ACM public certificates are supported for AWS services such as ELB, Amazon CloudFront, AWS Elastic Beanstalk, Amazon API Gateway, and AWS CloudFormation. AWS does not allow us to use the ACM public certificates to enable SSL/TLS on our EC2 instances. ACM private CA issued certificates can, however, be used with EC2 instances, containers, and even our own servers.

AWS does not charge us for the public TLS certificates that are provisioned through ACM. We only need to pay for the AWS resources we create to run our application. However, creating an ACM private certificate authority (CA) is not free. For a private CA, we are charged a monthly fee, as well as for the private certificates we issue. We are not charged once we delete a private CA; however, if we restore a private CA, we will be charged for the time when it was deleted.