Renewal for domains validated by DNS - AWS Certificate Manager

Renewal for domains validated by DNS

Managed renewal is fully automated for ACM certificates that were originally issued using DNS validation.

At 60 days prior to expiration, ACM checks for the following renewal criteria:

  • The certificate is currently in use by an AWS service.

  • All required ACM-provided DNS CNAME records (one for each unique Subject Alternative Name) are present and accessible via public DNS.

If these criteria are met, ACM considers the domain names validated and renews the certificate.
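The two criteria above can be checked ahead of the 60-day mark. The following is an added example, not AWS-provided code: it evaluates a dict shaped like the `Certificate` object returned by the ACM `DescribeCertificate` API. The `resolve_cname` callable, the helper names, and the sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=60)  # ACM evaluates renewal 60 days before expiry

def norm(name):
    return name.rstrip(".").lower()

def in_renewal_window(cert, now):
    return cert["NotAfter"] - now <= RENEWAL_WINDOW

def renewal_blockers(cert, resolve_cname):
    """List reasons the two renewal criteria are not met.

    cert: "Certificate" dict as returned by ACM DescribeCertificate.
    resolve_cname: callable(name) -> CNAME target or None (assumed helper;
    in real use, back it with a lookup against public DNS).
    """
    blockers = []
    if not cert.get("InUseBy"):
        blockers.append("certificate is not in use by an AWS service")
    checked = set()
    for opt in cert.get("DomainValidationOptions", []):
        rec = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rec:
            blockers.append(f"{opt['DomainName']}: no DNS validation record")
            continue
        if norm(rec["Name"]) in checked:  # same record already evaluated
            continue
        checked.add(norm(rec["Name"]))
        target = resolve_cname(rec["Name"])
        if target is None:
            blockers.append(f"{opt['DomainName']}: CNAME {rec['Name']} not found")
        elif norm(target) != norm(rec["Value"]):
            blockers.append(f"{opt['DomainName']}: CNAME points to {target}")
    return blockers

# Constructed sample data (not real ACM output or real validation tokens).
def sample_option(domain, token):
    return {"DomainName": domain, "ValidationMethod": "DNS", "ResourceRecord": {
        "Name": f"_{token}.{domain}.", "Type": "CNAME",
        "Value": f"_{token}.acm-validations.example."}}

SAMPLE_CERT = {"NotAfter": datetime(2030, 3, 1, tzinfo=timezone.utc), "InUseBy": [],
               "DomainValidationOptions": [sample_option("example.com", "aaa"),
                                           sample_option("api.example.com", "bbb")]}
SAMPLE_DNS = {"_aaa.example.com": "_aaa.acm-validations.example."}

def sample_lookup(name):
    return SAMPLE_DNS.get(norm(name))
```

With the sample data, `renewal_blockers(SAMPLE_CERT, sample_lookup)` reports the unused certificate and the missing record for `api.example.com`.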

ACM sends AWS Health events and Amazon EventBridge events when it cannot automatically validate a domain during renewal (for example, because of the presence of a CAA record). These events are sent at 45 days, 30 days, 15 days, seven days, three days, and one day prior to expiration. For more information, see Amazon EventBridge support for ACM.