algorithms supported by ACM: 2048-bit RSA (RSA_2048); 4096-bit RSA (RSA_4096); Elliptic Prime Curve 256 bit (EC_prime256v1); Elliptic Prime Curve 384 bit (EC_secp384r1) |
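The following added example (not code from the original article or from AWS) checks a planned certificate against the characteristics above: the names it carries, its key algorithm, and which hosts it would actually protect. It assumes ACM's documented rule, not spelled out on this page, that the asterisk must be the leftmost label and matches exactly one subdomain level; the function names and sample hosts are constructed for illustration.

```python
# Added example: pre-flight check of a planned ACM certificate request.
# All names and hosts below are constructed sample data.

# Key algorithm identifiers as listed in the characteristics above.
SUPPORTED_ALGORITHMS = {"RSA_2048", "RSA_4096", "EC_prime256v1", "EC_secp384r1"}


def name_is_valid(name: str) -> bool:
    """A wildcard is accepted only as the whole leftmost label."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return False
    return all("*" not in label for label in labels[1:]) and (
        labels[0] == "*" or "*" not in labels[0]
    )


def covers(cert_name: str, host: str) -> bool:
    """True if cert_name protects host; '*' matches exactly one label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False  # '*.example.com' covers neither the apex nor a.b.example.com
    if c[0] == "*":
        return c[1:] == h[1:]
    return c == h


def check_plan(cert_names, algorithm, hosts):
    """Return (problems, uncovered_hosts) for a planned certificate."""
    problems = [f"invalid name: {n}" for n in cert_names if not name_is_valid(n)]
    if algorithm not in SUPPORTED_ALGORITHMS:
        problems.append(f"unsupported key algorithm: {algorithm}")
    usable = [n for n in cert_names if name_is_valid(n)]
    uncovered = [h for h in hosts if not any(covers(n, h) for n in usable)]
    return problems, uncovered


if __name__ == "__main__":
    names = ["example.com", "*.example.com"]  # one FQDN plus a wildcard name
    hosts = ["example.com", "www.example.com", "api.eu.example.com"]
    print(check_plan(names, "RSA_2048", hosts))
    # ([], ['api.eu.example.com'])
```

Hosts reported as uncovered need their own entry among the certificate's additional names, or a wildcard at their own level, before the certificate is attached to the service that fronts them.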

AWS Certificate Manager Pricing:

  1. Public SSL/TLS certificates provisioned through AWS Certificate Manager are free of cost. Customers pay only for the AWS resources created to run their applications and services.
  2. ACM Private CA is priced in two parts:
    1. A monthly fee of $400 for each ACM private CA until it is deleted
    2. A one-time fee that the customer pays when certificates are issued from ACM Private CA

Please visit Amazon Web Services portal for more details:

If your organization is looking for implementation of AWS Certificate Authority, please consult [email protected] for further information.


About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.
