AWS Certificate Manager | Provisioning a Certificate Flashcards
Is there a limit to the number of certificates I can provision with ACM?
Provisioning a Certificate
AWS Certificate Manager | Security, Identity & Compliance
You can provision up to 100 certificates per account in each Region by default. Each certificate provisioned with ACM can have up to ten fully qualified domain names. You may request a limit increase by visiting the AWS Support Center. Refer to the AWS Documentation for further details.
How can I provision a certificate from ACM?
You can use the AWS Management Console, AWS CLI, or ACM APIs/SDKs. To use the AWS Management Console, navigate to the Certificate Manager, choose Request a certificate, enter the domain name for your site, and follow the instructions on the screen to complete your request. You can add additional domain names to your request if users can reach your site by other names. Before ACM can issue a certificate, it validates that you own or control the domain names in your certificate request. You can choose DNS validation or email validation when requesting a certificate. With DNS validation, you write a record to the public DNS configuration for your domain to establish that you own or control the domain. After you use DNS validation once to establish control of your domain, you can obtain additional certificates and have ACM renew existing certificates for the domain as long as the record remains in place and the certificate remains in use. You do not have to validate control of the domain again. If you choose email validation instead of DNS validation, emails are sent to the domain owner requesting approval to issue the certificate. After validating that you own or control each domain name in your request, the certificate is issued and ready to be provisioned with other AWS services, such as Elastic Load Balancing or Amazon CloudFront. Refer to the ACM Documentation for details.
How long does it take for a certificate to be issued?
The time to issue a certificate after all of the domain names in a certificate request have been validated may be several hours or longer.
What happens when I request a certificate?
ACM attempts to validate ownership or control of each domain name in your certificate request, according to the validation method you chose, DNS or email, when making the request. The status of the certificate request is Pending validation while ACM attempts to validate that you own or control the domain. Refer to the DNS validation and Email validation sections below for more information about the validation process. After all of the domain names in the certificate request are validated, the time to issue certificates may be several hours or longer. When the certificate is issued, the status of the certificate request changes to Issued and you can start using it with other AWS services that are integrated with ACM.
Why is the status of my certificate request “Pending validation”?
Certificates that have been requested but not yet validated have the status Pending validation. The domain in the certificate request must be validated before the certificate can be issued. To determine why your request may be in this state, please visit the ACM Troubleshooting Guide.
Why does the status of my certificate request appear as Failed?
The process for validating control of the domain can fail for several reasons. Reasons include, but are not limited to, the domain being included on a list of URLs for web resources that are believed to contain malware or phishing content. To determine why your request failed, please visit the ACM Troubleshooting Guide.
Why does the status of my certificate request appear as Validation timed out?
Requests for ACM certificates time out if they are not validated within 72 hours. Refer to the ACM User Guide for troubleshooting suggestions.
Does ACM support checking of DNS Certificate Authority Authorization (CAA) records?
Yes. DNS Certificate Authority Authorization (CAA) records allow domain owners to specify which certificate authorities are authorized to issue certificates for their domain. When you request an ACM Certificate, AWS Certificate Manager looks for a CAA record in the DNS zone configuration for your domain. If a CAA record is not present, then Amazon can issue a certificate for your domain. Most customers fall into this category.
If your DNS configuration contains a CAA record, that record must specify one of the following CAs before Amazon can issue a certificate for your domain: amazon.com, amazontrust.com, awstrust.com, or amazonaws.com. Refer to Configure a CAA Record or Troubleshooting CAA Problems in the AWS Certificate Manager User Guide for more information.