Amazon Certificate Manager

Amazon Certificate Manager generates free certificates for TLS with Elastic Load Balancer and CloudFront, and transparently handles rotation and renewal.

When you request a certificate Amazon validate you control the domain by e-mail. For example if you requested a certificate for it attempts to contact:

  • The domain registrant
  • The technical contact
  • The administrative contact


These certificates can only be used with Amazon services - there is no way to obtain the private certificate.

If you already have a certificate that you wish to use with CloudFront or ELB you can upload it with a ServerCertificate.

Creating a certificate

class Certificate

To create a certificate you just need to choose the domain it is for:

certificate = aws.add_acm_certificate(

The domain name to request a certificate for.


By default ACM will e-mail the contacts for your domain - so in the previous example. You can override this:

certificate = aws.add_acm_certificate(
        "domain": "",
        "validation_domain": "",

A list of alternative domain names this cert should be valid for, for example for you might also add