AWS Certificate Manager DNS validation (original) (raw)

The Domain Name System (DNS) is a directory service for resources that are connected to a network. Your DNS provider maintains a database containing records that define your domain. When you choose DNS validation, ACM provides you with one or more CNAME records that must be added to this database. These records contain a unique key-value pair that serves as proof that you control the domain.

Note

After you create a certificate with email validation, you cannot switch to validating it with DNS. To use DNS validation, delete the certificate and then create a new one that uses DNS validation.

For example, if you request a certificate for the example.com domain with www.example.com as an additional name, ACM creates two CNAME records for you. Each record, created specifically for your domain and your account, contains a name and a value. The value is an alias that points to an AWS domain that ACM uses to automatically renew your certificate. The CNAME records must be added to your DNS database only once. ACM automatically renews your certificate as long as the certificate is in use and your CNAME record remains in place.

Important

If you do not use Amazon Route 53 to manage your public DNS records, contact your DNS provider to find out how to add records. If you lack authority to edit your domain's DNS database, you must use email validation instead.

Without the need to repeat validation, you can request additional ACM certificates for your fully qualified domain name (FQDN) for as long as the CNAME record remains in place. That is, you can create replacement certificates that have the same domain name, or certificates that cover different subdomains. Since the CNAME validation token works for any AWS Region, you can re-create the same certificate in multiple Regions. You can also replace a deleted certificate.

You can stop automatic renewal either by removing the certificate from the AWS service with which it is associated or by deleting the CNAME record. If Route 53 is not your DNS provider, contact your provider to find out how to delete a record. If Route 53 is your provider, see Deleting Resource Record Sets in the Route 53 Developer Guide. For more information about managed certificate renewal, see Managed certificate renewal in AWS Certificate Manager.

Note

CNAME resolution will fail if more than five CNAMEs are chained together in your DNS configuration. If you require a longer chaining, we recommend using email validation.

How CNAME records for ACM work

Note

This section is for customers who do not use Route 53 as their DNS provider.

If you are not using Route 53 as your DNS provider, you need to manually enter CNAME records provided by ACM into your provider's database, usually through a website. CNAME records are used for a number of purposes, including as redirect mechanisms and as containers for vendor-specific metadata. For ACM, these records allow initial domain ownership validation and ongoing automated certificate renewal.

The following table shows example CNAME records for six domain names. Each record's Record Name-Record Value pair serves to authenticate domain name ownership.

In the table, note that the first two Record Name-Record Value pairs are the same. This illustrates that for a wild-card domain, such as*.example.com, the strings created by ACM are the same as those created for its base domain, example.com. Otherwise, the paired Record Name and Record Value differ for each domain name.

Example CNAME records

The xN values following the underscore ( _ ) are long strings generated by ACM. For example,

_3639ac514e785e898d2646601fa951d5.example.com.

is representative of a resulting generated Record Name. The associated Record Value might be

_98d2646601fa951d53639ac514e785e8.acm-validation.aws.

for the same DNS record.

When you request a certificate and specify DNS validation, ACM provides CNAME information in the following format:

Domain Name is the FQDN associated with the certificate. Record Name identifies the record uniquely, serving as the key of the key-value pair. Record Value serves as the value of the key-value pair.

All three of these values (Domain Name,Record Name, and Record Value) must be entered into the appropriates fields of your DNS provider's web interface for adding DNS records. Providers are inconsistent in their handling of the record name (or just "name") field. In some cases, you are expected to provide the entire string as shown above. Other providers automatically append the domain name to whatever string you enter, meaning (in this example) that you should only enter

_a79865eb4cd1a6ab990a45779b4e0b96

into the name field. If you guess wrong about this, and enter a record name that contains a domain name (such as_.example.com_), you might end up with the following:

_a79865eb4cd1a6ab990a45779b4e0b96.example.com.example.com.

Validation will fail in this case. Consequently, you should try to determine in advance which type of input your provider expects.

Setting up DNS validation

This section describes how to configure a public certificate to use DNS validation.

To set up DNS validation in the console

Note

This procedure assumes that you have already created at least one certificate and that you are working in the AWS Region where you created it. If you try to open the console and see the first-use screen instead, or you succeed in opening the console and don't see your certificate in the list, confirm that you have specified the correct Region.

1. Open the ACM console at https://console.aws.amazon.com/acm/.
2. In the list of certificates, choose the Certificate ID of a certificate with status Pending validation that you want to configure. This opens a details page for the certificate.
3. In the Domains section, complete one of the following two procedures:
   1. (Optional) Validate with Route 53.
      An active Create records in Route 53 button appears if the following conditions are true:
      • You use Route 53 as your DNS provider.
      • You have permission to write to the zone hosted by Route 53.
      • Your FQDN has not already been validated.
        Choose the Create records in Route 53 button, then choose Create records. TheCertificate status page should open with a status banner reporting Successfully created DNS records.
        Your new certificate might continue to display a status ofPending validation for up to 30 minutes.

   Tip

   You cannot programmatically request that ACM automatically create your record in Route 53. You can, however, make an AWS CLI or API call to Route 53 to create the record in the Route 53 DNS database. For more information about Route 53 record sets, see Working with Resource Record Sets.
   2. (Optional) If you are not using Route 53 as your DNS provider, you must retrieve the CNAME information and add it your DNS database. On the details page for the new certificate, you can do this in either of two ways:
   * Copy the CNAME components displayed in theDomains section. This information needs to be added manually to your DNS database.
   * Alternatively, choose Export to CSV. The information in the resulting file needs to be added manually to your DNS database.

If ACM is not able to validate the domain name within 72 hours from the time it generates a CNAME value for you, ACM changes the certificate status to Validation timed out. The most likely reason for this result is that you did not successfully update your DNS configuration with the value that ACM generated. To remedy this issue, you must request a new certificate after reviewing the CNAME instructions.