Verify an SSL/TLS certificate in Amazon Lightsail
Last updated: November 1, 2022
After you create an SSL/TLS certificate in Lightsail, you need to verify that you control all the domains and subdomains that you added to the certificate.
Step 1: Create a Lightsail DNS zone for your domain
If you haven't done so already, create a Lightsail DNS zone for your domain. For more information, see Creating a DNS zone to manage your domain’s DNS records in Amazon Lightsail
Step 2: Add records to your domain's DNS zone
The certificate that you created provides a set of canonical name (CNAME) records. You add these records to your domain's DNS zone to verify that you own or control that domain.
Lightsail will attempt to automatically verify that you control the domains or subdomains you specified while creating the certificate. After you select Create certificate, the CNAME records will be added to your domain's DNS zone. The certificate's status will change from Attempting to validate your certificate, to Valid, in use if automatic validation is successful.
Proceed to the following steps if automatic validation fails.
In the following steps, we'll show you how to get the CNAME records and add them to your domain's DNS zone in the Lightsail console.
Sign in to the Lightsail console.
On the Lightsail home page, choose Account on the top navigation menu.
Choose Account in the dropdown menu.
Choose the Certificates tab.
Find the certificate that you want to verify, and make note of the Name and Value of the CNAME records that you must add for each domain
Press Ctrl+C if you’re using Windows, or Cmd+C if you’re using Mac, to copy them to your clipboard.
Open a text editor, such as Notepad if you're using Windows, or TextEdit if you're using Mac. In the text file, press Ctrl+V if you’re using Windows, or Cmd+V if you’re using Mac, to paste the values into the text file.
Leave this text file open; you will need these CNAME values when adding the records to your domain's DNS zone later in this guide.
Choose Home on the top navigation bar of the Lightsail console.
Choose Domains & DNS on the Lightsail home page.
Choose the DNS zone for the domain that will use the certificate.
Choose Add record in the DNS records tab.
Choose CNAME for the record type.
Toggle to the text file that contains the CNAME records for your certificates.
Copy the Name of the CNAME record. For example,
Toggle to the DNS records page and paste the Name into the Record name field.
Adding a CNAME record that contains the domain name (such as
.example.com) will result in duplication of the domain name (such as
.example.com.example.com). To avoid duplication, edit the entry so that only the part of the CNAME that you need is added. This would be
Copy the Value of the CNAME record. For example,
Toggle to the DNS records page and paste the Value into the Route traffic to field.
Choose Save to add the record.
If you have alternate subdomains, choose Add record to add another record.
To learn more about alternate domains or subdomains, see Add alternate domains and subdomains to your SSL/TLS certificate in Amazon Lightsail.
Repeat steps 11 - 17 to add the CNAME record(s) for the alternate subdomains.
You can also add an alias (A) record to point to your load balancer, or other Lightsail resources while you're on the DNS zone management page.
When finished, your DNS zone should look like the following screenshot.
After some time, your domain is verified and you will see the following message on the certificate.
Once your domain is verified, you are ready to attach a validated SSL/TLS certificate to your Lightsail load balancer.