Validate Domain Ownership
The information on this page applies only to certificates provided by ACM. ACM does not validate domain ownership for certificates that you import into ACM.
Before the Amazon certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must verify that you own or control the domain for which the ACM Certificate will be issued. ACM does this by sending a domain validation email to an address that is registered to the domain. For more information, see Configure Email for Your Domain. Email is sent to the following three registered contact addresses in WHOIS:
Some registrars allow you to hide your contact information in your WHOIS listing, and others allow you to substitute your real email address with a privacy (or proxy) address. To prevent problems with receiving the domain validation email from ACM, ensure your contact information is visible in WHOIS. If your WHOIS listing shows a privacy email address, ensure that email sent to the privacy address is forwarded to your real email address, or list your real email address instead.
Email is also sent to the following five common system administration addresses where
your_domain is the domain name that you entered when you initially
requested the certificate.
There is an exception to the process described above. If you request an ACM Certificate
for a domain name that begins with
www or a wildcard asterisk
*), ACM removes the leading
www or asterisk
and sends email to the administrative addresses formed by pre-pending admin@, administrator@,
hostmaster@, postmaster@, and webmaster@ to the remaining portion of the domain name. For
example, if you request an ACM Certificate for www.example.com, email is sent to
firstname.lastname@example.org rather than to email@example.com. Likewise, if you request an ACM
Certificate for *.test.example.com, email is sent to firstname.lastname@example.org. The remaining
common administrative addresses are similarly formed.
To ensure that email is sent to the administrative addresses for an apex domain, such as
example.com, rather than to the administrative addresses for a subdomain, such as
test.example.com, specify the
ValidationDomain option in the RequestCertificate API or the request-certificate AWS CLI command.
This feature is not currently supported in the console.
The following validation email is sent.
Choose the link that sends you to the Amazon Certificate Approvals website and then choose I Approve.
After choosing I Approve, a website opens to indicate that your request was successful.
You can navigate back to the ACM console by clicking a link on the success page. The Status column in the console indicates that the ACM Certificate has been Issued.