DNS validation - AWS Certificate Manager

DNS validation

The Domain Name System (DNS) is a directory service for resources that are connected to a network. Your DNS provider maintains a database containing records that define your domain. When you choose DNS validation, ACM provides you with one or more CNAME records that must be added to this database. These records contain a unique key-value pair that serves as proof that you control the domain.

Note

After you create a certificate with email validation, you cannot switch to validating it with DNS.

For example, if you request a certificate for the example.com domain with www.example.com as an additional name, ACM creates two CNAME records for you. Each record, created specifically for your domain and your account, contains a name and a value. The value is an alias that points to an AWS domain that ACM uses to automatically renew your certificate. The CNAME records must be added to your DNS database only once. ACM automatically renews your certificate as long as the certificate is in use and your CNAME record remains in place.

Important

If you do not use Amazon Route 53 to manage your public DNS records, contact your DNS provider to find out how to add records. If you lack authority to edit your domain's DNS database, you must use email validation instead.

Without the need to repeat validation, you can request additional ACM certificates for your fully qualified domain name (FQDN) for as long as the CNAME record remains in place. That is, you can create replacement certificates that have the same domain name, or certificates that cover different subdomains. Since the CNAME validation token works for any AWS Region, you can re-create the same certificate in multiple Regions. You can also replace a deleted certificate.

You can stop automatic renewal either by removing the certificate from the AWS service with which it is associated or by deleting the CNAME record. If Route 53 is not your DNS provider, contact your provider to find out how to delete a record. If Route 53 is your provider, see Deleting Resource Record Sets in the Route 53 Developer Guide. For more information about managed certificate renewal, see Managed renewal for ACM certificates.

Note

CNAME resolution will fail if more than five CNAMEs are chained together in your DNS configuration. If you require a longer chaining, we recommend using email validation.

How CNAME records for ACM work

Note

This section is for customers who do not use Route 53 as their DNS provider.

If you are not using Route 53 as your DNS provider, you need to manually enter CNAME records provided by ACM into your provider's database, usually through a website. CNAME records are used for a number of purposes, including as redirect mechanisms and as containers for vendor-specific metadata. For ACM, these records allow initial domain ownership validation and ongoing automated certificate renewal.

The following table shows example CNAME records for six domain names. Each record's Record Name-Record Value pair serves to authenticate domain name ownership.

In the table, note that the first two Record Name-Record Value pairs are the same. This illustrates that for a wild-card domain, such as *.example.com, the strings created by ACM are the same as those created for its base domain, example.com. Otherwise, the paired Record Name and Record Value differ for each domain name.

Example CNAME records
Domain name Record Name Record Value Comment
*.example.com _x1.example.com. _x2.acm-validations.aws. Identical
example.com _x1.example.com. _x2.acm-validations.aws.
www.example.com _x3.www.example.com. _x4.acm-validations.aws. Unique
host.example.com _x5.host.example.com. _x6.acm-validations.aws. Unique
subdomain.example.com _x7.subdomain.example.com. _x8.acm-validations.aws. Unique
host.subdomain.example.com _x9.host.subdomain.example.com. _x10.acm-validations.aws. Unique

The xN values following the underscore ( _ ) are long strings generated by ACM. For example,

_3639ac514e785e898d2646601fa951d5.example.com.

is representative of a resulting generated Record Name. The associated Record Value might be

_98d2646601fa951d53639ac514e785e8.acm-validation.aws.

for the same DNS record.

Note

If your DNS provider does not support CNAME values with a leading underscore, see Troubleshoot DNS Validation Problems.

When you request a certificate and specify DNS validation, ACM provides CNAME information in the following format:

Domain Name Record Name Record Type Record Value
example.com _a79865eb4cd1a6ab990a45779b4e0b96.example.com. CNAME

_424c7224e9b0146f9a8808af955727d0.acm-validations.aws.

Domain Name is the FQDN associated with the certificate. Record Name identifies the record uniquely, serving as the key of the key-value pair. Record Value serves as the value of the key-value pair.

All three of these values (Domain Name, Record Name, and Record Value) must be entered into the appropriates fields of your DNS provider's web interface for adding DNS records. Providers are inconsistent in their handling of the record name (or just "name") field. In some cases, you are expected to provide the entire string as shown above. Other providers automatically append the domain name to whatever string you enter, meaning (in this example) that you should only enter

_a79865eb4cd1a6ab990a45779b4e0b96

into the name field. If you guess wrong about this, and enter a record name that contains a domain name (such as .example.com), you might end up with the following:

_a79865eb4cd1a6ab990a45779b4e0b96.example.com.example.com.

Validation will fail in this case. Consequently, you should try to determine in advance which type of input your provider expects.

Setting up DNS validation

This section describes how to configure a public certificate to use DNS validation.

To set up DNS validation in the console

Note

This procedure assumes that you have already created at least one certificate and that you are working in the AWS region where you created it. If you try to open the console and see the first-use screen instead, or you succeed in opening the console and don't see your certificate in the list, confirm that you have specified the correct region.

  1. Open the ACM console at https://console.aws.amazon.com/acm/.

  2. In the list of certificates, choose the Certificate ID of a certificate with status Pending validation that you want to configure. This opens a details page for the certificate.

  3. In the Domains section, complete one of the following two procedures:

    1. (Optional) Validate with Route 53.

      An active Create records in Route 53 button appears if the following conditions are true:

      • You use Route 53 as your DNS provider.

      • You have permission to write to the zone hosted by Route 53.

      • Your FQDN has not already been validated.

      Note

      If you are in fact using Route 53 but the Create records in Route 53 button is missing or disabled, see ACM Console does not display "Create records in Route 53" button.

      Choose the Create records in Route 53 button, then choose Create records. The Certificate status page should open with a status banner reporting Successfully created DNS records.

      Your new certificate might continue to display a status of Pending validation for up to 30 minutes.

      Tip

      You cannot programmatically request that ACM automatically create your record in Route 53. You can, however, make an AWS CLI or API call to Route 53 to create the record in the Route 53 DNS database. For more information about Route 53 record sets, see Working with Resource Record Sets.

    2. (Optional) If you are not using Route 53 as your DNS provider, you must retrieve the CNAME information and add it your DNS database. On the details page for the new certificate, you can do this in either of two ways:

      • Copy the CNAME components displayed in the Domains section. This information needs to be added manually to your DNS database.

      • Alternatively, choose Export to CSV. The information in the resulting file needs to be added manually to your DNS database.

      Important

      To avoid validation problems, review How CNAME records for ACM work before you add information to your DNS provider's database. If you do encounter problems, see Troubleshoot DNS validation problems.

If ACM is not able to validate the domain name within 72 hours from the time it generates a CNAME value for you, ACM changes the certificate status to Validation timed out. The most likely reason for this result is that you did not successfully update your DNS configuration with the value that ACM generated. To remedy this issue, you must request a new certificate after reviewing the CNAME instructions.