AWS Certificate Manager | Email Validation Flashcards

1
Q

What happens if I remove the CNAME record?

Email Validation

AWS Certificate Manager | Security, Identity & Compliance

A

ACM cannot issue or renew certificates for your domain using DNS validation if you remove the CNAME record.

2
Q

What is email validation?

A

With email validation, an approval request email is sent to the registered domain owner for each domain name in the certificate request. The domain owner or an authorized representative (approver) can approve the certificate request by following the instructions in the email. The instructions direct the approver to navigate to the approval website, either by clicking the link in the email or by pasting the link from the email into a browser. The approver confirms the information associated with the certificate request, such as the domain name, certificate ID (ARN), and the AWS account ID initiating the request, and approves the request if the information is accurate.

3
Q

When I request a certificate and choose email validation, to which email addresses is the certificate approval request sent?

A

When you request a certificate using email validation, a WHOIS lookup for each domain name in the certificate request is used to retrieve contact information for the domain. Email is sent to the domain registrant, administrative contact, and technical contact listed for the domain. Email is also sent to five special email addresses, which are formed by prepending admin@, administrator@, hostmaster@, webmaster@ and postmaster@ to the domain name you’re requesting. For example, if you request a certificate for server.example.com, email is sent to the domain registrant, technical contact, and administrative contact using contact information returned by a WHOIS query for the example.com domain, plus admin@server.example.com, administrator@server.example.com, hostmaster@server.example.com, postmaster@server.example.com, and webmaster@server.example.com.

The five special email addresses are constructed differently for domain names that begin with “www” or wildcard names beginning with an asterisk (*). ACM removes the leading “www” or asterisk and email is sent to the administrative addresses formed by prepending admin@, administrator@, hostmaster@, postmaster@, and webmaster@ to the remaining portion of the domain name. For example, if you request a certificate for www.example.com, email is sent to the WHOIS contacts, as described previously, plus admin@example.com rather than admin@www.example.com. The remaining four special email addresses are similarly formed.

After you request a certificate, you can display the list of email addresses to which the email was sent for each domain using the ACM console, AWS CLI, or APIs.

4
Q

Can I configure the email addresses to which the certificate approval request is sent?

A

No, but you can configure the base domain name to which you want the validation email to be sent. The base domain name must be a superdomain of the domain name in the certificate request. For example, if you want to request a certificate for server.domain.example.com but want to direct the approval email to admin@domain.example.com, you can do so using the AWS CLI or API. See ACM CLI Reference and ACM API Reference for further details.

5
Q

Can I use domains that have proxy contact information (such as Privacy Guard or WhoisGuard)?

A

Yes; however, email delivery may be delayed as a result of the proxy. Email sent through a proxy may end up in your spam folder. Refer to the ACM User Guide for troubleshooting suggestions.

6
Q

Can ACM validate my identity using the technical contact for my AWS account?

A

No. Procedures and policies for validating the domain owner’s identity are very strict and are determined by the CA/Browser Forum, which sets policy standards for publicly trusted certificate authorities. To learn more, please refer to the latest Amazon Trust Services Certification Practices Statement in the Amazon Trust Services Repository.
