AWS – CloudFormation now allows DNS-validated certificate management with Amazon Certificate Manager

As you know, Amazon Certificate Manager (ACM) is used to help managing certificates, from the creation to the renewal process.

Well, ACM can now be used by CloudFormation to automate SSL/TLS certificate management for DNS-validated certificates with domain managed by Amazon Route 53.

With this improvement you no longer need to manually validate your request.

To start using this new capability, you create a new CloudFormation template using the below sample

{
   “Type” : “AWS::CertificateManager::Certificate”,
   “Properties” : {
       “CertificateAuthorityArn” : String,
       “CertificateTransparencyLoggingPreference” : String,
       “DomainName” : String,
       “DomainValidationOptions” : [ DomainValidationOption, … ],
       “SubjectAlternativeNames” : [ String, … ],
       “Tags” : [ Tag, … ],
       “ValidationMethod” : String
     }
}

Where

  • CertificateAuthorityArn is the Amazon Resource Name (ARN) of the private certificate authority (CA) using the following form: arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
  • CertificateTransparencyLoggingPreference defines if you opt-in/opt-out for automatically log your certificate in a public CT log. Accepted values are enabled or disabled
  • DomainName (required) defines the full qualified domain name (like www.amazon.com) for which you want to generate/renew a certificate
  • DomainValidationOptions defines the validation option used to verify your identity. You can get the list of available validation options here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-certificatemanager-certificate-domainvalidationoption.html
  • SubjectAlternativeNames if you want to define alternative names for your certificate; same as for the domain name, you need to use the FQDN
  • Tags helps you define tags to identify your certificate
  • ValidationMethod defines the validation method (DNS or email) to use for verifying your ownership. In the context of this post, you should then use the DNS option

Below is a sample of JSON file to create the new template

“mycertificate” : {
   “Type” : “AWS::CertificateManager::Certificate”,
   “Properties” : {
     “DomainName” : “mydomain.com”,
     “DomainValidationOptions” : [{
       “DomainName” : “mydomain.com”,
        “ValidationDomain” : “mydomain.com”
      }],
     “ValidationMethod” : “dns”
    }
  }

Benoit Hamet
Benoit Hamet
Benoit is working on Microsoft collaborative technologies He has been awarded as MVP for more than 12 years Currently MVP on Office 365 after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007) Speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) or online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies