Comparison
AWS Certificate Manager is deeply integrated with AWS services. CertLocker is for teams that also need host-level delivery, hybrid infrastructure, endpoint verification, secrets, SSH access, and audit outside AWS-managed TLS.
| Feature | CertLocker | AWS ACM |
|---|---|---|
| Works on AWS | ✓ | ✓ |
| Works on GCP / Azure | ✓ | ✗ |
| Works on-premises | ✓ | ✗ |
| Works on bare metal | ✓ | ✗ |
| EC2 instance cert delivery | ✓ (private key access) | ✗ (ACM hides private keys) |
| HAProxy / Nginx / OpenVPN support | ✓ Native | ✗ |
| MT4/MT5 support | ✓ | ✗ |
| Internal CA support | ✓ | ✓ (ACM PCA, extra cost) |
| SSH access management | ✓ | ✗ |
| Audit trail | ✓ | ✓ (via CloudTrail) |
| Certificate-scoped access keys | ✓ | ✗ |
| Cost | TBD | ✓ Free for public certs; PCA is ~$400/mo |
ACM's security model intentionally hides private keys from you. That is fine for the load balancers and edges it manages directly (ALB, NLB, CloudFront), but it breaks down the moment you need a cert on anything else.
If you need TLS on an EC2 instance running Nginx directly (not behind a load balancer), ACM can't help you. The same applies to on-premises servers, VMs in other clouds, or any service that needs to hold its own private key.
CertLocker delivers certificate material to approved targets with scoped tokens so only the right machine can access it. That model fits infrastructure that lives outside AWS-managed services, and it keeps the delivery and access trail in one place.
Use ACM where it fits, then use CertLocker for the hosts, services, secrets, probes, and access workflows AWS does not cover.