Creates an ACM certificate with DNS validation, creates the validation records directly in Route 53


You're using AWS, managing certificates through ACM, and DNS through Route53.

You want to create an ACM certificate using DNS validation, since you may not have email configured for the domain. And you want to automatically create the associated CNAME records for DNS validation in Route53. This mimics the "Create record in Route 53" button in the AWS Console (see DNS validation reference).

NOTE: this script was created for a single use case and may not function as intended for more general use. However, please feel free to modify it or submit PRs.


Creates an ACM certificate for a given domain name, with optional subject alternative names, using DNS validation.

Immediately creates the associated CNAME records for DNS validation in Route53. The script assumes that a Route 53 hosted zone tied to the domain exists (e.g. if you're creating a new certificate for, the script will create validation records in the hosted zone).

It will take a few minutes after you run the script for the certificate to be fully validated and issued.

By default, this creates ACM certificates in us-east-1, so that the certificates can be used by CloudFront (which only accepts ACM certificates from that region). You can pass in a custom region (see Usage section below).
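As an added example (not code from this repository), here is the record-building step the description above refers to, written against the response shapes boto3 returns for acm.describe_certificate and route53.list_hosted_zones: it picks the most specific hosted zone for each validation CNAME, collapses the duplicate record ACM issues for an apex and its wildcard, and refuses to proceed when ACM has not yet populated the validation records. Hosted zone ids, validation names and tokens in the sample data are constructed placeholders.

```python
"""Build Route 53 UPSERTs for ACM DNS validation from a DescribeCertificate response."""
from typing import Dict, List

def choose_hosted_zone(record_name: str, zones: List[dict]) -> str:
    """Return the id of the most specific hosted zone whose name is a suffix of record_name.
    zones is the HostedZones list from route53.list_hosted_zones()."""
    name = record_name.lower().rstrip(".") + "."
    best = None
    for zone in zones:
        zname = zone["Name"].lower()
        if (name == zname or name.endswith("." + zname)) and (best is None or len(zname) > len(best["Name"])):
            best = zone
    if best is None:
        raise LookupError(f"no hosted zone covers {record_name}")
    return best["Id"].split("/")[-1]  # "/hostedzone/Z123" -> "Z123"

def build_change_batches(describe_response: dict, zones: List[dict]) -> Dict[str, dict]:
    """Map hosted zone id -> ChangeBatch, one UPSERT per distinct validation CNAME.
    ACM issues the same CNAME for an apex and its wildcard, so duplicates are collapsed."""
    batches: Dict[str, dict] = {}
    seen = set()
    for opt in describe_response["Certificate"]["DomainValidationOptions"]:
        record = opt.get("ResourceRecord")
        if record is None:  # ACM fills this in a few seconds after RequestCertificate
            raise RuntimeError(f"validation record for {opt['DomainName']} not yet available; retry")
        if (record["Name"], record["Value"]) in seen:
            continue
        seen.add((record["Name"], record["Value"]))
        zone_id = choose_hosted_zone(record["Name"], zones)
        batches.setdefault(zone_id, {"Comment": "ACM DNS validation", "Changes": []})["Changes"].append({
            "Action": "UPSERT",
            "ResourceRecordSet": {"Name": record["Name"], "Type": record["Type"], "TTL": 300,
                                  "ResourceRecords": [{"Value": record["Value"]}]},
        })
    return batches

# Constructed sample data shaped like the boto3 responses (placeholder zone ids and tokens).
SAMPLE_ZONES = [{"Id": "/hostedzone/ZAPEX000", "Name": "example.com."},
                {"Id": "/hostedzone/ZSUB0000", "Name": "sub.example.com."}]
SAMPLE_CERT = {"Certificate": {"DomainValidationOptions": [
    {"DomainName": "example.com", "ResourceRecord": {"Name": "_abc.example.com.", "Type": "CNAME", "Value": "_t1.acm-validations.aws."}},
    {"DomainName": "*.example.com", "ResourceRecord": {"Name": "_abc.example.com.", "Type": "CNAME", "Value": "_t1.acm-validations.aws."}},
    {"DomainName": "api.sub.example.com", "ResourceRecord": {"Name": "_def.api.sub.example.com.", "Type": "CNAME", "Value": "_t2.acm-validations.aws."}},
]}}

if __name__ == "__main__":  # live run: apply the batches, then wait for issuance
    import boto3
    acm, r53 = boto3.client("acm", region_name="us-east-1"), boto3.client("route53")
    arn = "<certificate arn>"  # placeholder: the ARN returned by acm.request_certificate
    for zone_id, batch in build_change_batches(acm.describe_certificate(CertificateArn=arn), r53.list_hosted_zones()["HostedZones"]).items():
        r53.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=batch)
    acm.get_waiter("certificate_validated").wait(CertificateArn=arn)
```

The offline part (the two functions and the sample data) runs without AWS credentials; only the `__main__` block talks to ACM and Route 53.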


Python Module

If you want to install as a python package, run:

pip install git+

Then, in your script:

from create_and_validate_acm_cert import DNSValidatedACMCertClient

cert_client = DNSValidatedACMCertClient(domain='') # defaults to using the 'default' aws profile on your machine and the 'us-east-1' aws region.
arn = cert_client.request_certificate()
# Create DNS validation records
# Wait for certificate to get to validation state before continuing
cert_client.wait_for_certificate_validation(certificate_arn=arn, sleep_time=5, timeout=600)

Command Line

First, you'll need to install the dependencies in requirements.txt:

pip install -r requirements.txt

Then, run the script:

python \
    --domain <domain> \
    --subject_alternative_names \
        <alternate name> \
        <another alternate name>

You can also pass a custom AWS profile name, or region:

python \
    --profile personal \
    --region us-east-1 \
    --domain <domain> \
    --subject_alternative_names \
        <alternate name> \
        <another alternate name>

Version History


  • Breaking change to package name (renamed from acm_factory -> create_and_validate_acm_cert)


I'm very grateful to the contributors to this tool, and the contributors to these libraries:

  • tldextract helps parse the TLD and domain portions of hosts.
  • boto3 makes working with the AWS API easy.