For Agents
Provision, list, import, and delete SSL/TLS certificates for AWS resources, and manage tags and account-level configuration through 15 ACM operations.
Get started with AWS Certificate Manager in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"request a public ssl certificate"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with AWS Certificate Manager API.
Request public ACM certificates for one or more domain names with DNS or email validation
Import third-party certificates into ACM so they can be deployed onto AWS load balancers and CloudFront
List and describe issued certificates with their domain coverage, validation state, and expiry
Export private certificates from ACM Private CA in PEM format with passphrase protection
Use for: I want to request a public SSL certificate for example.com, List all SSL certificates issued in a region, Get the metadata for a specific ACM certificate by ARN, Import a third-party SSL certificate into ACM
Not supported: Does not handle DNS hosting, web application firewall rules, or KMS key management — use for SSL/TLS certificate issuance, import, and lifecycle on AWS only.
Jentic publishes the only available OpenAPI specification for AWS Certificate Manager, keeping it validated and agent-ready. AWS Certificate Manager (ACM) provisions, manages, and deploys SSL/TLS certificates for AWS resources such as Elastic Load Balancers, CloudFront distributions, and API Gateway endpoints. The API exposes 15 operations covering certificate request, import, listing, deletion, tagging, and account-level configuration, so platform teams can automate certificate lifecycle and avoid expiry-related outages.
Tag certificates for cost allocation and apply account-level transparency-logging configuration
Patterns agents use AWS Certificate Manager API for, with concrete tasks.
★ Automate Public Certificate Issuance
Platform teams use ACM to issue and renew public SSL/TLS certificates for production domains without manual intervention. The RequestCertificate operation creates a new certificate for the requested domain names, and ACM auto-renews validated public certificates before expiry. Combining DNS validation with Route 53 means the entire issuance flow can be automated end to end in a few seconds, with renewal handled silently behind the scenes.
Call RequestCertificate with DomainName=api.example.com and ValidationMethod=DNS, then poll DescribeCertificate until Status is ISSUED
Certificate Inventory and Expiry Monitoring
Security teams use ListCertificates and DescribeCertificate to maintain an inventory of issued and imported certificates, surfacing those approaching expiry. ACM tags returned by ListTagsForCertificate let the inventory be filtered by environment or owner so notifications can be routed to the right team well before an outage risk.
Call ListCertificates, then DescribeCertificate for each ARN, and report any certificate with NotAfter within the next 30 days
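An added example (not from the original page or from Jentic) of the inventory check described above, written in Python. It assumes a client exposing list_certificates and describe_certificate with the boto3 ACM request and response shapes; StubACM, the sample ARNs and the reference time are constructed so the block runs offline.

```python
from datetime import datetime, timedelta, timezone
# ListCertificates returns only RSA_1024 and RSA_2048 certificates unless
# Includes.keyTypes is supplied, so name every key type for a full inventory.
KEY_TYPES = ["RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
             "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"]

def expiring_certificates(acm, now, days=30):
    """Findings for certificates whose NotAfter is within `days` of `now`."""
    cutoff, findings, token = now + timedelta(days=days), [], None
    while True:
        kwargs = {"Includes": {"keyTypes": KEY_TYPES}}
        if token:
            kwargs["NextToken"] = token
        page = acm.list_certificates(**kwargs)
        for summary in page.get("CertificateSummaryList", []):
            arn = summary["CertificateArn"]
            cert = acm.describe_certificate(CertificateArn=arn)["Certificate"]
            not_after = cert.get("NotAfter")
            if not_after is None:      # not issued yet (e.g. PENDING_VALIDATION)
                continue
            if not_after <= cutoff:    # also catches already-expired certificates
                findings.append({
                    "arn": arn, "domain": cert.get("DomainName"),
                    "days_left": (not_after - now).days,
                    # ACM does not auto-renew imported certificates
                    "manual_reissue": cert.get("Type") == "IMPORTED"})
        token = page.get("NextToken")
        if not token:
            return sorted(findings, key=lambda f: f["days_left"])

class StubACM:
    """Constructed stand-in for a boto3 ACM client; pages two ARNs at a time."""
    def __init__(self, certs):
        self.certs = certs             # {arn: Certificate dict}
    def list_certificates(self, **kwargs):
        arns, start = sorted(self.certs), int(kwargs.get("NextToken", 0))
        page = {"CertificateSummaryList": [{"CertificateArn": a} for a in arns[start:start + 2]]}
        if start + 2 < len(arns):
            page["NextToken"] = str(start + 2)
        return page
    def describe_certificate(self, CertificateArn):
        return {"Certificate": self.certs[CertificateArn]}

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)    # constructed reference time
SAMPLE = StubACM({                                  # constructed sample inventory
    "arn:example:a": {"DomainName": "api.example.com", "Type": "IMPORTED", "NotAfter": NOW + timedelta(days=10)},
    "arn:example:b": {"DomainName": "www.example.com", "Type": "AMAZON_ISSUED", "NotAfter": NOW + timedelta(days=200)},
    "arn:example:c": {"DomainName": "new.example.com", "Type": "AMAZON_ISSUED", "Status": "PENDING_VALIDATION"},
    "arn:example:d": {"DomainName": "old.example.com", "Type": "AMAZON_ISSUED", "NotAfter": NOW - timedelta(days=3)},
})
```

With a real boto3 client, pass `boto3.client("acm")` and `datetime.now(timezone.utc)`; ACM is regional, so the check has to run once per region in use.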
Import Third-Party Certificates
Teams using a non-Amazon certificate authority use ImportCertificate to bring an externally issued PEM certificate, private key, and chain into ACM so it can be deployed onto AWS load balancers and CloudFront. Reissuance from the third party is followed by another ImportCertificate call against the same ARN, which keeps existing AWS resources bound to the same certificate identity.
Call ImportCertificate with Certificate, PrivateKey, and CertificateChain in PEM format, then attach the returned ARN to a load balancer listener
AI Agent Certificate Operator
An AI agent invoked through Jentic operates ACM as part of a wider deploy workflow: it requests a certificate for a new domain, validates it via DNS, and reports the resulting ARN back to a deploy pipeline. The agent searches Jentic for the request-certificate operation, loads its schema, and executes calls without needing to handle SigV4 signing manually.
Search Jentic for request a public ssl certificate, load the RequestCertificate operation, execute it for the target domain, and return the ARN
15 endpoints: Jentic publishes the only available OpenAPI specification for AWS Certificate Manager, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/#X-Amz-Target=CertificateManager.RequestCertificate
Request a new public ACM certificate for one or more domains
/#X-Amz-Target=CertificateManager.ListCertificates
List certificates in the account
/#X-Amz-Target=CertificateManager.DescribeCertificate
Get detailed metadata for a certificate by ARN
/#X-Amz-Target=CertificateManager.ImportCertificate
Import a third-party certificate into ACM
/#X-Amz-Target=CertificateManager.DeleteCertificate
Delete a certificate that is not associated with any AWS resource
/#X-Amz-Target=CertificateManager.ExportCertificate
Export a private certificate including its private key in PEM format
Three things that make agents converge on Jentic-routed access.
Credential isolation
AWS access key id and secret access key for ACM are stored encrypted in the Jentic vault. Jentic performs SigV4 signing server side and supports temporary STS credentials, so the agent never sees the raw secret access key.
Intent-based discovery
Agents search Jentic with phrases like request an ssl certificate or list certificates, and Jentic returns the matching ACM operation with its input schema, so the agent does not have to know the X-Amz-Target operation name format.
Time to first call
Direct integration: 2 to 3 days for SigV4 signing, retry logic, and IAM policy scoping. Through Jentic: under 1 hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Amazon API Gateway
API Gateway custom domain names use ACM certificates for TLS termination
Use API Gateway after ACM when the agent needs to attach a freshly issued certificate to a custom domain on a REST or HTTP API.
Amazon Route 53
Route 53 hosts the DNS records used by ACM for DNS-based domain validation
Use Route 53 alongside ACM when DNS validation records need to be created automatically as part of certificate issuance.
Cloudflare
Cloudflare provides its own certificate issuance and management for resources fronted by Cloudflare
Choose Cloudflare's certificate API when the asset is fronted by Cloudflare instead of AWS; choose ACM when the asset terminates TLS on AWS Elastic Load Balancing, CloudFront, or API Gateway.
Specific to using AWS Certificate Manager API through Jentic.
Why is there no official OpenAPI spec for AWS Certificate Manager?
AWS does not publish an OpenAPI specification for ACM; the official surface is the AWS SDKs and the Smithy model behind them. Jentic generates and maintains this spec so that AI agents and developers can call AWS Certificate Manager via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the AWS Certificate Manager API use?
ACM uses AWS Signature Version 4 (SigV4) signed with an IAM access key id and secret access key, optionally with a session token for temporary credentials. Through Jentic the access key id and secret access key are stored encrypted in the vault and SigV4 signing is performed server side, so the agent never sees the raw secret access key.
Can I auto-renew imported certificates with the AWS Certificate Manager API?
No. ACM only auto-renews certificates that ACM itself issued. Imported certificates must be reissued by the original certificate authority and then ImportCertificate called again against the same ARN to update the cryptographic material while preserving the binding to existing AWS resources.
What are the rate limits for the AWS Certificate Manager API?
ACM applies per-region throttling that varies by operation: read operations like ListCertificates and DescribeCertificate are throttled at higher rates than write operations like RequestCertificate and ImportCertificate. Persistent throttling returns ThrottlingException; back off with exponential delay and retry.
How do I request a public certificate with the AWS Certificate Manager API through Jentic?
Install the SDK with pip install jentic, search Jentic for request a public ssl certificate, load the RequestCertificate operation schema, and execute it with DomainName and ValidationMethod=DNS. Jentic handles SigV4 signing for you and returns the new certificate ARN, which you can then poll with DescribeCertificate.
Can I export the private key of an ACM certificate?
Only for certificates issued by ACM Private CA, via the ExportCertificate operation, which requires a passphrase to encrypt the exported key. Public ACM-issued certificates cannot have their private keys exported by design — they can only be deployed to integrated AWS services.