Automating email validation - Amazon Certificate Manager
Validation email templatesValidation workflow
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Automating email validation

Email-validated ACM certificates normally require manual action by the domain owner. Organizations dealing with large numbers of email-validated certificates may prefer to create a parser that can automate the required responses. To assist customers using email validation, the information in this section describes the template used for domain validation email messages and the workflow involved in completing the validation process.

Validation email templates

Validation email messages have the following format. The content of the highlighted strings should be replaced with values that are specific to the domain being validated.

Validating a new certificate

Email template text:

Greetings from Amazon Web Services,

We received a request to issue an SSL/TLS certificate for requested_domain.	
Verify that the following domain, Amazon Web Services account ID, and certificate identifier correspond 
to a request from you or someone in your organization.

Domain: fqdn
Amazon Web Services account ID: account_id
Amazon Web Services Region name: region_name
Certificate Identifier: certificate_identifier

To approve this request, go to Amazon Certificate Approvals 
(https://region_name.acm-certificates.amazonaws.cn/approvals?code=validation_code&context=validation_context) 
and follow the instructions on the page.

This email is intended solely for authorized individuals for fqdn. To express any concerns
about this email or if this email has reached you in error, forward it along with a brief 
explanation of your concern to validation-questions@amazon.com.

Sincerely,
Amazon Web Services

Once you receive a new validation message from Amazon, we recommend that you use it as the most up-to-date and authoritative template for your parser. Customers with message parsers designed before November, 2020, should note the following changes that may have been made to the template:

  • The email subject line now reads "Certificate request for domain name" instead of "Certificate approval for domain name".

  • The Amazon account ID is now presented without dashes or hyphens. 

  • The Certificate Identifier now presents the entire certificate ARN instead of a shortened form, for example, arn:aws:acm:us-east-1:000000000000:certificate/3b4d78e1-0882-4f51-954a-298ee44ff369 rather than 3b4d78e1-0882-4f51-954a-298ee44ff369.

  • The certificate approval URL now contains acm-certificates.amazonaws.cn instead of certificates.amazon.com.

  • The approval form opened by clicking the certificate approval URL now contains the approval button. The name of the approval button div is now approve-button instead of approval_button.

  • Validation messages for both newly requested certificates and renewing certificates have the same email format.

Validation workflow

This section provides information about the renewal workflow for email-validated certificates.

  • When the ACM console processes a multi-domain certificate request, it sends validation email messages to the first domain it finds that includes an MX record. The domain owner needs to validate an email message for each domain before ACM can issue the certificate. For more information, see Using Email to Validate Domain Ownership.

  • Email validation for multi-domain certificate requests using the ACM API or CLI results in an email message being sent by default to the apex domain and to each subdomain. The domain owner needs to validate an email message for each of these domains before ACM can issue the certificate.

    Note

    Prior to November, 2020, customers needed to validate only the apex domain and ACM would issue a certificate that also covered any subdomains. Customers with message parsers designed before that time should note the change to the email validation workflow.

  • With the ACM API or CLI, you can force all validation email messages for a multi-domain certificate request to be sent to the apex domain. In the API, use the DomainValidationOptions parameter of the RequestCertificate action to specify a value for ValidationDomain, which is a member of the DomainValidationOption type. In the CLI, use the --domain-validation-options parameter of the request-certificate command to specify a value for ValidationDomain.