Validating domain ownership - AWS Certificate Manager

Validating domain ownership

Before the Amazon certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must prove that you own or control all of the domain names that you specify in your request. You can choose to prove your ownership with either Domain Name System (DNS) validation or with email validation at the time you request a certificate.


Validation applies only to publicly trusted certificates issued by ACM. ACM does not validate domain ownership for imported certificates or for certificates signed by a private CA. ACM cannot validate resources in an Amazon VPC private hosted zone or any other private domain. For more information, see Troubleshooting certificate validation.

In general, we recommend using DNS validation over email validation for the following reasons:

  • If you use Amazon Route 53 to manage your public DNS records, you can update your records through ACM directly.

  • ACM automatically renews DNS-validated certificates for as long as a certificate remains in use and the DNS record is in place.

  • To be renewed, email-validated certificates require an action by the domain owner. ACM begins sending renewal notices 45 days before expiration. These notices go to the domain's WHOIS mailbox addresses and up to five common administrator addresses. The notifications contain a link that the domain owner can click for easy renewal. Once all listed domains are validated, ACM issues a renewed certificate with the same ARN.

If you lack authorization to edit your domain's DNS database, you must use email validation instead.
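The DNS-validation path described above comes down to three operator steps: read the CNAME validation records that ACM hands back for each domain in the request, publish them in the zone, and confirm that every listed name has reached a validated state before expecting issuance. The following is an added example, not AWS's own code or part of this page. It assumes the DescribeCertificate response shape (DomainValidationOptions carrying a ResourceRecord for DNS-validated names); the certificate ARN, hosted zone id, domain names and record values are constructed placeholders. It also deduplicates identical records, which matters in practice because ACM returns the same CNAME for a wildcard name and its apex, and Route 53 rejects a change batch that repeats a record.

```python
"""Added example (not AWS's own code): turn ACM's DNS validation records into a
Route 53 change batch and report which domains are still pending validation.

Assumptions: the response below mirrors the ACM DescribeCertificate API shape;
every ARN, zone id, domain and record value is a constructed placeholder.
"""
from typing import Dict, List

# Constructed sample DescribeCertificate response (placeholder values only).
SAMPLE_DESCRIBE_RESPONSE: Dict = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-ID",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "www.example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {
                    "Name": "_placeholder1.www.example.com.",
                    "Type": "CNAME",
                    "Value": "_placeholder1.acm-validations.aws.",
                },
            },
            {
                "DomainName": "example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "_placeholder2.example.com.",
                    "Type": "CNAME",
                    "Value": "_placeholder2.acm-validations.aws.",
                },
            },
            {
                # A wildcard shares the apex's validation record: same Name/Value.
                "DomainName": "*.example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "_placeholder2.example.com.",
                    "Type": "CNAME",
                    "Value": "_placeholder2.acm-validations.aws.",
                },
            },
            {
                # Email-validated names carry no ResourceRecord and cannot be
                # switched to DNS validation after the request is made.
                "DomainName": "mail.example.com",
                "ValidationMethod": "EMAIL",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationEmails": ["admin@example.com"],
            },
        ],
    }
}


def extract_dns_validation_records(describe_response: Dict) -> List[Dict[str, str]]:
    """Return the distinct CNAME records ACM asks you to publish."""
    seen = set()
    records: List[Dict[str, str]] = []
    for option in describe_response["Certificate"]["DomainValidationOptions"]:
        if option.get("ValidationMethod") != "DNS":
            continue  # email-validated names have nothing to publish in DNS
        rr = option.get("ResourceRecord")
        if not rr or rr.get("Type") != "CNAME":
            continue
        key = (rr["Name"], rr["Value"])
        if key in seen:
            continue  # wildcard + apex produce the same record; publish it once
        seen.add(key)
        records.append({"Name": rr["Name"], "Type": rr["Type"], "Value": rr["Value"]})
    return records


def build_route53_change_batch(records: List[Dict[str, str]], ttl: int = 300) -> Dict:
    """Build a ChangeBatch for Route 53 ChangeResourceRecordSets.

    UPSERT keeps re-running the script idempotent: an existing record is
    overwritten rather than causing a duplicate-record error.
    """
    changes = []
    for rr in records:
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation records", "Changes": changes}


def pending_domains(describe_response: Dict) -> Dict[str, List[str]]:
    """Group not-yet-validated names by method.

    ACM issues only once every listed name is validated, so the operator needs
    to know whether a DNS record is missing or an email confirmation is
    still outstanding.
    """
    pending: Dict[str, List[str]] = {"DNS": [], "EMAIL": []}
    for option in describe_response["Certificate"]["DomainValidationOptions"]:
        if option.get("ValidationStatus") != "SUCCESS":
            method = option.get("ValidationMethod", "UNKNOWN")
            pending.setdefault(method, []).append(option["DomainName"])
    return pending


def publish_records(hosted_zone_id: str, records: List[Dict[str, str]]) -> Dict:
    """Submit the change batch with boto3 (needs AWS credentials; not run here)."""
    import boto3  # imported lazily so the pure functions above stay offline-testable
    client = boto3.client("route53")
    return client.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch=build_route53_change_batch(records),
    )


if __name__ == "__main__":
    recs = extract_dns_validation_records(SAMPLE_DESCRIBE_RESPONSE)
    print(build_route53_change_batch(recs))
    print(pending_domains(SAMPLE_DESCRIBE_RESPONSE))
```

In real use the response comes from `acm.describe_certificate(CertificateArn=...)` and the zone id from your Route 53 hosted zone; poll `pending_domains` until the DNS list is empty, and treat any name left under EMAIL as one that must be confirmed through the mailed link, since it cannot be converted to DNS validation.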


After you create a certificate with email validation, you cannot switch to validating it with DNS.