Menu
AWS Certificate Manager
User Guide (Version 1.0)

Validate Domain Ownership

Note

The information on this page applies only to certificates provided by ACM. ACM does not validate domain ownership for certificates that you import into ACM.

You can specify one domain name and multiple alternative names, up to your permitted limit, in your certificate request. For more information about limits, see Limits. Before the Amazon certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must verify that you own or control all of the domains that you specified in the request. ACM does this by sending domain validation email to addresses that are registered to the domains. For each domain name that you include in your certificate request, email is sent to 3 contact addresses in WHOIS and 5 common system addresses for your domain. That is, up to 8 emails will be sent for every domain name you specify in your request. For example, if you specify only 1 domain name, you will receive up to 8 emails. To validate, you must act on 1 of those 8 mails within 72 hours. If you specify 3 domain names, you will receive up to 24 emails. To validate, you must act on 3 of the emails, 1 for each name you specified, within 72 hours.

Email is sent to the following three registered contact addresses in WHOIS:

  • Domain registrant

  • Technical contact

  • Administrative contact

Note

Some registrars allow you to hide your contact information in your WHOIS listing, and others allow you to substitute your real email address with a privacy (or proxy) address. To prevent problems with receiving the domain validation email from ACM, ensure your contact information is visible in WHOIS. If your WHOIS listing shows a privacy email address, ensure that email sent to the privacy address is forwarded to your real email address, or list your real email address instead.

Email is also sent to the following five common system administration addresses where your_domain is a domain name that you entered when you initially requested the certificate.

  • administrator@your_domain

  • hostmaster@your_domain

  • postmaster@your_domain

  • webmaster@your_domain

  • admin@your_domain

For more information about how ACM determines the email addresses for your domains, see Configure Email for Your Domain.

The console shows where the validation emails have been sent for the first domain name you specify in your request. The email is sent from no-reply@certificates.amazon.com.


      Console showing where validation emails were sent.

Note

There is an exception to the process described above. If you request an ACM Certificate for a domain name that begins with www or a wildcard asterisk (*), ACM removes the leading www or asterisk and sends email to the administrative addresses formed by pre-pending admin@, administrator@, hostmaster@, postmaster@, and webmaster@ to the remaining portion of the domain name. For example, if you request an ACM Certificate for www.example.com, email is sent to admin@example.com rather than to admin@www.example.com. Likewise, if you request an ACM Certificate for *.test.example.com, email is sent to admin@test.example.com. The remaining common administrative addresses are similarly formed.

Note

To ensure that email is sent to the administrative addresses for an apex domain, such as example.com, rather than to the administrative addresses for a subdomain, such as test.example.com, specify the ValidationDomain option in the RequestCertificate API or the request-certificate AWS CLI command. This feature is not currently supported in the console.

The following example shows the validation email that is sent for every domain name that you specify in your certificate request.


      Validation letter with included validation number.

Choose the link that sends you to the Amazon Certificate Approvals website and then choose I Approve.


      Approve your request for an ACM Certificate.

After choosing I Approve, a website opens to indicate that your request was successful.


      Success website.

You can navigate back to the ACM console by clicking a link on the success page. The Status column in the console indicates that the ACM Certificate has been Issued.


      ACM shows that your request was successful.