How do I use email to validate my certificate domains during the AWS Certificate Manager (ACM) managed renewal process?

ACM provides managed renewal for Amazon-issued SSL/TLS certificates. If the certificate was issued by ACM and is associated with one of the Services Integrated with AWS Certificate Manager, ACM begins the renewal process 60 days before the certificate expires.

ACM tries to automatically validate each domain name in the certificate by establishing an HTTPS connection to it. If ACM successfully establishes an HTTPS connection and the certificate it receives matches the certificate that ACM is renewing, ACM considers the domain ownership validated.

When all the domains have been validated, the certificate is renewed automatically. If you have certificates for the same domain name in multiple AWS Regions, ACM renews each certificate independently. For more information, see How Domain Validation Works.

If the certificate is 45 days from expiration and ACM is unable to automatically validate one or more domain names in the certificate, you must manually validate your domain by email. For the steps, see Using Email to Validate Domain Ownership. For more information, see When Automatic Validation Fails. If one or more domain names are not validated before the certificate expires, the renewal fails, and you must request a new certificate (see Request a new certificate).

After the manual renewal process has started, you can request that ACM resend the validation email. For the steps, see Request a Domain Validation Email for Certificate Renewal. If you don't have a mail exchanger record (MX record), or if you have enabled domain privacy, ACM cannot send the validation email. For more information, see Troubleshoot Email Problems.
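The renewal timeline above can be checked against a certificate's `DescribeCertificate` output. The following is an added example, not AWS code: the function name, the state labels it returns, and the sample data are assumptions made for illustration, while the field names (`NotAfter`, `InUseBy`, `RenewalSummary`, `DomainValidationOptions`, `ValidationStatus`) are those of the ACM API response.

```python
from datetime import datetime, timezone

RENEWAL_START_DAYS = 60  # ACM begins managed renewal this long before expiry
MANUAL_EMAIL_DAYS = 45   # from here on, unvalidated domains need email validation

def triage_renewal(cert, now):
    """Classify the "Certificate" dict of an ACM DescribeCertificate response.

    Returns (state, pending), where pending lists the domain names whose
    renewal validation has not succeeded yet. State labels are illustrative.
    """
    days_left = (cert["NotAfter"] - now).days
    options = cert.get("RenewalSummary", {}).get("DomainValidationOptions", [])
    pending = [d["DomainName"] for d in options
               if d.get("ValidationStatus") != "SUCCESS"]
    if days_left < 0:
        return "EXPIRED_REQUEST_NEW_CERTIFICATE", pending
    if not cert.get("InUseBy"):
        # Managed renewal only covers certificates tied to an integrated service.
        return "NOT_ASSOCIATED_WITH_A_SERVICE", pending
    if days_left > RENEWAL_START_DAYS or not options:
        return "RENEWAL_NOT_STARTED", pending
    if not pending:
        return "ALL_DOMAINS_VALIDATED", pending
    if days_left <= MANUAL_EMAIL_DAYS:
        return "EMAIL_VALIDATION_REQUIRED", pending
    return "AUTOMATIC_VALIDATION_PENDING", pending

# Constructed sample (not real account data): 40 days left, one domain unvalidated.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERT = {
    "DomainName": "example.com",
    "NotAfter": datetime(2018, 7, 11, tzinfo=timezone.utc),
    "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                "loadbalancer/app/example/0123456789abcdef"],
    "RenewalSummary": {
        "RenewalStatus": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationStatus": "SUCCESS"},
            {"DomainName": "www.example.com",
             "ValidationStatus": "PENDING_VALIDATION"},
        ],
    },
}

if __name__ == "__main__":
    print(triage_renewal(SAMPLE_CERT, NOW))
```

With live data, pass the `Certificate` element returned by boto3's `describe_certificate` and the current UTC time. Domains reported as pending in the `EMAIL_VALIDATION_REQUIRED` state are the ones to validate by email or to request a resend for.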



Published: 2018-06-01