How do I issue an ACM certificate for a domain in a private hosted zone?

2 minute read

I want to issue an AWS Certificate Manager (ACM) certificate for a domain name that's in an Amazon Route 53 private hosted zone.

Resolution

Register your domain name and use a public hosted zone

ACM issues a public certificate only after it validates domain ownership. You can't request a public certificate for domain names that are in a private host zone because you can't prove the public domain ownership. Instead, you must register your domain name and use a public hosted zone.

For domain names that are in a private hosted zone, use AWS Private Certificate Authority (AWS Private CA) to request a private certificate. When you request a private certificate from AWS Private CA, you don't need to validate domain ownership.

Get a public ACM certificate for private subdomains in a public domain

You can have a split-DNS configuration where the domain is pubic and the subdomains are private. If you control the public domain, then you can still get a public ACM certificate for the private subdomains.

To use the domain's public hosted zone for domain validation, complete the following steps:

Request a certificate for the subdomain.
Add the CNAME record that ACM provides to your DNS configuration.
Publish the CNAME record in the public hosted zone.

After the CNAME record is visible in the public DNS, ACM validates the domain ownership and issues a public certificate for the private subdomain.

Related information

What is the best certificate service for my needs?

Topics: Security, Identity, & Compliance
Tags: AWS Certificate Manager
Language: English

AWS OFFICIALUpdated a year ago

1 Comment

this answer is not full. main domain may be public, for example: main.domain. but subdomains may still be private ones - like sub.main.domain. And in this case it is possible to prove ownership. With some specific record, for example.

so, there should be a way to get valid certificate for that kind of zones.

replied a year ago

Relevant content

ACM Certificate issued for an private hosted zone, status stuck on pending validation
rePost-User-6271219
asked 3 years ago
Can you validate an ACM public certificate using a domain record in a Route 53 private hosted zone?
Accepted Answer
AWS-User-2983741
asked 8 years ago
Issue ACM certificate for domain in private route53 zone
Paul
asked 3 years ago
How to use custom domain name with private API gateway
Accepted Answer
Salim
asked 3 years ago
ACM certificate validation pending with Route 53 hosted zone with parent domain in other DNS service
Accepted Answer
mikkok
asked 4 years ago
How can I resend the validation email to verify my domain for ACM?
AWS OFFICIALUpdated 2 years ago
How do I resolve CAA “Failed” error when an ACM certificate is issued or renewed?
AWS OFFICIALUpdated 2 years ago
How can I resolve certificate expired or "invalid certificate" errors when invoking an API Gateway API using a custom domain name?
AWS OFFICIALUpdated a year ago
Why didn't the CNAME record resolve for my ACM issued certificate and the DNS validation status is still "Pending validation"?
AWS OFFICIALUpdated a year ago
AWS re:Post Knowledge Center Spotlight: AWS Certificate Manager (ACM)
EXPERT
AWS Official
published 2 years ago