Verify an SSL/TLS certificate in Amazon Lightsail

Last updated: January 18, 2019

After you create your Lightsail load balancer and create a certificate, you need to verify that you control all the domains and subdomains where you want to have encrypted (HTTPS) traffic.


For more information about Lightsail load balancers, see Amazon Lightsail load balancers.


Step 1: Create a Lightsail DNS zone for your domain

If you haven't done so already, create a Lightsail DNS zone for your domain. For more information, see Creating a DNS zone to manage your domain’s DNS records in Amazon Lightsail.

Step 2: Add records to your domain's DNS zone

The certificate that you created in the Lightsail load balancer provides a set of canonical name (CNAME) records. You add these records to your domain's DNS zone to validate that you own or control that domain. In the following steps, we'll show you how to get the CNAME records and add them to your domain's DNS zone in the Lightsail console.

  1. Sign in to the Lightsail console.

  2. On the Lightsail home page, choose the Networking tab.

  3. Choose the load balancer that you want to manage.

  4. Choose the Inbound traffic tab.

  5. Scroll to the Certificates section of the page, then highlight all of the CNAME records displayed on the page, including the records for alternate domains and subdomains.

    Press Ctrl+C if you’re using Windows, or Cmd+C if you’re using Mac, to copy them to your clipboard.

    Certificate pending validation with domains and subdomains.
  6. Open a text editor, such as Notepad if you're using Windows, or TextEdit if you're using Mac. In the text file, press Ctrl+V if you’re using Windows, or Cmd+V if you’re using Mac, to paste the values into the text file.

    Leave this text file open; you will need these CNAME values when adding the records to your domain's DNS zone later in this guide.

    Text file with certificate CNAME records.
  7. Choose Home on the top navigation bar of the Lightsail console.

  8. Choose Networking on the Lightsail home page.

  9. Choose the DNS zone for the domain that will use the certificates.

  10. Choose Add record to add the first CNAME record.

  11. Choose CNAME for the record type.

  12. Toggle to the text file that contains the CNAME records for your certificates.

    Copy the Name of the CNAME record. For example, _1bfb0b9ef15a50f9041e559d2c67b760.example.com..

  13. Toggle to the DNS Zone management page and paste the Name into the Subdomain field.


    Adding a CNAME record that contains the domain name (such as .example.com) will result in duplication of the domain name (such as .example.com.example.com). To avoid duplication, edit the entry so that only the part of the CNAME that you need is added. This would be _1bfb0b9ef15a50f9041e559d2c67b760.

  14. Copy the Value of the CNAME record. For example, _c9a0c385eda13283350e35f297469a13.hkvuiqjoua.acm-validations.aws..

  15. Toggle to the DNS Zone management page and paste the Value into the Maps to field.

  16. Choose the Save icon to add the record.

  17. If you have alternate subdomains, choose Add record to add another record.


    To learn more about alternate domains or subdomains, see Add alternate domains and subdomains to your SSL/TLS certificate in Amazon Lightsail.

  18. Repeat steps 11 - 16 to add the CNAME record(s) for the alternate subdomains.

    You can also add an alias (A) record to point to your load balancer while you're on the DNS zone management page.

    When finished, your DNS zone should look like the following screenshot.

    CNAMES in Lightsail ready to be submitted for validation.

    After some time, your domain is verified and you will see the following message on the Inbound traffic tab of the load balancer management page.

    Successful validation of domain.
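
The name handling in steps 12 to 15 can be checked before you type anything into the console. The following is an added example, not part of the original Lightsail guide: the function names are hypothetical, the second sample record is constructed, and the check on the Value assumes every validation target ends like the example on this page (acm-validations.aws).

```python
# Added example: derive Lightsail DNS zone entries from certificate CNAME records.
VALIDATION_SUFFIX = "acm-validations.aws"  # assumption: taken from the page's example Value

# Constructed sample input. The first pair is the example on this page,
# the second pair (an alternate subdomain) is made up for illustration.
SAMPLE_RECORDS = [
    ("_1bfb0b9ef15a50f9041e559d2c67b760.example.com.",
     "_c9a0c385eda13283350e35f297469a13.hkvuiqjoua.acm-validations.aws."),
    ("_0123456789abcdef0123456789abcdef.www.example.com.",
     "_fedcba9876543210fedcba9876543210.hkvuiqjoua.acm-validations.aws."),
]


def norm(name):
    """Lower-case a DNS name and drop surrounding whitespace and the root dot."""
    return name.strip().lower().rstrip(".")


def subdomain_field(record_name, zone):
    """Part of the CNAME Name to paste into Subdomain (zone suffix removed)."""
    name, zone = norm(record_name), norm(zone)
    if not name.endswith("." + zone):
        raise ValueError(f"{record_name!r} is not a subdomain of {zone!r}")
    return name[: -len(zone) - 1]


def is_duplicated(published_name, zone):
    """True if a saved record name repeats the zone, e.g. x.example.com.example.com."""
    zone = norm(zone)
    return norm(published_name).endswith(f".{zone}.{zone}")


def plan(records, zone):
    """Return (Subdomain, Maps to) pairs, rejecting values that are not validation targets."""
    rows = []
    for name, value in records:
        if not norm(value).endswith("." + VALIDATION_SUFFIX):
            raise ValueError(f"unexpected CNAME value: {value!r}")
        rows.append((subdomain_field(name, zone), value.strip()))
    return rows


if __name__ == "__main__":
    for sub, target in plan(SAMPLE_RECORDS, "example.com"):
        print(f"Subdomain: {sub:45} Maps to: {target}")
```

A record saved with the duplicated domain name never matches the name the certificate expects, so running is_duplicated over the names in your DNS zone is a quick check when validation stays pending.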

Next step

Once your domain is verified, you are ready to attach a validated SSL/TLS certificate to your Lightsail load balancer.