DNS validation - AWS Certificate Manager

DNS validation

The Domain Name System (DNS) is a directory service for resources that are connected to a network. Your DNS provider maintains a database containing records that define your domain. When you choose DNS validation, ACM provides you with one or more CNAME records that must be added to this database. These records contain a unique key-value pair that serves as proof that you control the domain.

For example, if you request a certificate for the example.com domain with www.example.com as an additional name, ACM creates two CNAME records for you. Each record, created specifically for your domain and your account, contains a name and a value. The value is an alias that points to an AWS domain that ACM uses to automatically renew your certificate. The CNAME records must be added to your DNS database only once. ACM automatically renews your certificate as long as the certificate is in use and your CNAME record remains in place.

Important

If you do not use Amazon Route 53 to manage your public DNS records, contact your DNS provider to find out how to add records. If you lack authority to edit your domain's DNS database, you must use email validation instead.

Without the need to repeat validation, you can request additional ACM certificates for your fully qualified domain name (FQDN) for as long as the CNAME record remains in place. That is, you can create replacement certificates that have the same domain name, or certificates that cover different subdomains. Since the CNAME validation token works for any AWS Region, you can re-create the same certificate in multiple Regions. You can also replace a deleted certificate. Because the record is standing proof of control over the domain for your account, protect write access to the DNS zone as carefully as you protect the certificate's private key: anyone who can change the zone can pass validation.

You can stop automatic renewal either by removing the certificate from the AWS service with which it is associated or by deleting the CNAME record. If Route 53 is not your DNS provider, contact your provider to find out how to delete a record. If Route 53 is your provider, see Deleting Resource Record Sets in the Route 53 Developer Guide. For more information about managed certificate renewal, see Managed renewal for ACM certificates.

Note

CNAME resolution will fail if more than five CNAMEs are chained together in your DNS configuration. If you require a longer chaining, we recommend using email validation.

How CNAME records for ACM work

Note

This section is for customers who do not use Route 53 as their DNS provider.

If you are not using Route 53 as your DNS provider, you need to manually enter CNAME records provided by ACM into your provider's database, usually through a website. CNAME records are used for a number of purposes, including as redirect mechanisms and as containers for vendor-specific metadata. For ACM, these records allow initial domain ownership validation and ongoing automated certificate renewal.

The following table shows example CNAME records for six domain names. Each record's Record Name-Record Value pair serves to authenticate domain name ownership.

In the table, note that the first two Record Name-Record Value pairs are the same. This illustrates that for a wildcard domain, such as *.example.com, the random strings created by ACM are the same as those created for its base domain, example.com. Otherwise, the paired Record Name and Record Value differ for each domain name.

Example CNAME records

Domain name                  Record Name                        Record Value               Comment
*.example.com                _x1.example.com.                   _x2.acm-validations.aws.   Identical
example.com                  _x1.example.com.                   _x2.acm-validations.aws.   Identical
www.example.com              _x3.www.example.com.               _x4.acm-validations.aws.   Unique
host.example.com             _x5.host.example.com.              _x6.acm-validations.aws.   Unique
subdomain.example.com        _x7.subdomain.example.com.         _x8.acm-validations.aws.   Unique
host.subdomain.example.com   _x9.host.subdomain.example.com.    _x10.acm-validations.aws.  Unique

The x values following the underscore ( _ ) are long random strings generated by ACM. For example,

_3639ac514e785e898d2646601fa951d5.example.com

is representative of a resulting generated Record Name. The associated Record Value might be

_98d2646601fa951d53639ac514e785e8.acm-validations.aws.

for the same record. Note that the value always ends in acm-validations.aws (plural); a transcription error anywhere in the name or value will cause validation to fail.

Note

If your DNS provider does not support CNAME values with a leading underscore, see Troubleshoot DNS Validation Problems.

When you request a certificate and specify DNS validation, ACM provides CNAME information in the following format:

Domain Name   Record Name                                      Record Type   Record Value
example.com   _a79865eb4cd1a6ab990a45779b4e0b96.example.com.   CNAME         _424c7224e9b0146f9a8808af955727d0.hkmpvcwbzw.acm-validations.aws.

Domain Name is the FQDN associated with the certificate. Record Name identifies the record uniquely, serving as the key of the key-value pair. Record Value serves as the value of the key-value pair.

Record Name, Record Type, and Record Value must be entered into the appropriate fields of your DNS provider's web interface for adding DNS records. Providers are inconsistent in their handling of the record name (or just "name") field. In some cases, you are expected to provide the entire string as shown above. Other providers automatically append the domain name to whatever string you enter, meaning (in this example) that you should only enter

_a79865eb4cd1a6ab990a45779b4e0b96

into the name field. If you guess wrong and enter a record name that already contains the domain name (such as .example.com), you might end up with the following:

_a79865eb4cd1a6ab990a45779b4e0b96.example.com.example.com

Validation will fail in this case, because the name ACM looks up does not exist in your zone. Consequently, determine in advance which form of input your provider expects, and after adding the record, query it to confirm that the published name and value match what ACM provided exactly.
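The following is an added example (not code from the ACM documentation) of the pre-flight checks implied by this section and by the note on CNAME chains above: computing the label to enter at a provider that appends the zone itself, detecting the doubled-zone mistake in what the provider actually serves, and counting CNAME hops against the stated limit of five. It reuses the page's illustrative record name and value, which are not live ACM tokens; the CNAME table passed to the chain check is a constructed stand-in for answers you would gather with a resolver.

```python
"""Pre-flight checks for an ACM DNS-validation CNAME published at a
third-party DNS provider: work out the name a provider that appends the
zone expects, detect the doubled-zone mistake, and check CNAME chain depth.

Added example; not code from the ACM documentation. The record name and
value are the page's own illustrative ones, not live ACM tokens."""

ZONE = "example.com"
ACM_RECORD_NAME = "_a79865eb4cd1a6ab990a45779b4e0b96.example.com."
ACM_RECORD_VALUE = "_424c7224e9b0146f9a8808af955727d0.hkmpvcwbzw.acm-validations.aws."

MAX_CNAME_CHAIN = 5  # limit stated in the page's note on chained CNAMEs


def canon(name: str) -> str:
    """Lower-case and drop the trailing dot so FQDN spellings compare equal."""
    return name.strip().lower().rstrip(".")


def relative_name(record_name: str, zone: str) -> str:
    """Label to enter at a provider that appends the zone name itself.

    Providers that want the full name take record_name unchanged. Raises
    ValueError if the record is not inside the zone, which means the wrong
    zone was selected."""
    rn, z = canon(record_name), canon(zone)
    if rn == z or not rn.endswith("." + z):
        raise ValueError(f"{record_name!r} is not inside zone {zone!r}")
    return rn[: -len(z) - 1]


def check_published_record(zone, expected_name, expected_value,
                           published_name, published_value):
    """Compare the record the provider actually serves (for example, the
    answer to a dig query) with what ACM handed out. Returns a list of
    problems; an empty list means name and target match exactly."""
    problems = []
    z = canon(zone)
    pn, en = canon(published_name), canon(expected_name)
    if pn.endswith(f".{z}.{z}"):
        problems.append("record name has the zone appended twice; enter only "
                        f"{relative_name(expected_name, zone)!r} at this provider")
    elif pn != en:
        problems.append(f"record name {published_name!r} does not match "
                        f"{expected_name!r}")
    if canon(published_value) != canon(expected_value):
        problems.append(f"record value {published_value!r} does not match "
                        f"{expected_value!r}")
    return problems


def cname_chain_length(name, cname_records):
    """Follow CNAMEs from `name` through a dict of owner -> target (a
    constructed stand-in for resolver answers) and return the hop count.
    Raises ValueError on a loop or on more than MAX_CNAME_CHAIN hops, the
    point at which the page says ACM's CNAME resolution fails."""
    table = {canon(k): canon(v) for k, v in cname_records.items()}
    hops, cur, seen = 0, canon(name), set()
    while cur in table:
        if cur in seen:
            raise ValueError(f"CNAME loop at {cur}")
        seen.add(cur)
        cur, hops = table[cur], hops + 1
        if hops > MAX_CNAME_CHAIN:
            raise ValueError(f"more than {MAX_CNAME_CHAIN} chained CNAMEs from {name}")
    return hops
```

Run `check_published_record` against what your resolver returns once the provider has propagated the change; a name ending in `.example.com.example.com` is reported as the doubled-zone mistake rather than as a generic mismatch, since the fix differs.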

Setting up DNS validation

To set up DNS validation on the console

  1. Sign in to the AWS Management Console and open the ACM console at https://console.aws.amazon.com/acm/home. If the introductory page appears, choose Get Started. Otherwise, choose Request a certificate.

  2. On the Request a certificate page, type your domain name. For more information about typing domain names, see Requesting a public certificate.

  3. To add more domain names to the ACM certificate, type other names as text boxes open beneath the name you just typed.

  4. Choose Next.

  5. Choose DNS validation and Next.

  6. On the Add tags page, you can optionally tag your certificate with metadata. Choose Review when done.

  7. On the Review page, verify that domain name and validation method are correct and choose Confirm and request.

  8. On the Validation page, complete one of the following two procedures:

    1. (Optional) Validate with Route 53.

      On the Validation page, click the down-arrow next to your domain name. An active Create record in Route 53 button appears if the following conditions are true:

      • You use Route 53 as your DNS provider.

      • You have permission to write to the zone hosted by Route 53.

      • Your FQDN has not already been validated.

      Note

      If you are in fact using Route 53 but the Create record in Route 53 button is missing or disabled, see ACM Console does not display "Create record in Route 53" button.

      Choose the Create record in Route 53 button, then choose Create. The Validation page now should display a status notification of Success at the bottom.

      Choose Continue to view the Certificates list page, where your new certificate might still display a status of Pending validation for up to 30 minutes.

      Tip

      You cannot programmatically request that ACM automatically create your record in Route 53. You can, however, make an AWS CLI or API call to Route 53 to create the record in the Route 53 DNS database. For more information about Route 53 record sets, see Working with Resource Record Sets.

    2. (Optional) If you are not using Route 53 as your DNS provider, you must retrieve the CNAME information from the Validation page and add it to your DNS database. You can do this in either of two ways:

      • In the Domain section, expand your domain information and record the CNAME components. This information needs to be added manually to your DNS database.

      • Alternatively, choose Export DNS configuration to a file at the bottom of the Validation page. The information in the file needs to be added manually to your DNS database.

      Important

      To avoid validation problems, review How CNAME records for ACM work before you add information to your DNS provider's database. If you do encounter problems, see Troubleshoot DNS validation problems.

      After adding the CNAME on your DNS provider's configuration page, return to the ACM console, if it is still open, and choose Continue. If you have already closed the console, you can return to it later to check the status of your certificate request.

      The Certificates page displays a table view that includes all of your certificates. After your DNS provider propagates your record update, it can take several hours for ACM to validate the domain name and issue the certificate. During this time, ACM shows the validation status as Pending validation. After validating the domain name, ACM changes the validation status to Success. After AWS issues the certificate, ACM changes the certificate status to Issued.

    Note

    If ACM is not able to validate the domain name within 72 hours from the time it generates a CNAME value for you, ACM changes the certificate status to Validation timed out. The most likely reason for this result is that you did not successfully update your DNS configuration with the value that ACM generated. To remedy this issue, you must request a new certificate after reviewing the CNAME instructions.
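As the Tip in step 8 notes, ACM cannot be asked programmatically to create the record for you, but you can read the CNAME information from ACM and write it to Route 53 yourself. The following is an added example (not code from the ACM documentation) that does this with boto3: it extracts the ResourceRecord entries from a DescribeCertificate response, collapses the duplicate that a wildcard and its base domain share (so the same record set is not changed twice in one batch, which Route 53 rejects), skips entries ACM has not populated yet, and builds an UPSERT ChangeBatch. The DescribeCertificate payload is constructed in the shape the API returns; the ARN, tokens and hosted-zone ID are placeholders. The live `publish` path assumes credentials allowed to call acm:DescribeCertificate and route53:ChangeResourceRecordSets on the zone.

```python
"""Publish ACM's DNS-validation CNAMEs into a Route 53 hosted zone through
the API, the programmatic alternative to the console's "Create record in
Route 53" button.

Added example; not code from the ACM documentation. SAMPLE_DESCRIBE is a
constructed DescribeCertificate response; its ARN and tokens are placeholders."""

import json

# Constructed: a pending certificate covering example.com, *.example.com,
# www.example.com and host.example.com. The wildcard and base domain carry the
# same record (as in the page's table); host.example.com has no ResourceRecord
# yet, which happens briefly after a request.
SAMPLE_DESCRIBE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_3639ac514e785e898d2646601fa951d5.example.com.",
                                "Type": "CNAME",
                                "Value": "_98d2646601fa951d53639ac514e785e8.acm-validations.aws."}},
            {"DomainName": "*.example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_3639ac514e785e898d2646601fa951d5.example.com.",
                                "Type": "CNAME",
                                "Value": "_98d2646601fa951d53639ac514e785e8.acm-validations.aws."}},
            {"DomainName": "www.example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_a79865eb4cd1a6ab990a45779b4e0b96.www.example.com.",
                                "Type": "CNAME",
                                "Value": "_424c7224e9b0146f9a8808af955727d0.hkmpvcwbzw.acm-validations.aws."}},
            {"DomainName": "host.example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION"},
        ],
    }
}


def validation_records(describe_response):
    """Return the distinct (Name, Type, Value) records ACM wants published.

    Duplicates are collapsed because a wildcard and its base domain share one
    record; entries without a ResourceRecord (not yet populated) or not using
    DNS validation are skipped."""
    seen, records = set(), []
    for opt in describe_response["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rr:
            continue
        key = (rr["Name"].lower(), rr["Type"], rr["Value"].lower())
        if key not in seen:
            seen.add(key)
            records.append(rr)
    return records


def change_batch(records, ttl=300):
    """Build the ChangeBatch for Route53.ChangeResourceRecordSets. UPSERT is
    idempotent, so re-running after a partial failure is safe."""
    return {
        "Comment": "ACM DNS validation records",
        "Changes": [
            {"Action": "UPSERT",
             "ResourceRecordSet": {"Name": rr["Name"], "Type": rr["Type"], "TTL": ttl,
                                   "ResourceRecords": [{"Value": rr["Value"]}]}}
            for rr in records],
    }


def publish(certificate_arn, hosted_zone_id):
    """Live path (not exercised offline): needs boto3 and credentials with
    acm:DescribeCertificate and route53:ChangeResourceRecordSets on the zone."""
    import boto3  # imported here so the pure helpers above run without it
    acm = boto3.client("acm")
    r53 = boto3.client("route53")
    records = validation_records(acm.describe_certificate(CertificateArn=certificate_arn))
    if not records:
        raise RuntimeError("ACM has not populated ResourceRecord yet; retry shortly")
    return r53.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                           ChangeBatch=change_batch(records))


if __name__ == "__main__":
    print(json.dumps(change_batch(validation_records(SAMPLE_DESCRIBE)), indent=2))
```

After the change is applied, ACM still has to observe the record, so the certificate stays in Pending validation until it does; if `validation_records` returns fewer records than domain names, poll DescribeCertificate again rather than assuming the missing ones do not need a record.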