Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 62 discussion

It's a third-party certificate, hence AWS cannot manage renewal automatically. The closest thing you can do is to send a notification to renew the 3rd party certificate.

It is D, because ACM does not manage the renewal process for imported certificates. You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire. Check this question on the link below: Q: What types of certificates can I create and manage with ACM? https://www.amazonaws.cn/en/certificate-manager/faqs/#Managed_renewal_and_deployment

D is the most appropriate. C seems like it might work, but the word "Private"makes it ineligible answer. Although I would say is to have ACM renew the public cetificate automatically per the renewal method supported: https://www.amazonaws.cn/en/certificate-manager/faqs/#Managed_renewal_and_deployment Thanks @mabotega for the link to the doc.

Since the certificate is external it needs to be imported and thus D is the most suitable option.

It's D, because ACM doesn't manage the renewal process for imported certificates.

Ans. D Keyword: issued by an external certificate authority ACM cannot rotate certificate automatically if from external CA.

Ans D - hint: we're importing the certificate "...Use AWS Certificate Manager (ACM) to import an SSL/TLS certificate"

Yes it’s D. Here is a clear explanation. Imported certificates – If you want to use a third-party certificate with Amazon CloudFront, Elastic Load Balancing, or Amazon API Gateway, you may import it into ACM using the AWS Management Console, AWS CLI, or ACM APIs. ACM can not renew imported certificates, but it can help you manage the renewal process. You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire. You can use ACM CloudWatch metrics to monitor the expiration dates of an imported certificates and import a new third-party certificate to replace an expiring one. https://www.amazonaws.cn/en/certificate-manager/faqs/#Managed_renewal_and_deployment

"certificate that is issued by an external certificate authority (CA)" AB will create a new certificate in AWS C will also create a new certificate but this is not what PCA are for *=(https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html) D: Import the certificate is correct answer

D - "External CA" --> 'Update Manually'

internal CA are typically trusted only within the organization unless you manually distribute and trust the root certificate elsewhere external CA: Certificates from a well-known external CA are trusted by most browsers and systems by default https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html "Public certificates that you request through ACM are obtained from Amazon Trust Services, an Amazon managed public certificate authority (CA). ... Any browser, application, or OS that includes the Amazon or Starfield roots will trust public certificates obtained from ACM." The answer is A, different story if they said external certificate

: What types of certificates can I create and manage with ACM? https://www.amazonaws.cn/en/certificate-manager/faqs/#Managed_renewal_and_deployment

answer is D

The key points are: Obtain certificate from external CA, not ACM Import the external certificate into ACM Apply imported certificate to the ALB Set up EventBridge rule to trigger notification on certificate expiration Manually renew and rotate the external certificate each year.

Option D is the right answer.

D: With this approach, you import the third-party certificate into ACM, which allows you to centrally manage and apply it to the ALB. By configuring CloudWatch Events, you can receive notifications when the certificate is close to expiring, prompting you to manually initiate the rotation process. A & B: These options assume that the SSL/TLS certificate can be issued directly by ACM. However, since the requirement specifies that the certificate should be issued by an external certificate authority (CA), this option is not suitable. C: ACM Private Certificate Authority is used when you want to create your own private CA and issue certificates from it. It does not support certificates issued by external CAs. Therefore, this option is not suitable for the given requirement.

D is correct, since it's an external certificate