AWS Certificate Manager | DNS Validation Flashcards

1
Q

Does ACM support any other methods for validating a domain?

DNS Validation

AWS Certificate Manager | Security, Identity & Compliance

A

Not at this time.

2
Q

What is DNS validation?

A

With DNS validation, you can validate your ownership of a domain by adding a CNAME record to your DNS configuration. DNS Validation makes it easy for you to establish that you own a domain when requesting SSL/TLS certificates from ACM.

3
Q

What are the benefits of DNS validation?

A

DNS validation makes it easy to validate that you own or control a domain so that you can obtain an SSL/TLS certificate. With DNS validation, you simply write a CNAME record to your DNS configuration to establish control of your domain name. To simplify the DNS validation process, the ACM management console can configure DNS records for you if you manage your DNS records with Amazon Route 53. This makes it easy to establish control of your domain name with a few mouse clicks. Once the CNAME record is configured, ACM automatically renews certificates that are in use (associated with other AWS resources) as long as the DNS validation record remains in place. Renewals are fully automatic and touchless.

4
Q

Who should use DNS validation?

A

Anyone who requests a certificate through ACM and has the ability to change the DNS configuration for the domain they are requesting should consider using DNS validation.

5
Q

Does ACM still support email validation?

A

Yes. ACM continues to support email validation for customers who can’t change their DNS configuration.

6
Q

What records do I need to add to my DNS configuration to validate a domain?

A

You must add a CNAME record for the domain you want to validate. For example, to validate the name www.example.com, you add a CNAME record to the zone for example.com. The record you add contains a random token that ACM generates specifically for your domain and your AWS account. You can obtain the two parts of the CNAME record (name and label) from ACM. For further instructions, refer to the ACM User Guide.

7
Q

How can I add or modify DNS records for my domain?

A

For more information about how to add or modify DNS records, check with your DNS provider. The Amazon Route 53 DNS documentation provides further information for customers who use Amazon Route 53 DNS.

8
Q

Can ACM simplify DNS validation for Amazon Route 53 DNS customers?

A

Yes. For customers who are using Amazon Route 53 DNS to manage DNS records, the ACM console can add records to your DNS configuration for you when you request a certificate. Your Route 53 DNS hosted zone for your domain must be configured in the same AWS account as the one you are making the request from, and you must have sufficient permissions to make a change to your Amazon Route 53 configuration. For further instructions, refer to the ACM User Guide.

9
Q

Does DNS Validation require me to use a specific DNS provider?

A

No. You can use DNS validation with any DNS provider as long as the provider allows you to add a CNAME record to your DNS configuration.

10
Q

How many DNS records do I need if I want more than one certificate for the same domain?

A

One. You can obtain multiple certificates for the same domain name in the same AWS account using one CNAME record. For example, if you make 2 certificate requests from the same AWS account for the same domain name, you need only 1 DNS CNAME record.

11
Q

Can I validate multiple domain names with the same CNAME record?

A

No. Each domain name must have a unique CNAME record.

12
Q

Can I validate a wildcard domain name using DNS validation?

A

Yes.

13
Q

How does ACM construct CNAME records?

A

DNS CNAME records have two components: a name and a label. The name component of an ACM-generated CNAME is constructed from an underscore character (_) followed by a token, which is a unique string that is tied to your AWS account and your domain name. ACM prepends the underscore and token to your domain name to construct the name component. ACM constructs the label from an underscore character prepended to a different token which is also tied to your AWS account and your domain name. ACM prepends the underscore and token to a DNS domain name used by AWS for validations: acm-validations.aws. The following examples show the formatting of CNAMEs for www.example.com, subdomain.example.com, and *.example.com.

_TOKEN1.www.example.com CNAME _TOKEN2.acm-validations.aws

_TOKEN3.subdomain.example.com CNAME _TOKEN4.acm-validations.aws

_TOKEN5.example.com CNAME _TOKEN6.acm-validations.aws

Notice that ACM removes the wildcard label (*) when generating CNAME records for wildcard names. As a result, the CNAME record generated by ACM for a wildcard name (such as *.example.com) is the same record returned for the domain name without the wildcard label (example.com).

14
Q

Can I validate all subdomains of a domain using one CNAME record?

A

No. Each domain name, including host names and subdomain names, must be validated separately, each with a unique CNAME record.

15
Q

Why does ACM use CNAME records for DNS validation instead of TXT records?

A

Using a CNAME record allows ACM to renew certificates for as long as the CNAME record exists. The CNAME record directs to a TXT record in an AWS domain (acm-validations.aws) that ACM can update as needed to validate or re-validate a domain name, without any action from you.

16
Q

Does DNS validation work across AWS Regions?

A

Yes. You can create one DNS CNAME record and use it to obtain certificates in the same AWS account in any AWS Region where ACM is offered. Configure the CNAME record once and you can get certificates issued and renewed from ACM for that name without creating another record.

17
Q

Can I choose different validation methods in the same certificate?

A

No. Each certificate can have only one validation method.

18
Q

How do I renew a certificate validated with DNS validation?

A

ACM automatically renews certificates that are in use (associated with other AWS resources) as long as the DNS validation record remains in place.

19
Q

Can I revoke permission to issue certificates for my domain?

A

Yes. Simply remove the CNAME record. ACM does not issue or renew certificates for your domain using DNS validation after you remove the CNAME record and the change is distributed through DNS. The propagation time to remove the record depends on your DNS provider.