Key Takeaways
- The key limitations of AWS Certificate Manager are its lack of private key export for free public certificates, limited automation capabilities, fragmented visibility, high AWS private CA costs, the absence of built-in compliance reporting features, region-specific management, and vendor exclusivity.
- Non-AWS workflows may require enterprises to rely on manual processes because ACM only offers automation to AWS-integrated services.
- ACM’s scoped certificate inventory and management causes a visibility gap that continues to broaden as organizations extend beyond a single cloud service provider.
- Organizations that aim to assess their certificate management system should start by mapping out their entire certificate infrastructure to know what to prioritize.
- Crypto-agility, smart discovery, PQC-readiness, and a platform-agnostic approach are the building blocks of an effective certificate management strategy.
Where does ACM fit?
AWS Certificate Manager (ACM) has earned its reputation as a dynamic, cost-effective tool for professionals working with AWS ecosystems. It is favored by teams because it provides free public SSL/TLS certificates along with auto-renewals for integrated services (Elastic Load Balancing, Amazon CloudFront, and API Gateway). ACM ensures seamless certificate operations by eliminating friction from the provisioning process.
However, challenges arise when enterprises move beyond single-cloud infrastructures. In fact, Flexera’s State of the Cloud Report discovered that around 89% of enterprises have adopted multi-cloud solutions. On the other hand, Gartner projects that over 90% of organizations will be leveraging hybrid cloud systems by 2027. Given the numbers, it’s clear that a certificate management tool that can only handle one cloud provider at a time simply won’t cut it in today’s cybersecurity landscape.
Perhaps now you are wondering, “Will ACM work for my organization?” With this article, we will walk you through everything you need to know about AWS Certificate Manager to help you determine whether it will enhance your security system or leave operational gaps.
5 Limitations of AWS Certificate Manager
Although it automates key certificate operations, there are a few things about ACM that you may want to consider before integrating it into your certificate environment:
Private Key Export Is Unavailable for ACM’s Free Public Certificates
As we mentioned earlier, ACM issues free public certificates. By default, the private keys of these standard public certificates are structurally locked within AWS. This means the private keys cannot be exported, and the certificates can only be deployed directly onto integrated, ACM-specific AWS services (such as Application Load Balancers, Amazon CloudFront, or Amazon API Gateway).
Teams running hybrid environments are often forced to maintain parallel certificate management workflows, increasing operational complexity and the risk of inconsistency. If your security infrastructure includes on-premises servers, third-party Content Delivery Networks (CDNs), or workloads on competing cloud providers, ACM’s free certificates cannot be used at those endpoints.
To bridge this gap, AWS has introduced Exportable Public Certificates, which allow you to securely export the private key and deploy the certificate anywhere outside of AWS. However, this flexibility comes at a cost: $7 per FQDN and $79 per wildcard name (e.g., *.yourdomain.com) upon issuance, with the same fees applying at every renewal.
Given that certificate validity now stands at 200 days under the CA/Browser Forum mandate, renewals occur roughly twice per year, so the annualized cost effectively doubles to ~$14 per FQDN and ~$158 per wildcard name.
Ultimately, while exportable certificates resolve the technical limitation for hybrid and multi-cloud infrastructure, they fundamentally shift ACM from a zero-cost utility into a recurring paid service for any certificate bound for non-AWS endpoints.
ACM’s native automation does not extend beyond AWS-integrated services
ACM offers strong, reliable automation for AWS-integrated services, including automated renewals and managed deployments. The limitation surfaces when your infrastructure extends beyond that boundary. ACM’s automation does not cover non-AWS endpoints, such as F5 load balancers, NGINX, Apache, Citrix ADC, Kubernetes ingress controllers outside of EKS, or any other non-AWS compute workload. For exportable certificates deployed to these external endpoints, ACM can go as far as triggering renewal notifications via EventBridge, but the actual deployment automation is your responsibility to build and maintain. This will still need separate custom tooling or manual workflows.
This gap is becoming harder to absorb. With the CA/Browser Forum’s 47-day validity mandate actively shrinking certificate lifespans, renewal volumes are climbing sharply, and any part of your infrastructure that sits outside ACM’s automation boundary will feel that pressure directly. For teams managing a mix of AWS and non-AWS workloads, partial automation is increasingly difficult to sustain.
Fragmented certificate visibility and management across accounts and regions
ACM’s certificate inventory is scoped to a single AWS account and region. For enterprises operating across multiple accounts and regions, there is no native centralized view of the full certificate estate – each account and region must be checked independently. This extends to domain coverage as well: identical domains operating across multiple regions each require their own certificate, independently requested, validated, and monitored, with no cross-region inventory view natively available. In large, distributed AWS environments, certificates can go untracked simply because there is no single place to see them all.
This fragmentation makes it difficult for security teams to maintain consistent oversight, enforce governance policies, identify non-compliant or shadow certificates, and track expiring certificates before they cause outages. Without unified visibility, organizations also cannot effectively prepare for industry-wide cryptographic changes, such as the ongoing post-quantum migration, where knowing exactly what you have deployed, and where, is a prerequisite for any coordinated response.
A platform-agnostic CLM platform, like AVX CLM, with Smart Discovery capabilities, can address this by scanning across cloud accounts, environments, CAs, and Kubernetes clusters to provide a single, consolidated view of your entire certificate estate. It can also centralize discovery, issuance, renewal, and revocation workflows regardless of where certificates are deployed or which CA issued them.
No built-in compliance reporting
ACM does not provide dedicated, out-of-the-box compliance reporting for frameworks such as PCI DSS, HIPAA, SOC 2, or DORA. AWS does offer adjacent tools — Security Hub includes pre-built compliance standard mappings that can automatically flag non-compliant ACM certificates, and AWS Artifact provides global compliance reports for AWS services — but none of these constitute a dedicated certificate lifecycle compliance report. Tracking certificate-specific compliance posture, such as algorithm strength, expiry status, policy adherence across accounts, or audit-ready documentation tied to specific certificates, still requires custom tooling or manual assembly. For security and compliance teams that need real-time, certificate-level reporting as a first-class feature, ACM does not provide it natively.
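The two gaps described above (per-account, per-region inventory and no certificate-level compliance view) can be partially bridged with a script that walks each region's ListCertificates output and applies a policy check to the merged result. The code below is an added example, not AppViewX's or AWS's code; the policy thresholds, the account id, the domains, and the FakeAcm client are constructed assumptions so that it runs offline, and in production make_client would return a boto3 ACM client per region (and per account, via assumed roles).

```python
from datetime import datetime, timedelta, timezone
EXPIRY_WARNING_DAYS = 30  # thresholds here are illustrative assumptions, not AWS defaults
ALLOWED_KEY_ALGORITHMS = {"RSA_2048", "RSA_3072", "RSA_4096", "EC_prime256v1", "EC_secp384r1"}

def build_inventory(regions, make_client):
    """Merge each region's paginated ListCertificates output into the single view ACM lacks.
    make_client(region) returns a boto3-style client, e.g. lambda r: boto3.client("acm", region_name=r)."""
    rows = []
    for region in regions:
        acm, token = make_client(region), None
        while True:  # ACM pages results; a partial walk would silently miss certificates
            page = acm.list_certificates(**({"NextToken": token} if token else {}))
            for c in page.get("CertificateSummaryList", []):
                rows.append({"region": region, "arn": c["CertificateArn"], "domain": c["DomainName"],
                             "key_algorithm": c.get("KeyAlgorithm"), "not_after": c.get("NotAfter")})
            token = page.get("NextToken")
            if not token:
                break
    return rows

def compliance_findings(rows, now):
    """Flag keys outside policy and certificates expiring inside the warning window."""
    horizon = now + timedelta(days=EXPIRY_WARNING_DAYS)
    findings = []
    for r in rows:
        if r["key_algorithm"] and r["key_algorithm"] not in ALLOWED_KEY_ALGORITHMS:
            findings.append((r["region"], r["domain"], f"weak key {r['key_algorithm']}"))
        if r["not_after"] and r["not_after"] <= horizon:
            findings.append((r["region"], r["domain"], f"expires {r['not_after'].date()}"))
    return findings

# Constructed sample data standing in for real ACM responses, so the example runs offline.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
def _cert(region, name, domain, alg, days):
    return {"CertificateArn": f"arn:aws:acm:{region}:111122223333:certificate/{name}",
            "DomainName": domain, "KeyAlgorithm": alg, "NotAfter": NOW + timedelta(days=days)}
class FakeAcm:
    """Minimal stand-in for boto3's ACM client: serves pre-built pages joined by NextToken."""
    def __init__(self, pages): self.pages = pages
    def list_certificates(self, NextToken=None, **_):
        i = int(NextToken or 0)
        page = {"CertificateSummaryList": self.pages[i]}
        if i + 1 < len(self.pages): page["NextToken"] = str(i + 1)
        return page
SAMPLE = {"us-east-1": [[_cert("us-east-1", "a1", "www.example.com", "RSA_2048", 150)],
                        [_cert("us-east-1", "a2", "legacy.example.com", "RSA_1024", 10)]],
          "eu-west-1": [[_cert("eu-west-1", "b1", "www.example.com", "EC_prime256v1", 200)]]}
def demo():
    rows = build_inventory(sorted(SAMPLE), lambda r: FakeAcm(SAMPLE[r]))
    return rows, compliance_findings(rows, NOW)
```

Note that www.example.com shows up twice, once per region, which is exactly the duplicated per-region certificate the text describes; an inventory that stopped at one region would never see the second copy.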
For organizations operating under regulatory scrutiny, this gap compounds over time, particularly as cryptographic requirements evolve and certificate volumes grow. A CLM platform with compliance policy enforcement and reporting features can close this gap by generating audit-ready documentation, enforcing organization-wide PKI policies, and providing complete and real-time visibility into your compliance posture regardless of certificate type and location.
Vendor lock-in risk
Leveraging ACM means tying your certificate operations exclusively to AWS, which complicates multi-cloud strategies, cloud migrations, and workload portability. This becomes increasingly consequential as the industry undergoes two converging shifts: the CA/Browser Forum’s phased validity reduction (currently at 200 days and moving toward 47 days by 2029) is driving the need for automated, platform-agnostic certificate lifecycle management at scale; and NIST’s post-quantum cryptography migration timeline requires organizations to deprecate legacy RSA and ECC by 2030 and fully replace them by 2035. Navigating both transitions requires crypto-agility: the ability to swap algorithms, CAs, and deployment targets without dependency on a single platform. That flexibility is difficult to build when your certificate management is architecturally bound to one provider.
ACM feature comparison
Having a clear understanding of the limitations of ACM is crucial to figuring out what features you need to look for in your preferred CLM service. The table below outlines the different ACM capabilities alongside the most common enterprise requirements:
| Capability | AWS Certificate Manager | Enterprise Requirement |
|---|---|---|
| Public certificate issuance | Free for ACM-integrated services | Across all environments and CAs |
| Private key export | Not available for free certs; paid export option exists | Required for on-prem and third-party deployments |
| Automated deployment | ACM-integrated AWS services only | Across all infrastructure, regardless of provider |
| Multi-cloud visibility | Single account and region only | Unified dashboard across AWS, Azure, GCP, and on-prem |
| Compliance reporting | Requires custom Config rules or Security Hub | Built-in audit trails for PCI DSS, HIPAA, SOC 2, DORA |
| Non-AWS infrastructure integration | Not supported natively | Must-have for F5, NGINX, Kubernetes, Citrix, etc. |
How do I evaluate CLM platforms?
Once your team has mapped out your entire certificate environment, you can begin evaluating CLM platforms and check which of ACM’s limitations may be an operational speedbump. To start off, you can try answering the following questions to help establish your actual scope:
- How many of your certificates are housed outside AWS-managed services?
- What is your average processing time for manual certificate deployment versus automated deployment?
- How many CAs are you managing, and can you monitor them from a single place?
- Do you have a centralized view of your certificate ecosystem (certificate location, expiration dates, cryptographic compliance status, etc.)?
- Is your organization ready for shorter certificate validity periods and the increased demand for renewals?
When is ACM Sufficient?
To find out if ACM alone can meet your business needs or if you would benefit more from a platform-agnostic approach to certificate lifecycle management, check the table below:
| Scenario | ACM Likely Sufficient | Platform-Agnostic Solution Recommended |
|---|---|---|
| 100% AWS-native workloads, single region | Yes | No |
| Multi-cloud (AWS + Azure and/or GCP) | No | Yes |
| Hybrid cloud with a significant on-prem footprint | No | Yes |
| Fewer than 100 certificates, all on AWS services | Yes | No |
| 1,000+ certificates across multiple CAs and environments | No | Yes |
| Strict compliance/audit requirements (PCI, HIPAA, SOC 2) | No | Yes |
| Kubernetes and containerized workloads across multiple clouds | No | Yes |
| Single team, single AWS account, simple architecture | Yes | No |
| Preparing for 47-day validity with any non-AWS endpoints | No | Yes |
Enhance your certificate management system with AppViewX
A solid certificate infrastructure is one of the cornerstones of an effective security system. It should empower your team to work across any environment, prepare for algorithm shifts, and adapt to regulatory changes without friction. With AppViewX, this can be achieved because:
- You get complete visibility over your certificate posture with the help of CLM Smart Discovery, which can scan across AWS, Azure, GCP, on-premise, Kubernetes, and CT logs in a single dashboard.
- You can automate at scale with its closed-loop automation for certificate provisioning and renewals, reducing the chances of human errors disrupting operations.
- You can future-proof your security posture with its built-in support for PQC readiness, so your team can get ahead of the imminent cryptographic transition.
Do you want your certificate management systems to go beyond the boundaries of ACM? Book a demo with AppViewX now!