AWS Blogs, 10 hours ago
AWS Certificate Manager introduces exportable public SSL/TLS certificates to use anywhere

AWS Certificate Manager (ACM) now supports exporting public SSL/TLS certificates together with their private keys, so they can be used on Amazon EC2 instances, containers, or on-premises hosts. You request the certificate in the ACM console with export enabled, or do the same with the AWS CLI. Exported certificates are valid for 395 days and are issued by Amazon Trust Services, which is widely trusted by the major platforms and browsers.

🔑 **Export workflow:** In the ACM console, you first request a new exportable public certificate and enable export at request time. Alternatively, request it with the AWS CLI `request-certificate` command and set the `Export=ENABLED` option.

✅ **Certificate validation:** After requesting the public certificate, you must validate ownership of the domain name to prove that you control it. The certificate is usually issued within seconds of successful domain validation.

📤 **Certificate export:** Once the certificate status becomes "Issued", choose "Export" to export the public certificate. During export you set a passphrase for the private key and generate the PEM encoding.

💡 **Use cases:** The exported public certificate can be used for any workload that needs SSL/TLS communication, for example Amazon EC2 instances, by configuring SSL/TLS on that host.

⚠️ **Things to note:** Administrators can use AWS IAM policies to authorize which roles and users may request exportable public certificates. The exported private key must be protected, and certificate revocation and renewal need attention.

Today, we're announcing exportable public SSL/TLS certificates from [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/). Prior to this launch, you could [issue your public certificates](https://docs.aws.amazon.com/acm/latest/userguide/acm-public-certificates.html) or [import certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) issued by third-party certificate authorities (CAs) at no additional cost, and deploy them with integrated AWS services such as [Elastic Load Balancing (ELB)](https://aws.amazon.com/elasticloadbalancing/), [Amazon CloudFront](https://aws.amazon.com/cloudfront) distributions, and [Amazon API Gateway](https://aws.amazon.com/api-gateway).

Now you can export public certificates from ACM, get access to the private keys, and use them on any workloads running on [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2) instances, containers, or on-premises hosts. Exportable public certificates are valid for 395 days. There is a charge at the time of issuance, and again at the time of renewal. Public certificates exported from ACM are issued by [Amazon Trust Services](https://www.amazontrust.com/repository/) and are widely trusted by commonly used platforms such as Apple and Microsoft and popular web browsers such as Google Chrome and Mozilla Firefox.

**ACM exportable public certificates in action**

To export a public certificate, you first request a new exportable public certificate. You cannot export previously created public certificates.

To get started, choose **Request certificate** in the [ACM console](https://console.aws.amazon.com/acm/home#/certificates/request) and choose **Enable export** in the **Allow export** section. If you select **Disable export**, the private key for this certificate cannot be exported from ACM, and this cannot be changed after certificate issuance.

![](https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/12/2025-acm-exportable-certificates-1-create.jpg)

You can also use the `request-certificate` command to request a public exportable certificate with the `Export=ENABLED` option on the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/). Both keys of `--options` go in one comma-separated shorthand value:

```bash
# Certificate Transparency logging is disabled here as in the original post; browsers that
# enforce CT (Chrome, Safari) may not trust a public certificate that is not logged.
aws acm request-certificate \
  --domain-name mydomain.com \
  --key-algorithm EC_Prime256v1 \
  --validation-method DNS \
  --idempotency-token <token> \
  --options CertificateTransparencyLoggingPreference=DISABLED,Export=ENABLED
```

After you request the public certificate, you must validate your domain name to prove that you own or control the domain for which you are requesting the certificate. The certificate is typically issued within seconds after successful domain validation.

When the certificate enters the **Issued** status, you can export your issued public certificate by choosing **Export**.

![Export your public certificate](https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/08/2025-acm-exportable-certificates-2-export.jpg)

Enter a passphrase for encrypting the private key. You will need the passphrase later to decrypt the private key. To get the public key, choose **Generate PEM Encoding**.

![](https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/16/2025-acm-exportable-certificates-3-export.png)

You can copy the PEM-encoded certificate, certificate chain, and private key, or download each to a separate file.

![Download PEM keys](https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/08/2025-acm-exportable-certificates-4-download-PEM-keys.jpg)

You can use the `export-certificate` command to export a public certificate and private key. For added security, write your passphrase to a file with an editor and send the output keys to a file, so that neither ends up in the command history. The `jq` filter below uses string interpolation (`\(...)`) to concatenate the three PEM blocks:

```bash
aws acm export-certificate \
  --certificate-arn arn:aws:acm:us-east-1:<accountID>:certificate/<certificateID> \
  --passphrase fileb://path-to-passphrase-file \
  | jq -r '"\(.Certificate)\(.CertificateChain)\(.PrivateKey)"' \
  > /tmp/export.txt
```

You can now use the exported public certificates for any workload that requires SSL/TLS communication, such as Amazon EC2 instances. To learn more, visit [Configure SSL/TLS on Amazon Linux](https://docs.aws.amazon.com/linux/al2/ug/SSL-on-amazon-linux-2.html) for your EC2 instances.

**Things to know**

Here are a couple of things to know about exportable public certificates:

- **Key security** – An administrator of your organization can set AWS IAM policies to authorize the roles and users who can request exportable public certificates. ACM users who currently have rights to issue a certificate automatically get rights to issue an exportable certificate. ACM admins can also manage the certificates and take actions such as revoking or deleting them. You should protect exported private keys using secure storage and access controls.
- **Revocation** – You may need to revoke exportable public certificates to comply with your organization's policies or to mitigate key compromise. You can only revoke certificates that were previously exported. The certificate revocation process is global and permanent. Once revoked, you can't retrieve revoked certificates to reuse them. To learn more, visit [Revoke a public certificate](http://docs.aws.amazon.com/acm/latest/userguide/revoke-certificate.html) in the AWS documentation.
- **Renewal** – You can use [Amazon EventBridge](https://aws.amazon.com/eventbridge/) to monitor renewal events for exportable public certificates and build automation that deploys the renewed certificate when renewals occur. To learn more, visit [Using Amazon EventBridge](https://docs.aws.amazon.com/acm/latest/userguide/cloudwatch-events.html) in the AWS documentation. You can also renew these certificates on demand. When you renew the certificates, you're charged for a new certificate issuance. To learn more, visit [Force certificate renewal](http://docs.aws.amazon.com/acm/latest/userguide/force-certificate-renewal.html) in the AWS documentation.

**Now available**

You can now issue exportable public certificates from ACM and export the certificate with its private key to use on other compute workloads, as well as with ELB, Amazon CloudFront, and Amazon API Gateway.

You are subject to additional charges for an exportable public certificate when you create it with ACM. It costs $15 per fully qualified domain name and $149 per wildcard domain name. You only pay once during the lifetime of the certificate and will be charged again only when the certificate renews. To learn more, visit the [AWS Certificate Manager Service Pricing](https://aws.amazon.com/certificate-manager/pricing/) page.

Give ACM exportable public certificates a try in the [ACM console](https://console.aws.amazon.com/acm/home#/certificates/request). To learn more, visit the [ACM documentation page](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) and send feedback to [AWS re:Post for ACM](https://repost.aws/tags/TAJ7zd4vjzSfC_8JNlsbq2tA/aws-certificate-manager) or through your usual AWS Support contacts.

— [Channy](https://twitter.com/channyun)
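A pre-deployment check for the bundle the Export step produces, added here as an example and not part of the AWS post or of ACM itself: given the certificate, chain and passphrase-encrypted private key files plus the passphrase file the post recommends, it decrypts the key into an owner-only file, confirms the key belongs to the certificate, verifies the chain, and reports whether renewal is due. The demo bundle at the bottom is a constructed self-signed stand-in; the file names, the `example.test` subject and the passphrase are assumptions, and only `openssl` is required.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS post or from ACM: pre-deployment checks on an exported bundle.
# Inputs are the files the Export step produces (certificate, chain, passphrase-encrypted private
# key in PKCS#8 form) plus the passphrase file the post recommends. Only openssl is required.
set -euo pipefail

# Decrypt the key into an owner-only file, confirm it belongs to the certificate, verify the chain.
# Intermediates from the bundle are untrusted input; the trust anchor is the system store unless a
# CA bundle is passed as the 6th argument (the self-signed demo below needs that).
verify_acm_export() {
  local cert=$1 chain=$2 enc_key=$3 pass_file=$4 out_key=$5 ca_bundle=${6:-}
  (umask 077 && rm -f "$out_key" && openssl pkey -in "$enc_key" -passin "file:$pass_file" -out "$out_key") \
    || { echo "could not decrypt private key (wrong passphrase?)" >&2; return 1; }
  if [ "$(openssl pkey -in "$out_key" -pubout)" != "$(openssl x509 -in "$cert" -noout -pubkey)" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi
  if [ -n "$ca_bundle" ]; then
    openssl verify -CAfile "$ca_bundle" -untrusted "$chain" "$cert" >/dev/null
  else
    openssl verify -untrusted "$chain" "$cert" >/dev/null
  fi
}

# Exit 0 if the certificate expires within N days (time to plan the renewal), 1 otherwise.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed stand-in for a real export (an assumption, not ACM output): a self-signed EC P-256
# leaf, the key type the post requests, valid 395 days like an ACM certificate, with the key
# encrypted under a file passphrase in the same PKCS#8 form ACM delivers.
make_demo_bundle() {
  local d=$1
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/plain.key"
  openssl req -x509 -new -key "$d/plain.key" -days 395 -subj "/CN=example.test" -out "$d/cert.pem"
  printf 'demo-passphrase\n' > "$d/pass.txt"
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$d/plain.key" -passout "file:$d/pass.txt" -out "$d/key.enc.pem"
  cp "$d/cert.pem" "$d/chain.pem"   # a self-signed leaf is its own chain and its own trust anchor
  rm -f "$d/plain.key"
}

demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir"
verify_acm_export "$demo_dir/cert.pem" "$demo_dir/chain.pem" "$demo_dir/key.enc.pem" \
  "$demo_dir/pass.txt" "$demo_dir/key.pem" "$demo_dir/cert.pem" && echo "bundle OK: key matches, chain verifies"
expires_within_days "$demo_dir/cert.pem" 30 || echo "more than 30 days of validity left"
```

For a real ACM bundle, omit the sixth argument so the chain is checked against the host's trust store rather than against the bundle's own certificates.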
