Tags: amazon-web-services, ssl, dns, aws-certificate-manager

AWS ACM - how does the verification of an SSL cert in DNS work?


Let's say I have created a public SSL cert in ACM and chose DNS validation.
After that, I will use this SSL cert in my CloudFront distribution.

I have just a fundamental knowledge of how DNS servers work.

From AWS:

The Domain Name System (DNS) is a directory service for resources connected to a network. On the internet, DNS servers are used primarily to translate from domain names to the numerical IP addresses that identify and locate resources such as computers and other devices. The databases on DNS servers contain domain records that are used for this translation and to enable other functionality. For example, A records are a type of DNS record used to map domain names to IPV4 addresses. MX records are used to route email. NS records list all of the name servers for the domain.

ACM uses CNAME (Canonical Name) records to validate that you own or control a domain. When you choose DNS validation, ACM provides you one or more CNAME records to insert into your DNS database. For example, if you request a certificate for the example.com domain with www.example.com as an additional name, ACM creates two CNAME records for you.

After the certificate request is sent, I need to add the DNS configuration for this cert to my DNS records in order to verify the cert.

I am not sure what purpose this step serves.

  1. What is the purpose of this step?
  2. What will happen if I add this DNS configuration to other people's DNS records instead of mine?



Update

1.)
Sorry, I know it seems a stupid question.
According to the comment, the situation below would never happen?

my DNS Record

www.MyDomain.com.   A   123.120.110.1

Tom DNS Record

www.TomDomain.com.  A   123.120.110.1

2.)
Let's assume I help a client with the revamp of website ABC (domain name: https://example.com).
The client wants to use the same domain name for website ABC.

After I finish the website, I created an SSL certificate for example.com and created a CloudFront distribution for the build files.

The steps I should perform then:
a) provide the DNS configuration obtained from the SSL cert in ACM to the client and let them add it to their DNS records.
b) add the SSL cert to my CloudFront distribution.
c) the client adds a CNAME record for https://example.com pointing to the CloudFront distribution domain name (d8abcbdbwbd.cloudfront.net etc.)

Is it correct?

3.)
There is an SSL cert for domain myDomain.com.

my DNS Record

www.MyDomain.com.   A   123.120.110.1

Tom DNS Record

www.TomDomain.com.  A   123.120.110.2

If Tom adds my SSL cert to his DNS records, will an error occur on his side?


Solution

    1. What is the purpose of this step?

    Your quote explains why you have to do this: to validate that you own or control a domain.

    2. What will happen if I add this DNS configuration in other people's DNS record instead of mine?

    SSL will not be issued as validation of the domain will fail. You can only validate the SSL if you own (or control) a domain, in which case you can explicitly add CNAME records that ACM will give you to use for validation.

    Update:

    1. If you control both www.MyDomain.com and www.TomDomain.com then you can point them to the same IP. Thus, such a setup is possible.

    2. Yes. The CNAME generated by ACM for the verification will have to be added manually. Only if you use R53 to manage your domain can it be added automatically. Also remember that the SSL must be issued in the us-east-1 region.

    3. You can have different domains on a single certificate. Thus, if you register both these domains for SSL, two CNAME records will be generated for verification and you will have to add these records to their respective domains for verification.

    Below is an example with your two sample domains:


    Since I don't control any of them, after 72h, validation expires.
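As an added illustration of points 2 and 3 in the answer (this is not code from the question, the answer or AWS): a small Python model of why a validation CNAME only counts when it sits in the zone that owns the name, and why a multi-domain cert needs one record per domain. All record names, tokens, zone contents and IPs are constructed; a real check would query the domain's authoritative name servers, which the in-memory `zones` table stands in for here.

```python
# Model of ACM DNS validation with constructed data (not ACM's real names or values).
from dataclasses import dataclass

@dataclass(frozen=True)
class ValidationRecord:
    domain: str   # name on the certificate, e.g. "www.mydomain.com"
    name: str     # CNAME to create, e.g. "_token.www.mydomain.com."
    value: str    # CNAME target, e.g. "_token.acm-validations.aws."

def fqdn(name):
    """Normalise to a lower-case absolute DNS name."""
    return name.lower().rstrip(".") + "."

def acm_records(domains):
    """One validation CNAME per domain on the cert, as ACM lists them (tokens made up)."""
    return [ValidationRecord(d, f"_tok{i}.{fqdn(d)}", f"_val{i}.acm-validations.aws.")
            for i, d in enumerate(domains, 1)]

def owning_zone(name, zones):
    """Longest zone apex that is a suffix of `name`: only that zone can answer for it."""
    candidates = [z for z in zones if name == z or name.endswith("." + z)]
    return max(candidates, key=len) if candidates else None

def resolve_cname(name, zones):
    """Answer like a resolver: consult the owning zone, ignore copies in anyone else's zone."""
    rr = zones.get(owning_zone(name, zones), {}).get(name)
    return rr[1] if rr and rr[0] == "CNAME" else None

def validate(records, zones):
    """ACM's per-domain decision. `zones` maps apex -> {absolute name: (type, value)}."""
    status = {}
    for rec in records:
        target = resolve_cname(fqdn(rec.name), zones)
        if target is None:
            status[rec.domain] = "PENDING_VALIDATION"  # not in the zone that owns the name
        elif fqdn(target) != fqdn(rec.value):
            status[rec.domain] = "FAILED"              # CNAME exists but points elsewhere
        else:
            status[rec.domain] = "SUCCESS"
    return status

if __name__ == "__main__":
    recs = acm_records(["www.mydomain.com", "www.tomdomain.com"])
    zones = {  # my zone lacks my record; Tom pasted it into his zone instead (question 2)
        "mydomain.com.": {"www.mydomain.com.": ("A", "123.120.110.1")},
        "tomdomain.com.": {"www.tomdomain.com.": ("A", "123.120.110.2"),
                           recs[0].name: ("CNAME", recs[0].value),
                           recs[1].name: ("CNAME", recs[1].value)},
    }
    print(validate(recs, zones))  # {'www.mydomain.com': 'PENDING_VALIDATION', 'www.tomdomain.com': 'SUCCESS'}
```

Moving `recs[0]` into the `mydomain.com.` zone turns its status to `SUCCESS`; a copy in Tom's zone never helps, because a resolver never asks Tom's name servers about `mydomain.com` names.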