I'm not working for AWS and don't speak for them, but based on general professional experience, I'd guess that one of the main reasons why the type or size can't be changed (whether using ACM-issued or imported certificates) is that the many services that use the certificates, such as load balancers or CloudFront distributions, probably require being notified and consulted on the certificate type changing. That might involve the target service confirming that it supports the new key type/size, that service-specific quotas aren't exceeded, that any restrictions that might be applied via IAM policies are properly enforced, and any number of other potential considerations.
For example, you could conceivably have your own custom IAM policy that would require that certificates developers associate with their load balancers or API Gateways meet certain type and size requirements. If ACM allowed the certificate to be changed to a different type in place, that check done by the ELB or API Gateway services would get silently bypassed, directly conflicting with the option of applying such policy-based enforcements in an integrated service.
As you discovered, you'll have to create new certificates either issued by ACM or imported from an external CA and tell the associated services, such as load balancers and CloudFront distributions, to switch to the new certificates. You can see in each certificate's properties in ACM which services are using it.
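As an added example that is not part of the answer above and not AWS's own code: the two facts the answer points at, the certificate's KeyAlgorithm and its InUseBy list from `aws acm describe-certificate`, are enough to check a replacement certificate before you start re-pointing consumers and to spell out the per-service switch commands. The script below works on that response shape offline. The certificate ARNs, distribution ID, load balancer ARN, domain name and the allowed-key-algorithm set are constructed for the example; the API Gateway step assumes an edge-optimized custom domain (regional domains patch `/regionalCertificateArn` instead).

```python
"""Check an ACM replacement certificate and plan the switch per consumer.

Added example, not code from the original post or from AWS. It parses the
fields of `aws acm describe-certificate` output that matter for a swap
(KeyAlgorithm, InUseBy), rejects a replacement that violates a key policy
or lands in the wrong region for a consumer, and emits CLI commands.
All sample data below is constructed; nothing here calls AWS.
"""
import re

ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d*):(?P<resource>.+)$"
)

# Constructed DescribeCertificate responses, trimmed to the fields used here.
OLD_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-1111-1111-1111-111111111111",
    "KeyAlgorithm": "RSA_2048",
    "InUseBy": [
        "arn:aws:cloudfront::123456789012:distribution/E2EXAMPLE",
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/50dc6c495c0c9188",
        "arn:aws:apigateway:us-east-1::/domainnames/api.example.com",
    ],
}
NEW_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/22222222-2222-2222-2222-222222222222",
    "KeyAlgorithm": "EC_prime256v1",
    "InUseBy": [],
}
# Stand-in for the policy the answer describes (assumed values).
ALLOWED_KEY_ALGORITHMS = {"RSA_2048", "RSA_3072", "EC_prime256v1"}


def parse_arn(arn):
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.groupdict()


def required_cert_region(consumer_arn):
    """Region the consumer needs its ACM certificate to live in.

    CloudFront only accepts ACM certificates from us-east-1; regional
    services need the certificate in their own region. Edge-optimized API
    Gateway domains also need us-east-1; this script treats API Gateway by
    the region in its ARN, which is correct for regional domains.
    """
    p = parse_arn(consumer_arn)
    return "us-east-1" if p["service"] == "cloudfront" else p["region"]


def check_replacement(old_cert, new_cert, allowed_key_algorithms):
    """Return problems that would make the swap fail or violate policy."""
    problems = []
    if new_cert["KeyAlgorithm"] not in allowed_key_algorithms:
        problems.append(f"key algorithm {new_cert['KeyAlgorithm']} not allowed")
    new_region = parse_arn(new_cert["CertificateArn"])["region"]
    for arn in old_cert["InUseBy"]:
        need = required_cert_region(arn)
        if need != new_region:
            problems.append(f"{arn} needs a certificate in {need}, replacement is in {new_region}")
    return problems


def plan_switch(old_cert, new_cert):
    """CLI commands (placeholders in <>) to re-point each consumer."""
    new_arn = new_cert["CertificateArn"]
    cmds = []
    for arn in old_cert["InUseBy"]:
        service = parse_arn(arn)["service"]
        if service == "elasticloadbalancing":
            # InUseBy names the load balancer; the certificate sits on its HTTPS listener.
            cmds.append(f"aws elbv2 describe-listeners --load-balancer-arn {arn} "
                        "--query 'Listeners[?Protocol==`HTTPS`].ListenerArn' --output text")
            cmds.append(f"aws elbv2 modify-listener --listener-arn <LISTENER_ARN> "
                        f"--certificates CertificateArn={new_arn}")
        elif service == "cloudfront":
            dist_id = arn.rsplit("/", 1)[1]
            # Save DistributionConfig to config.json, set ViewerCertificate.ACMCertificateArn, keep the ETag.
            cmds.append(f"aws cloudfront get-distribution-config --id {dist_id}")
            cmds.append(f"aws cloudfront update-distribution --id {dist_id} "
                        "--if-match <ETAG> --distribution-config file://config.json")
        elif service == "apigateway":
            domain = arn.rsplit("/", 1)[1]
            cmds.append(f"aws apigateway update-domain-name --domain-name {domain} "
                        f"--patch-operations op=replace,path=/certificateArn,value={new_arn}")
        else:
            cmds.append(f"# {arn}: no automated step for service {service}; switch it by hand")
    return cmds


def safe_to_delete(cert):
    """ACM refuses to delete a certificate that is still in use; check first."""
    return not cert["InUseBy"]


if __name__ == "__main__":
    for problem in check_replacement(OLD_CERT, NEW_CERT, ALLOWED_KEY_ALGORITHMS):
        print("PROBLEM:", problem)
    for cmd in plan_switch(OLD_CERT, NEW_CERT):
        print(cmd)
    print("old certificate deletable now:", safe_to_delete(OLD_CERT))
```

Run the checks against the real responses by feeding `aws acm describe-certificate --certificate-arn ... --query Certificate` output into the same functions; re-run `describe-certificate` on the old certificate after the switches and delete it only once `InUseBy` is empty.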