AWS Certificate Manager | Email Validation Flashcards
What happens if I remove the CNAME record?
Email Validation
AWS Certificate Manager | Security, Identity & Compliance
ACM cannot issue or renew certificates for your domain using DNS validation if you remove the CNAME record.
What is email validation?
With email validation, an approval request email is sent to the registered domain owner for each domain name in the certificate request. The domain owner or an authorized representative (approver) can approve the certificate request by following the instructions in the email. The instructions direct the approver to the approval website, either by clicking the link in the email or by pasting the link into a browser. The approver confirms the information associated with the certificate request, such as the domain name, certificate ID (ARN), and the AWS account ID initiating the request, and approves the request if the information is accurate.
When I request a certificate and choose email validation, to which email addresses is the certificate approval request sent?
When you request a certificate using email validation, a WHOIS lookup for each domain name in the certificate request is used to retrieve contact information for the domain. Email is sent to the domain registrant, administrative contact, and technical contact listed for the domain. Email is also sent to five special email addresses, which are formed by prepending admin@, administrator@, hostmaster@, webmaster@ and postmaster@ to the domain name you’re requesting. For example, if you request a certificate for server.example.com, email is sent to the domain registrant, technical contact, and administrative contact using contact information returned by a WHOIS query for the example.com domain, plus admin@server.example.com, administrator@server.example.com, hostmaster@server.example.com, postmaster@server.example.com, and webmaster@server.example.com.
The five special email addresses are constructed differently for domain names that begin with “www” or wildcard names beginning with an asterisk (*). ACM removes the leading “www” or asterisk, and email is sent to the administrative addresses formed by prepending admin@, administrator@, hostmaster@, postmaster@, and webmaster@ to the remaining portion of the domain name. For example, if you request a certificate for www.example.com, email is sent to the WHOIS contacts, as described previously, plus admin@example.com rather than admin@www.example.com. The remaining four special email addresses are formed in the same way.
After you request a certificate, you can display the list of email addresses to which the email was sent for each domain using the ACM console, AWS CLI, or APIs.
Can I configure the email addresses to which the certificate approval request is sent?
No, but you can configure the base domain name to which you want the validation email to be sent. The base domain name must be a superdomain of the domain name in the certificate request. For example, if you want to request a certificate for server.domain.example.com but want to direct the approval email to admin@domain.example.com, you can do so using the AWS CLI or API. See ACM CLI Reference and ACM API Reference for further details.
Can I use domains that have proxy contact information (such as Privacy Guard or WhoisGuard)?
Yes; however, email delivery may be delayed as a result of the proxy. Email sent through a proxy may end up in your spam folder. Refer to the ACM User Guide for troubleshooting suggestions.
Can ACM validate my identity using the technical contact for my AWS account?
No. Procedures and policies for validating the domain owner’s identity are very strict and are determined by the CA/Browser Forum, which sets policy standards for publicly trusted certificate authorities. To learn more, please refer to the latest Amazon Trust Services Certification Practices Statement in the Amazon Trust Services Repository.