Renewal for domains validated by DNS - Amazon Certificate Manager

Renewal for domains validated by DNS

Managed renewal is fully automated for ACM certificates that were originally issued using DNS validation.

At 60 days prior to expiration, ACM checks for the following renewal criteria:

  • The certificate is currently in use by an Amazon service.

  • All required ACM-provided DNS CNAME records (one for each unique Subject Alternative Name) are present and accessible via public DNS.

If these criteria are met, ACM considers the domain names validated and renews the certificate.

ACM sends Amazon Health events and Amazon EventBridge events when it cannot automatically validate a domain during renewal (for example, because of the presence of a CAA record). These events are sent at 45 days, 30 days, 15 days, seven days, three days, and one day prior to expiration. For more information, see Amazon EventBridge support for ACM.
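
The following pre-flight check is an added example, not AWS code: it evaluates the two renewal criteria above and lists the event dates still ahead. It assumes a dictionary shaped like the `Certificate` object returned by ACM's DescribeCertificate and a caller-supplied `resolve_cname` lookup (hypothetical name); the sample certificate, ARN, and DNS records are constructed.

```python
from datetime import datetime, timedelta, timezone

EVENT_DAYS = (45, 30, 15, 7, 3, 1)  # days before expiry when ACM sends failure events

def _norm(name):
    return name.rstrip(".").lower()

def renewal_preflight(cert, resolve_cname, now):
    """Evaluate the two renewal criteria for a DNS-validated certificate.

    cert: dict shaped like the 'Certificate' object from ACM DescribeCertificate.
    resolve_cname: caller-supplied callable(name) -> CNAME target or None
                   (assumption: it queries public DNS).
    """
    problems = []
    if not cert.get("InUseBy"):
        problems.append("certificate is not in use by any service")
    checked = set()
    for opt in cert.get("DomainValidationOptions", []):
        rec = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rec:
            problems.append(f"{opt['DomainName']}: no DNS validation record on file")
            continue
        if _norm(rec["Name"]) in checked:
            continue  # same record already looked up
        checked.add(_norm(rec["Name"]))
        target = resolve_cname(rec["Name"])
        if target is None or _norm(target) != _norm(rec["Value"]):
            problems.append(f"{opt['DomainName']}: CNAME {rec['Name']} missing or mismatched")
    expires = cert["NotAfter"]
    return {
        "renewal_check": expires - timedelta(days=60),  # when ACM evaluates the criteria
        "problems": problems,
        "remaining_event_dates": [expires - timedelta(days=d) for d in EVENT_DAYS
                                  if expires - timedelta(days=d) >= now],
    }

# Constructed sample data (not real records or ARNs).
SAMPLE_CERT = {
    "InUseBy": ["arn:aws:elasticloadbalancing:region:111122223333:loadbalancer/app/example/placeholder"],
    "NotAfter": datetime(2025, 6, 30, tzinfo=timezone.utc),
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS", "ResourceRecord": {
            "Name": "_aaa111.example.com.", "Type": "CNAME", "Value": "_bbb222.acm-validations.aws."}},
        {"DomainName": "www.example.com", "ValidationMethod": "DNS", "ResourceRecord": {
            "Name": "_ccc333.www.example.com.", "Type": "CNAME", "Value": "_ddd444.acm-validations.aws."}},
    ],
}
SAMPLE_DNS = {"_aaa111.example.com.": "_bbb222.acm-validations.aws."}  # second record was deleted

if __name__ == "__main__":
    print(renewal_preflight(SAMPLE_CERT, SAMPLE_DNS.get, datetime(2025, 5, 20, tzinfo=timezone.utc)))
```

In practice `resolve_cname` would query a public resolver rather than a dictionary, so that a record visible only in a private zone is reported as missing.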