
AWS ACM Exportable Certificates


AWS Certificate Manager now supports exportable SSL certificates

In June 2025, AWS announced a long-awaited update to AWS Certificate Manager (ACM): the ability to request exportable public SSL/TLS certificates. This brings significant flexibility for organisations that want to standardise certificate management through ACM, even beyond the AWS ecosystem.

Previously, ACM-issued certificates were restricted to use with AWS-managed services such as CloudFront, Elastic Load Balancing, and API Gateway. This limitation meant teams with hybrid infrastructure or external dependencies needed to source certificates elsewhere - typically via Let’s Encrypt or commercial certificate authorities.

With this update, AWS has positioned ACM as a viable alternative for managing public-facing certificates across diverse environments.

Key capabilities

Exportable ACM certificates now support:

  • Standard domain validation (FQDN or wildcard)
  • Private key export in encrypted PEM format
  • Full trust chain download, including intermediate certificates
  • 13-month validity with managed renewal
  • Secure key access, governed by IAM policies and audit logging

These certificates are issued by Amazon Trust Services, rooted in widely trusted certificate chains and recognised across all major browsers and operating systems.

Pricing for AWS ACM exportable certificates

The exportable certificate model is based on a charge per domain, applied at issuance and renewal:

| Certificate type | Price per renewal cycle |
|---|---|
| Fully Qualified Domain (example.com or api.example.com) | $15 per domain |
| Wildcard Domain (*.example.com) | $149 |

This pricing structure makes ACM cost-effective for environments with a modest number of domains, while wildcard certificates are well-suited for large-scale or subdomain-heavy deployments.

However, bear in mind that for a typical website, you might want to run the www subdomain and the non-www version (with a redirect from one to the other), so that's two FQDNs and a base price of $30.

Also, the wildcard cert doesn't include the apex domain (example.com) so that's $15 on top of the $149 if you need the apex and all subdomains.

But the prices are comparable to other commercial TLS certificate issuers, and the ease of use through the ACM API and AWS SDK ecosystem brings additional value.

Practical applications

This enhancement is particularly beneficial for:

  • Hybrid infrastructure: Use the same certs across on-prem, AWS, and other cloud providers.
  • Self-managed environments or legacy apps not integrated with ACM: apps running on EC2 or containers that don't use ALB or CloudFront but still need HTTPS - now you can issue certs centrally with ACM.
  • Third-party systems: Apply ACM-managed certificates to external CDNs, proxies, or hosted platforms that support manual certificate upload.

By consolidating certificate management under ACM, organisations can reduce operational risk, improve renewal workflows, and ensure consistent security policies.

Considerations

Exportable certificates must be requested specifically as exportable - standard ACM certificates remain non-exportable and limited to AWS services.

The certificate, trust chain and private key are retrievable through secure, authenticated API requests, making them suitable for controlled use in CI/CD pipelines or deployment workflows where certificates need to be programmatically rotated and deployed.

Managed renewal requires re-exporting the new certificate upon renewal, which can be automated using the ACM API.
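One way to automate the re-export after renewal, as an added example (not code from this article or from AWS). It assumes `acm` is a boto3 ACM client, uses its `get_certificate` and `export_certificate` calls, and the function names, file names (`cert.pem`, `key.pem`, `chain.pem`) and output directory are illustrative choices.

```python
import hashlib
import os
import ssl
import tempfile

def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of a single PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()

def write_atomic(path: str, data: str, mode: int) -> None:
    """Write via a temp file in the same directory, fix the mode, then rename."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def sync_exported_cert(acm, arn: str, passphrase: bytes, out_dir: str) -> bool:
    """Return True if new files were written, False if already up to date."""
    # get_certificate returns only public material, so the private key is
    # exported (and that export logged) only when the certificate has changed.
    current = acm.get_certificate(CertificateArn=arn)["Certificate"]
    cert_path = os.path.join(out_dir, "cert.pem")
    if os.path.exists(cert_path):
        with open(cert_path) as f:
            if cert_fingerprint(f.read()) == cert_fingerprint(current):
                return False
    exported = acm.export_certificate(CertificateArn=arn, Passphrase=passphrase)
    # The key arrives as passphrase-encrypted PEM; keep it owner-readable only.
    write_atomic(os.path.join(out_dir, "key.pem"), exported["PrivateKey"], 0o600)
    write_atomic(os.path.join(out_dir, "chain.pem"), exported["CertificateChain"], 0o644)
    # cert.pem is written last: it is the marker the next run compares against.
    write_atomic(cert_path, exported["Certificate"], 0o644)
    return True

# Usage with the real service (assumes boto3 and credentials are configured):
#   import boto3
#   sync_exported_cert(boto3.client("acm"), "<certificate-arn>", passphrase, "/etc/ssl/acm")
```

Run on a schedule, this only calls the key export when the certificate ACM holds differs from the one on disk, which keeps private-key export events in the audit trail tied to actual renewals.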

Conclusion

This is a significant step forward for ACM, making it a practical certificate authority not just for AWS-native workloads but for the broader infrastructure landscape. It offers teams a consistent, secure, and reliable way to issue and manage SSL/TLS certificates across environments, while remaining under AWS governance and audit controls.

If you're exploring a more unified approach to certificate management - especially as part of a broader AWS migration or infrastructure modernisation - this new capability may come in handy.


Read more about AWS Certificate Manager exportable certificates on the official blog: https://aws.amazon.com/blogs/aws/aws-certificate-manager-introduces-exportable-public-ssl-tls-certificates-to-use-anywhere/

Do you have any thoughts on this article? Get in touch: hello@sinovi.uk


Authored by

James Galley