AWS Certificate Manager
User Guide (Version 1.0)

How Domain Validation Works

Before renewing a certificate, ACM tries to automatically validate each domain name in the certificate. For more information, see How Automatic Domain Validation Works.

If ACM can't automatically validate a domain name, ACM notifies you that you need to take action to manually validate it. For more information, see How Manual Domain Validation Works.

After all domain names in a certificate are validated, ACM renews the certificate.

How Automatic Domain Validation Works

To validate a domain, ACM sends automated, periodic HTTPS requests to it. For domains that start with www., ACM also sends HTTPS requests to the parent domain. For example, if your domain is www.example.com, ACM sends HTTPS requests to www.example.com and to example.com. For domains that don't start with www., ACM also sends HTTPS requests to www.domain. ACM treats wildcard domain names (for example, *.example.com) the same as the parent domain. For examples, see the following table.

Note

If any HTTPS connection attempt is successful, ACM attempts to renew the certificate automatically.

Example domain names that ACM uses for automatic validation

| Domain name in the certificate | Domain names that ACM uses for automatic validation |
|--------------------------------|------------------------------------------------------|
| example.com                    | example.com, www.example.com                         |
| www.example.com                | www.example.com, example.com                         |
| *.example.com                  | example.com, www.example.com                         |
| subdomain.example.com          | subdomain.example.com, www.subdomain.example.com     |
| www.subdomain.example.com      | www.subdomain.example.com, subdomain.example.com     |
| *.subdomain.example.com        | subdomain.example.com, www.subdomain.example.com     |

If ACM successfully establishes an HTTPS connection, ACM examines the certificate that is returned to ensure it matches the one that ACM is renewing. If the certificate matches, ACM considers the domain name validated.

How Manual Domain Validation Works

If ACM is unable to automatically validate one or more domain names in a certificate, ACM notifies you that you need to take action to manually validate the domain. A domain can require manual validation for the following reasons:

  • ACM can't establish an HTTPS connection with the domain.

  • The certificate that is returned in the response to ACM's HTTPS requests doesn't match the one that ACM is renewing.
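The following pre-renewal check is an added example, not code from AWS or from the original guide. It derives the hosts from the table above and reports which certificate names would fall into either of the two manual-validation cases just listed. The function names, the SHA-256 fingerprint comparison as the meaning of "matches", the chain-verifying TLS context, and the rule that one matching host is enough per name are assumptions.

```python
import hashlib
import socket
import ssl

def validation_hosts(cert_name):
    """Hosts probed for one certificate domain name, following the table above."""
    name = cert_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]                      # wildcard is treated as its parent
    if name.startswith("www."):
        return [name, name[4:]]              # www.X -> www.X and X
    return [name, "www." + name]             # X -> X and www.X

def served_fingerprint(host, port=443, timeout=5.0):
    """SHA-256 of the leaf certificate served at host, or None if HTTPS fails."""
    ctx = ssl.create_default_context()       # assumption: chain and hostname verified
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError:                          # refused, timeout, DNS or TLS failure
        return None
    return hashlib.sha256(der).hexdigest()

def needs_manual_validation(cert_names, expected_fp, fetch=served_fingerprint):
    """Return {name: [(host, reason), ...]} for names with no matching host."""
    report = {}
    for cert_name in cert_names:
        problems = []
        for host in validation_hosts(cert_name):
            fp = fetch(host)
            if fp is not None and fp == expected_fp:
                problems = []                # assumption: one matching host is enough
                break
            reason = "no HTTPS" if fp is None else "different certificate"
            problems.append((host, reason))
        if problems:
            report[cert_name] = problems
    return report

if __name__ == "__main__":
    # Constructed sample: fingerprints a fetcher would see, so no network is needed.
    served = {"example.com": "aa" * 32, "www.example.com": "aa" * 32,
              "api.example.com": "bb" * 32}
    print(needs_manual_validation(["*.example.com", "api.example.com"],
                                  "aa" * 32, fetch=served.get))
```

Run against live endpoints by omitting the fetch argument and passing the SHA-256 fingerprint of the certificate that is due for renewal.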

When your certificate is 45 days from expiration and one or more domain names in the certificate require manual validation, ACM notifies you in the following ways:

By email

ACM sends you a domain validation email for each domain name that requires manual validation. To ensure that you receive this email, configure email for your domain. The email contains information about the ACM certificate and the domain name that you need to validate. The email includes a link that you can follow to validate the domain name. This link expires after 72 hours. If necessary, you can use the AWS Certificate Manager console or the ACM API to request that ACM resend the domain validation email. For more information, see Request a Domain Validation Email for Certificate Renewal.

By notification in your AWS Personal Health Dashboard

ACM sends notifications to your AWS Personal Health Dashboard to let you know that a pending certificate renewal requires action from you. ACM sends these notifications when your certificate is 45 days, 30 days, 15 days, 7 days, 3 days, and 1 day from expiration and one or more domain names in the certificate require manual validation. These notifications are only informational; to manually validate a domain name, you must follow the link in the domain validation email.