ACM Validation Domain

Sending validation emails to apex domain for subdomain requests.

Posted by Mike Apted on Thursday, April 14, 2016

The release of AWS Certificate Manager has been a fantastic resource for zero cost issuance and management of SSL/TLS certificates for use in your AWS environments. As per the ACM marketing collateral:

With AWS Certificate Manager, you can quickly request a certificate, deploy it on AWS resources such as Elastic Load Balancers or Amazon CloudFront distributions, and let AWS Certificate Manager handle certificate renewals. SSL/TLS certificates provisioned through AWS Certificate Manager are free.

There are a couple of small annoyances at this point, like not being able to specify an ACM certificate in CloudFormation templates for use in CloudFront, but these features eventually trickle down into CloudFormation.

I did run into an interesting wrinkle recently when attempting to request a certificate for a subdomain in the console. The default console behaviour is to send the validation emails to the domain registrant, technical contact, and administrative contact listed in WHOIS, and to the admin@, administrator@, hostmaster@, postmaster@ and webmaster@ addresses at the requested domain.

If there is no mail service for that subdomain and you would prefer to send the validation to the apex domain (or any superdomain of the domain you are requesting the certificate for) you will want to use the CLI to send that certificate request. This allows you to use the:

--domain-validation-options

option to specify the exact domain to send the validation emails to. The value can be either a JSON string or a shorthand syntax. For example:

aws acm request-certificate --domain-name subdomain.example.com --domain-validation-options DomainName=subdomain.example.com,ValidationDomain=example.com
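As an added example (not from the original post), a small POSIX shell wrapper that builds that option in both the shorthand and JSON forms, refuses a ValidationDomain that is not the requested domain itself or one of its superdomains (the only domains ACM will route the validation mail to), and only prints the request unless ACM_RUN=1, a switch invented for this example:

```shell
#!/bin/sh
# Added example (not from the original post): build the --domain-validation-options
# value for `aws acm request-certificate` and refuse a ValidationDomain that is not
# the requested domain itself or one of its superdomains, which are the only
# domains ACM will send the validation mail to.

# is_superdomain_or_self CANDIDATE DOMAIN
# Succeeds when CANDIDATE equals DOMAIN or DOMAIN ends with ".CANDIDATE"
# (so "example.com" matches "sub.example.com" but not "subexample.com").
is_superdomain_or_self() {
    candidate="$1"; domain="$2"
    [ "$candidate" = "$domain" ] && return 0
    case "$domain" in
        *."$candidate") return 0 ;;
    esac
    return 1
}

# validation_options DOMAIN VALIDATION_DOMAIN -> shorthand syntax on stdout
validation_options() {
    if ! is_superdomain_or_self "$2" "$1"; then
        echo "error: $2 is neither $1 nor a superdomain of it" >&2
        return 1
    fi
    printf 'DomainName=%s,ValidationDomain=%s\n' "$1" "$2"
}

# validation_options_json DOMAIN VALIDATION_DOMAIN -> the equivalent JSON form
validation_options_json() {
    is_superdomain_or_self "$2" "$1" || return 1
    printf '[{"DomainName":"%s","ValidationDomain":"%s"}]\n' "$1" "$2"
}

# request_certificate DOMAIN VALIDATION_DOMAIN
# Prints the CLI invocation; set ACM_RUN=1 to actually execute it (needs the aws
# CLI and credentials). ACM_RUN is a hypothetical switch for this example only.
request_certificate() {
    opts=$(validation_options "$1" "$2") || return 1
    if [ "${ACM_RUN:-0}" = "1" ]; then
        aws acm request-certificate --domain-name "$1" --domain-validation-options "$opts"
    else
        printf 'aws acm request-certificate --domain-name %s --domain-validation-options %s\n' "$1" "$opts"
    fi
}
```

Running `request_certificate subdomain.example.com example.com` reproduces the command above; passing an unrelated domain such as `other.com` as the ValidationDomain fails before anything is sent.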