What should the security engineer do to correct this issue?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company uses AWS Certificate Manager (ACM) to automate the renewal of SSL/TLS certificates that the company’s Elastic Load Balancers use.The company recently noticed that ACM was unable to automatically renew some certificates.These certificates have a status of “pending validation” in the ACM console.A security engineer configured the certificates by using DNS validation.The security engineer has verified that the existing certificates have not expired.

What should the security engineer do to correct this issue?

Manually validate ownership of each domain in the ACM console.

Verify that the DNS CNAME for each domain matches the ACM certificate CNAME record.

Export and then reimport the certificates into ACM.

Validate the ownership of each domain by using email validation.

Explanations:

Manually validating ownership is not required since DNS validation was already configured. The issue likely lies with DNS records not being correctly updated or verified.

The “pending validation” status indicates that the DNS validation CNAME record may not be properly set or is not matching the expected value. Verifying the DNS CNAME ensures that the correct validation record is present for ACM to validate ownership.

Exporting and reimporting the certificates does not resolve DNS validation issues. The problem is with the validation process, not with the certificates themselves.

The security engineer has already configured DNS validation. Switching to email validation would not address the current issue and would require reconfiguration of the validation method.

2025-10-15

1 Comment

  1. Susan
    Author

    I value that the answer is:
    Verify that the DNS CNAME for each domain matches the ACM certificate CNAME record.

Leave a Reply to Susan Cancel reply

Your email address will not be published. Required fields are marked *

18 + nineteen =