Why is my ACM certificate marked as ineligible for renewal?


I want to renew my AWS Certificate Manager (ACM) certificate, but the certificate details show that it's ineligible for renewal.

Short description

ACM certificates might be ineligible for renewal when any of the following are true:

  • The certificate isn't associated with another AWS service.
  • The certificate is expired.
  • The certificate is imported.
  • You used the IssueCertificate API call to issue a private certificate.

Resolution

Use the ACM console or the AWS Command Line Interface (AWS CLI) to list detailed metadata about your certificates. Then, complete the following tasks based on your use case.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

The certificate isn't associated with another AWS service

You must associate your ACM certificate with another AWS service, such as Elastic Load Balancing.

If the In use? value in the certificate details is No, then your ACM certificate isn't associated with an AWS service.

For a list of AWS services that ACM supports, see Services integrated with AWS Certificate Manager.

The certificate is expired

Expired certificates aren't eligible for renewal. If the certificate is expired, then request a new certificate. For more information, see Check a certificate's renewal status.

The certificate is imported

ACM doesn't provide managed renewal for imported certificates. To renew an imported certificate, request a new certificate from your certificate issuer. Then, manually reimport the certificate into ACM.

Private certificate issued with the IssueCertificate API call

When you use the AWS Private Certificate Authority IssueCertificate API to issue a private certificate, ACM doesn't manage the renewal.

Before the certificate expires, request a new certificate from your CA. For more information, see Managed renewal for ACM certificates.
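As an added example (not part of the original article and not AWS tooling), the following Python sketch applies the checks above to certificate metadata shaped like the Certificate object in `aws acm describe-certificate` output, and orders ineligible certificates by how soon they expire. The sample records, ARNs, and dates are constructed and the function names are hypothetical; the IssueCertificate case isn't detected from these fields and falls through to the last branch.

```python
from datetime import datetime, timezone

ARN = "arn:aws:acm:us-east-1:111122223333:certificate/"  # placeholder account and Region
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)           # fixed clock for the sample

# Constructed Certificate objects, shaped like `aws acm describe-certificate` output.
SAMPLE = [
    {"CertificateArn": ARN + "example-a", "Type": "AMAZON_ISSUED", "Status": "ISSUED",
     "InUseBy": [], "RenewalEligibility": "INELIGIBLE", "NotAfter": "2030-03-01T00:00:00+00:00"},
    {"CertificateArn": ARN + "example-b", "Type": "IMPORTED", "Status": "ISSUED",
     "InUseBy": ["arn:aws:elasticloadbalancing:placeholder"],
     "RenewalEligibility": "INELIGIBLE", "NotAfter": "2030-01-15T00:00:00+00:00"},
    {"CertificateArn": ARN + "example-c", "Type": "AMAZON_ISSUED", "Status": "EXPIRED",
     "InUseBy": [], "RenewalEligibility": "INELIGIBLE", "NotAfter": "2029-12-01T00:00:00+00:00"},
    {"CertificateArn": ARN + "example-d", "Type": "AMAZON_ISSUED", "Status": "ISSUED",
     "InUseBy": ["arn:aws:elasticloadbalancing:placeholder"],
     "RenewalEligibility": "ELIGIBLE", "NotAfter": "2030-06-01T00:00:00+00:00"},
]

def renewal_blocker(cert):
    """Return the first cause from this article that explains an ineligible certificate."""
    if cert.get("Type") == "IMPORTED":
        return "imported: get a new certificate from the issuer, then reimport it"
    if cert.get("Status") == "EXPIRED":
        return "expired: request a new certificate"
    if not cert.get("InUseBy"):
        return "not in use: associate it with an integrated AWS service"
    return "no cause visible in these fields: check how the certificate was issued"

def triage(certs, now):
    """Return (arn, days_until_expiry, cause) for ineligible certificates, soonest expiry first."""
    rows = []
    for cert in certs:
        if cert.get("RenewalEligibility") != "INELIGIBLE":
            continue
        days = (datetime.fromisoformat(cert["NotAfter"]) - now).days
        rows.append((cert["CertificateArn"], days, renewal_blocker(cert)))
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for arn, days, cause in triage(SAMPLE, NOW):
        print(f"{days:>5} days  {arn}  {cause}")
```
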

Related information

Troubleshooting certificate validation

Issuing and managing certificates

AWS OFFICIAL, updated 8 months ago
4 Comments

I've noticed that exporting an internal certificate can change the status from ineligible to eligible. In my case, the internal certificate I was generating was not directly associated with an AWS service but with a web server that was running on an EC2 instance.

AWS
replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

I just requested a new certificate, but it still shows ineligible? When I go to the website, it shows "Not secure".

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied a year ago