Renewal for domains validated by DNS - AWS Certificate Manager

Renewal for domains validated by DNS

Managed renewal is fully automated for ACM certificates that were originally issued using DNS validation.

At 60 days prior to expiration, ACM checks for the following renewal criteria:

  • The certificate is currently in use by an AWS service.

  • All required ACM-provided DNS CNAME records (one for each unique Subject Alternative Name) are present and accessible via public DNS.

If these criteria are met, ACM considers the domain names validated and renews the certificate.

If ACM cannot automatically validate a domain name from CNAME records, it notifies you that renewal has failed using the email address associated with the domain. These notifications are sent at 45 days, 30 days, 15 days, seven days, three days, and one day prior to expiration. The most common reason for automatic validation to fail is that a required CNAME has been inadvertently changed or removed.
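The check below is an added example, not AWS code. It evaluates the two renewal criteria above against the `Certificate` object of an ACM `DescribeCertificate` response and reports a CNAME that has been changed or removed. The `resolve_cname` callable (a public DNS lookup you supply) and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

def _norm(name):
    # DNS names are case-insensitive; ignore the trailing root dot.
    return name.rstrip(".").lower()

def days_to_expiry(cert, now):
    return (cert["NotAfter"] - now).days

def renewal_blockers(cert, resolve_cname):
    """List reasons the certificate would miss the renewal criteria.

    cert: the "Certificate" object from an ACM DescribeCertificate response.
    resolve_cname: assumed callable(name) -> CNAME target seen in public DNS, or None.
    """
    blockers = []
    if not cert.get("InUseBy"):
        blockers.append("not in use by an AWS service")
    seen = set()
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rr:
            continue
        if _norm(rr["Name"]) in seen:  # check each distinct record name once
            continue
        seen.add(_norm(rr["Name"]))
        found = resolve_cname(rr["Name"])
        if found is None:
            blockers.append(f"{opt['DomainName']}: CNAME {rr['Name']} missing")
        elif _norm(found) != _norm(rr["Value"]):
            blockers.append(f"{opt['DomainName']}: CNAME {rr['Name']} changed to {found}")
    return blockers

# Constructed sample data (not real ACM output): one record intact, one repointed.
SAMPLE_CERT = {
    "NotAfter": datetime(2030, 3, 1, tzinfo=timezone.utc),
    "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/sample/0000"],
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS", "ResourceRecord": {
            "Name": "_token1.example.com.", "Type": "CNAME", "Value": "_value1.acm-validations.aws."}},
        {"DomainName": "www.example.com", "ValidationMethod": "DNS", "ResourceRecord": {
            "Name": "_token2.www.example.com.", "Type": "CNAME", "Value": "_value2.acm-validations.aws."}},
    ],
}
SAMPLE_DNS = {"_token1.example.com.": "_VALUE1.acm-validations.aws",
              "_token2.www.example.com.": "other.example.net."}

if __name__ == "__main__":
    now = datetime(2030, 1, 5, tzinfo=timezone.utc)
    print(days_to_expiry(SAMPLE_CERT, now), renewal_blockers(SAMPLE_CERT, SAMPLE_DNS.get))
```

Run on a schedule well before the 60-day mark, a non-empty result identifies the record to restore before ACM attempts renewal.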