How can I validate ACM certificates from Route 53?


I want to validate AWS Certificate Manager (ACM) certificates from Amazon Route 53.

Short description

There are two ways to validate domain ownership for an ACM certificate:

  1. DNS validation
  2. Email validation

When you use DNS validation to request an ACM certificate, ACM provides a CNAME record that you must add to your DNS configuration. ACM uses the CNAME record to validate ownership of domains. After ACM validates domain ownership, the certificate status updates from Pending validation to Issued.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

If Route 53 is your domain's DNS service provider, then you can use a one-click option in the ACM console to create the CNAME. When you select this option, ACM automatically adds the record to the Route 53 hosted zone of the domain.

However, if either of the following cases is true, then you must add the CNAME records manually:

  • You have multiple hosted zones for the same domain.
  • Your hosted zone is in a different account.

Apex domain certificate requests

Determine the name server (NS) record

1.    To find the DNS configuration for the appropriate hosted zone, run the following command:

For Linux and macOS:

$ dig NS

For Windows:

$ nslookup -type=ns

Note: Replace with your domain name.

2.    This command provides the name servers that are included in the name server (NS) record of the DNS configuration of the domain. Add the CNAME record to the Route 53 hosted zone that has the same NS record as the name servers in your output.

Here's an example output:

$ dig NS
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.2 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56071
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096

;; ANSWER SECTION: 300 IN NS 300 IN NS 300 IN NS 300 IN NS

Add CNAME records in Route 53

After you identify the appropriate hosted zone using the NS values, add your CNAME record to it:

1.    Open the Route 53 console.

2.    Navigate to the hosted zone of your domain. This hosted zone must have the same NS record as the name servers you identified in the previous task.

3.    Choose Create record.

4.    For Name, enter the Record Name of the CNAME that ACM generated, excluding the domain portion. For more information, see How CNAME records for ACM work.

5.    For Value, enter the complete Record Value that ACM provided.

6.    For Record type, choose CNAME - Routes traffic to another domain name and to some AWS resources.

7.    For Route Policy, choose Simple routing.

8.    Choose Create Records.

Verify the resolution of the CNAME record

To confirm that Route 53 added the CNAME record to your DNS configuration, run a command similar to the following examples:

For Linux and macOS:

dig +short

For Windows:

nslookup -type=cname

Note: Replace with your ACM CNAME record.

If you successfully added and propagated the CNAME record, then the command returns the CNAME record's value in the output.
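The two checks in this article (matching the domain's delegated name servers to the correct Route 53 hosted zone, and confirming that the ACM validation CNAME resolves to the value ACM provided) are easy to get wrong by hand when name servers are listed in a different order, in different case, or with and without the trailing dot. The following Python script is an added example, not code from AWS or this article; it parses constructed dig output rather than querying DNS so it runs offline, and the hosted zone IDs, name servers and ACM record values in it are made up for illustration. In practice you would feed it the real output of dig NS for your domain and dig +short for the ACM CNAME name.

```python
"""Pick the Route 53 hosted zone whose NS records match the domain's delegation,
then check that the ACM validation CNAME resolves to the expected value.
Added example (not AWS code); all sample data below is constructed."""


def normalize(name):
    """DNS names compare case-insensitively and the trailing dot is optional."""
    return name.strip().lower().rstrip(".")


def parse_ns(dig_output):
    """Return the set of NS targets found in the ANSWER SECTION of `dig NS <domain>`."""
    nameservers = set()
    for line in dig_output.splitlines():
        # Comment and header lines in dig output start with ';'
        if not line.strip() or line.startswith(";"):
            continue
        fields = line.split()
        # Resource record layout: owner  TTL  class  type  target
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            nameservers.add(normalize(fields[4]))
    return nameservers


def matching_hosted_zones(delegated_ns, hosted_zones):
    """IDs of hosted zones whose NS set equals the delegated NS set.

    hosted_zones maps a hosted zone ID to the list of name servers in its NS
    record, as shown in the Route 53 console. The comparison is order- and
    case-insensitive, and ignores trailing dots.
    """
    return [
        zone_id
        for zone_id, ns_list in hosted_zones.items()
        if {normalize(n) for n in ns_list} == delegated_ns
    ]


def cname_validates(dig_short_output, expected_value):
    """True if the `dig +short <acm cname name>` answer contains ACM's record value."""
    answers = {normalize(l) for l in dig_short_output.splitlines() if l.strip()}
    return normalize(expected_value) in answers


# Constructed dig output for a hypothetical domain (not real name servers).
SAMPLE_DIG_NS = """\
; <<>> DiG 9.11.4 <<>> NS example.com
;; ANSWER SECTION:
example.com.   300 IN NS ns-1001.awsdns-example-1.org.
example.com.   300 IN NS NS-2002.AWSDNS-EXAMPLE-2.co.uk.
example.com.   300 IN NS ns-3003.awsdns-example-3.com.
example.com.   300 IN NS ns-4004.awsdns-example-4.net.
"""

# Constructed: two hosted zones for the same domain (the "multiple hosted zones"
# case from the article); only Z1EXAMPLE has the delegated NS set.
SAMPLE_HOSTED_ZONES = {
    "Z1EXAMPLE": [
        "ns-4004.awsdns-example-4.net",
        "ns-3003.awsdns-example-3.com.",
        "ns-2002.awsdns-example-2.co.uk",
        "ns-1001.awsdns-example-1.org.",
    ],
    "Z2EXAMPLE": [
        "ns-5005.awsdns-example-5.com.",
        "ns-6006.awsdns-example-6.net.",
        "ns-7007.awsdns-example-7.org.",
        "ns-8008.awsdns-example-8.co.uk.",
    ],
}

# Constructed ACM validation record and a constructed `dig +short` answer.
SAMPLE_ACM_VALUE = "_constructedvalue.acm-validations.aws."
SAMPLE_DIG_SHORT = "_CONSTRUCTEDVALUE.acm-validations.aws.\n"


if __name__ == "__main__":
    delegated = parse_ns(SAMPLE_DIG_NS)
    print("delegated NS:", sorted(delegated))
    print("hosted zones to use:", matching_hosted_zones(delegated, SAMPLE_HOSTED_ZONES))
    print("ACM CNAME resolves correctly:", cname_validates(SAMPLE_DIG_SHORT, SAMPLE_ACM_VALUE))
```

If matching_hosted_zones returns an empty list, no hosted zone in the account carries the delegation; that is the symptom you see when the hosted zone lives in another account or when subdomain delegation was never set up, and adding the CNAME to a non-matching zone will leave the certificate in Pending validation.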

Subdomain certificate requests

You have a separate hosted zone for your subdomain

Follow the previously described steps for apex domain certificate requests, and identify the NS record of the subdomain. To do this, replace the domain's name with the subdomain in the command.

If you receive an output with NS values, then add the CNAME records in the subdomain's hosted zone to match the output's NS values.

If you don't receive NS records after running the command, then verify that you properly configured subdomain delegation between your apex domain and subdomain. To do this, create a resource record with the subdomain's NS record in the apex domain's hosted zone. For more information, see How do I create a subdomain for a domain hosted through Route 53?

You don't have a separate hosted zone for your subdomain

If there isn't a separate hosted zone for the subdomain, then add the CNAME records in the apex domain's hosted zone. Then, use the previously described steps for apex domain certificate requests to verify that the CNAME record resolves as expected.

Note: If there are recent changes in the DNS configuration, you might experience propagation delays based on TTL values.

AWS OFFICIAL. Updated 10 months ago.