Documentation: AWS ACM Certificate Auto-Renewal Policy (Unused Certificates) #14

@opensource-pathon-robotics

Description

Documentation: AWS ACM Certificate Auto-Renewal Policy (Unused Certificates)

Context:
We recently audited the AWS Certificate Manager (ACM) dashboard for our domain *.pathonai.org and observed that the SSL/TLS certificate was marked with a status of Renewal eligibility: Ineligible shortly before expiration.

This documentation serves to clarify why this occurs and establish best practices for managing SSL certificates in our AWS infrastructure, particularly for open-source domains that may not be permanently bound to active compute resources.

The AWS ACM Policy (Why it happens):
AWS provides free public SSL/TLS certificates via ACM. However, to prevent abuse and manage resources, AWS enforces a strict automatic renewal policy:

  • Active Certificates (In use: Yes): If a certificate is attached to an active AWS resource (e.g., an Application Load Balancer, API Gateway, or CloudFront distribution) and the DNS CNAME validation record is present, ACM will automatically renew the certificate 60 days before expiration.
  • Idle Certificates (In use: No): If a certificate is provisioned but sits idle in the account without being bound to any active AWS resource, ACM immediately flags it as Ineligible for automatic renewal. AWS will intentionally allow the certificate to expire.

Actionable Guidelines for the Team:

  1. Do not panic on Ineligible warnings: If you see an expiration warning for a certificate that is In use: No, this is expected AWS behavior. No active services or endpoints will experience downtime because the certificate is not actively serving traffic.
  2. Delete idle certificates: To keep the ACM dashboard clean, it is best practice to manually delete certificates that are no longer attached to infrastructure.
  3. Provision Just-in-Time: Because AWS issues ACM certificates instantly and for free, there is no need to "hoard" or pre-provision certificates months in advance. Only request a new certificate for *.pathonai.org when you are actively deploying the CloudFront distribution or Load Balancer that will consume it.
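To make the policy above and the guidelines actionable, the following script (an added example for this issue, not something in the project's repository) audits every certificate in an account the way the dashboard does: it separates the expected noise (In use: No, so Ineligible) from the one case that can actually cause downtime (a certificate that is attached to a resource but that ACM cannot renew, for example an imported certificate), and lists idle or expired certificates as deletion candidates. The dictionary shape matches what boto3's `acm.describe_certificate()` returns (`CertificateArn`, `DomainName`, `InUseBy`, `RenewalEligibility`, `NotAfter`); the sample certificates, ARNs and dates are constructed for the demonstration, and only the `*.pathonai.org` domain comes from the issue.

```python
"""Audit ACM certificates for renewal eligibility and idle/expired state.

Added example, not part of the original issue. Works offline on the
constructed SAMPLE_CERTS; fetch_from_acm() pulls live data with boto3.
"""
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 60  # the issue states ACM renews 60 days before expiry


def classify(cert, now, window_days=RENEWAL_WINDOW_DAYS):
    """Classify one describe_certificate()['Certificate'] dict.

    expired               NotAfter is already in the past
    idle                  InUseBy is empty: ACM will not renew it (expected noise)
    in-use-not-renewable  bound to a resource but ACM cannot renew it
                          (e.g. an imported certificate); needs manual replacement
    in-use-renewing       bound and inside the renewal window; ACM should handle it
    in-use-ok             bound and not yet due
    """
    days_left = (cert["NotAfter"] - now).days
    in_use = bool(cert.get("InUseBy"))
    eligible = cert.get("RenewalEligibility") == "ELIGIBLE"
    if days_left < 0:
        state = "expired"
    elif not in_use:
        state = "idle"
    elif not eligible:
        state = "in-use-not-renewable"
    elif days_left <= window_days:
        state = "in-use-renewing"
    else:
        state = "in-use-ok"
    return {"arn": cert["CertificateArn"], "domain": cert["DomainName"],
            "state": state, "days_left": days_left}


def audit(certs, now=None):
    now = now or datetime.now(timezone.utc)
    return [classify(c, now) for c in certs]


def needs_attention(findings):
    """Only in-use certificates that ACM will not renew can cause an outage."""
    return [f for f in findings if f["state"] == "in-use-not-renewable"]


def deletion_candidates(findings):
    """Idle and expired certificates: safe to remove per guideline 2."""
    return [f["arn"] for f in findings if f["state"] in ("idle", "expired")]


def fetch_from_acm(region_name="us-east-1"):
    """Live data via boto3 (real API calls, needs credentials).
    CloudFront only uses certificates from us-east-1, hence the default."""
    import boto3  # imported lazily so the rest of the module runs offline
    acm = boto3.client("acm", region_name=region_name)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            arn = summary["CertificateArn"]
            certs.append(acm.describe_certificate(CertificateArn=arn)["Certificate"])
    return certs


# Constructed reference time and certificates (ARNs and dates are made up).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCT = "arn:aws:acm:us-east-1:111111111111:certificate/"
SAMPLE_CERTS = [
    {"CertificateArn": ACCT + "idle-wildcard", "DomainName": "*.pathonai.org",
     "InUseBy": [], "RenewalEligibility": "INELIGIBLE",
     "NotAfter": NOW + timedelta(days=20)},
    {"CertificateArn": ACCT + "cdn-wildcard", "DomainName": "*.pathonai.org",
     "InUseBy": ["arn:aws:cloudfront::111111111111:distribution/EXAMPLE"],
     "RenewalEligibility": "ELIGIBLE", "NotAfter": NOW + timedelta(days=45)},
    {"CertificateArn": ACCT + "api-cert", "DomainName": "api.pathonai.org",
     "InUseBy": ["arn:aws:apigateway:us-east-1::/domainnames/api.pathonai.org"],
     "RenewalEligibility": "ELIGIBLE", "NotAfter": NOW + timedelta(days=200)},
    {"CertificateArn": ACCT + "old-wildcard", "DomainName": "*.pathonai.org",
     "InUseBy": [], "RenewalEligibility": "INELIGIBLE",
     "NotAfter": NOW - timedelta(days=3)},
    {"CertificateArn": ACCT + "imported-alb", "DomainName": "lb.pathonai.org",
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/x/y"],
     "RenewalEligibility": "INELIGIBLE", "NotAfter": NOW + timedelta(days=30)},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CERTS, NOW):
        print(f"{f['state']:22} {f['days_left']:5d}d  {f['domain']:20} {f['arn']}")
    print("needs attention:", [f["arn"] for f in needs_attention(audit(SAMPLE_CERTS, NOW))])
    print("safe to delete:", deletion_candidates(audit(SAMPLE_CERTS, NOW)))
```

Run it as-is to see the classification of the constructed sample; replace `SAMPLE_CERTS` with `fetch_from_acm()` to audit a real account. Deletion is deliberately left as a returned list rather than an `acm.delete_certificate()` call, so the script can run from a read-only role in CI and a human confirms the candidates before anything is removed.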
