AWS Certificate Manager
User Guide (Version 1.0)

Use DNS to Validate Domain Ownership

Before the Amazon certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must verify that you own or control all of the domain names that you specified in your request. You can choose either email validation or DNS validation when you request a certificate. This topic discusses DNS validation. For information about email validation, see Use Email to Validate Domain Ownership.


Validation applies only to certificates provided by AWS Certificate Manager (ACM). ACM does not validate domain ownership for imported certificates.

The Domain Name System (DNS) is a directory service for resources connected to a network. On the internet, DNS servers are used primarily to translate domain names into the numerical IP addresses that identify and locate resources such as computers and other devices. The databases on DNS servers contain domain records that are used for this translation and to enable other functionality. For example, A records are a type of DNS record used to map domain names to IPv4 addresses. MX records are used to route email. NS records list all of the name servers for the domain.

ACM uses CNAME (Canonical Name) records to validate that you own or control a domain. When you choose DNS validation, ACM provides you with one or more CNAME records to insert into your DNS database. For example, if you request a certificate for the domain with as an additional name, ACM creates two CNAME records for you. Each record, created specifically for your domain and your account, contains a name and a value. The value is an alias that points to a domain that ACM owns and which ACM uses to automatically renew your certificate. You add the CNAME records to your DNS database only once. ACM automatically renews your certificate as long as the certificate is in use and your CNAME record remains in place. In addition, if you use Amazon Route 53 to manage your domain, ACM can write the CNAME records for you.

The following table shows example CNAME records for five domain names. The _x values are long random strings generated by ACM. For example is representative of a generated name. Note that the first two _x values in the table are the same. That is, the random string created by ACM for the wildcard name * is the same as that created for the base domain name Note also that ACM creates different CNAME records for and


Domain name DNS zone Name Type Value

DNS validation has a number of advantages over email validation:

  • DNS requires that you create only one CNAME record per domain name when you request an ACM Certificate. Email validation sends up to eight email messages per domain name.

  • You can request additional ACM Certificates for your FQDN for as long as the DNS record remains in place. That is, you can create multiple certificates that have the same domain name. You do not need to get a new CNAME record. There are many reasons to do this. You might, for example, want new certificates that cover different subdomains. You might want to create the same certificate in multiple regions (the validation token works for any region). You might want to replace a certificate that you deleted.

  • ACM automatically renews ACM Certificates that you validated by using DNS. ACM renews each certificate before it expires as long as the certificate is in use and the DNS record is in place.

  • ACM can add the CNAME record for you if you use Route 53 to manage your public DNS records.

  • You can more easily automate the DNS validation process than you can the email validation process.

Note however that you may be required to use email validation if you do not have permission to modify the DNS records for your domain.

To use DNS validation:

  1. Sign into the AWS Management Console and open the ACM console at If the introductory page appears, choose Get Started. Otherwise, choose Request a certificate.

  2. On the Request a certificate page, type your domain name. For more information about typing domain names, see Request a Public Certificate.

  3. To add more domain names to the ACM Certificate, type other names as text boxes open beneath the name you just typed.

  4. Choose Next.

  5. Choose DNS validation.

  6. Choose Review and request. Verify that the domain name and validation method are correct.

  7. Choose Confirm and request.

  8. On the Validation page, expand your domain information or choose Export DNS configuration to a file. If you expand your domain information, ACM displays the name and value of the CNAME record you must add to your DNS database to validate that you control the domain.

    (Figure: Console shows the CNAME for DNS validation.)
  9. The Create record in Route 53 button appears if the following conditions are true:

    • You use Route 53 as your DNS provider.

    • You are hosting the domain in Route 53.

    • You have permission to write to the Route 53 hosted zone.

    • Your FQDN has not already been validated.

    If your FQDN has already been validated or if you don't have permission to write to the Route 53 hosted zone for the domain name you are requesting, the Create record in Route 53 button will appear disabled. For more information about Route 53 record sets, see Working with Resource Record Sets.


    Currently, you cannot programmatically request that ACM automatically create your record in Route 53. You can, however, make an AWS CLI or API call to Route 53 to create the record.

  10. Add the record from the console or the exported file to your database. For more information about adding DNS records, see Adding a CNAME to Your Database. You can choose Continue to skip this step. You can return to it later by opening the certificate request in the console.


    If your FQDN was validated when you requested a previous certificate and you are requesting another certificate for the same FQDN, you do not need to add another DNS record.


    Adding a CNAME record that contains a domain name (such as might result in duplication of the domain name (such as To avoid duplication, you can manually copy only the part of the CNAME that you need. This would be of the form _3639ac514e785e898d2646601fa951d5.

  11. After updating your DNS configuration, choose Continue. ACM displays a table view that includes all of your certificates. The certificate you requested and its status are displayed. After your DNS provider propagates your record update, it can take up to several hours for ACM to validate the domain name and issue the certificate. During this time, ACM shows the validation status as Pending validation. After validating the domain name, ACM changes the validation status to Success. After AWS issues the certificate, ACM changes the certificate status to Issued.


    If ACM is not able to validate the domain name within 72 hours from the time it generates a CNAME value for you, ACM changes the certificate status to Validation timed out. The most likely reason for this result is that you did not update your DNS configuration with the value that ACM generated. To remedy this issue, you must request a new certificate.

    (Figure: Console shows the CNAME for DNS validation.)

Adding a CNAME to Your Database

To use DNS validation, you must be able to add a CNAME record to the DNS configuration for your domain. If Route 53 is not your DNS provider, contact your provider to find out how to add records. If Route 53 is your provider, ACM can create the CNAME record for you as discussed previously in step 9. If you want to add the record yourself, see Editing Resource Record Sets in the Route 53 Developer Guide.


If you do not have permission to edit your DNS configuration, you must use email validation.

Deleting a CNAME from Your Database

ACM automatically renews your certificate for as long as the certificate is in use and the CNAME record that ACM created for you remains in place in your DNS database. You can stop automatic renewal by removing the certificate from the AWS service with which it is associated or by deleting the CNAME record. If Route 53 is not your DNS provider, contact your provider to find out how to delete the record. If Route 53 is your provider, see Deleting Resource Record Sets in the Route 53 Developer Guide. For more information about managed certificate renewal, see Managed Renewal for ACM's Amazon-Issued Certificates.
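The following script is an added example, not code from this guide or from AWS. It shows the programmatic path mentioned in step 9 (creating the validation record with the Route 53 API instead of the console) and the deletion case in this section: it takes the output shape of `aws acm describe-certificate` (the `ResourceRecord` under each `DomainValidationOptions` entry), deduplicates the records, because a wildcard name and its base domain receive the same CNAME, builds a Route 53 change batch for `change-resource-record-sets`, and checks for the zone-suffix duplication mistake described in step 10. The sample response, the domain names, the record values (`.invalid` targets) and the 300-second TTL are constructed placeholders, not real ACM output, so the script runs offline.

```python
"""ACM DNS-validation records -> Route 53 change batch (added example, not AWS code).

Assumes the DescribeCertificate JSON shape returned by
    aws acm describe-certificate --certificate-arn <arn>
and produces a document you can pass to
    aws route53 change-resource-record-sets --hosted-zone-id <id> --change-batch file://batch.json
"""
import json

# Constructed sample response; names, values and the ARN are placeholders.
# Real ACM values are long random strings, and the wildcard name shares the
# base domain's record (same random string), as the guide's table notes.
SAMPLE_DESCRIBE_CERTIFICATE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER",
        "DomainName": "example.com",
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationStatus": "PENDING_VALIDATION",
             "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_3639ac514e785e898d2646601fa951d5.example.com.",
                                "Type": "CNAME", "Value": "_placeholder-1.acm-validation.invalid."}},
            {"DomainName": "*.example.com", "ValidationStatus": "PENDING_VALIDATION",
             "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_3639ac514e785e898d2646601fa951d5.example.com.",
                                "Type": "CNAME", "Value": "_placeholder-1.acm-validation.invalid."}},
            {"DomainName": "www.example.com", "ValidationStatus": "PENDING_VALIDATION",
             "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_placeholder-name-2.www.example.com.",
                                "Type": "CNAME", "Value": "_placeholder-2.acm-validation.invalid."}},
        ],
    }
}


def validation_records(describe_response):
    """Return the unique (Name, Type, Value) records ACM asks you to create.

    Duplicates are dropped: Route 53 rejects a batch that changes the same
    record set twice, and the wildcard/base pair produce identical CNAMEs.
    Entries without a ResourceRecord (e.g. email-validated names) are skipped.
    """
    unique = []
    for option in describe_response["Certificate"]["DomainValidationOptions"]:
        rr = option.get("ResourceRecord")
        if not rr:
            continue
        record = (rr["Name"], rr["Type"], rr["Value"])
        if record not in unique:
            unique.append(record)
    return unique


def name_is_duplicated(record_name, domain):
    """True when the zone suffix appears twice in the record name, which is what
    happens when a DNS provider appends the zone to a name that already has it
    (the guide's _x.example.com -> _x.example.com.example.com case)."""
    name = record_name.rstrip(".").lower()
    zone = domain.lower().rstrip(".")
    if zone.startswith("*."):
        zone = zone[2:]
    return name.endswith("." + zone + "." + zone)


def route53_change_batch(records, action="UPSERT", ttl=300, comment="ACM DNS validation"):
    """Build the ChangeBatch document for change-resource-record-sets.

    UPSERT creates or overwrites, so re-running is safe; DELETE removes the
    records, which (per the guide) stops ACM's automatic renewal. For DELETE,
    Route 53 requires the TTL and value to match the existing record exactly.
    """
    return {
        "Comment": comment,
        "Changes": [
            {"Action": action,
             "ResourceRecordSet": {"Name": name, "Type": rtype, "TTL": ttl,
                                   "ResourceRecords": [{"Value": value}]}}
            for name, rtype, value in records
        ],
    }


def cname_matches(expected_value, observed_target):
    """Compare a resolved CNAME target with the value ACM expects, ignoring
    case and the trailing dot so a correctly propagated record is not
    reported as a mismatch."""
    normalize = lambda s: s.strip().rstrip(".").lower()
    return normalize(expected_value) == normalize(observed_target)


if __name__ == "__main__":
    records = validation_records(SAMPLE_DESCRIBE_CERTIFICATE)
    base = SAMPLE_DESCRIBE_CERTIFICATE["Certificate"]["DomainName"]
    for name, _, _ in records:
        if name_is_duplicated(name, base):
            print("WARNING: zone suffix duplicated in", name)
    print(json.dumps(route53_change_batch(records), indent=2))
```

Running the script prints a two-entry change batch for the three names in the sample. Before removing a record with `action="DELETE"`, remember that ACM renews only while the certificate is in use and the CNAME is present, so deletion is the deliberate way to end automatic renewal rather than a cleanup step.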