Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


You're using AWS, managing certificates through ACM, and DNS through Route53.

You want to create an ACM certificate using DNS validation, since you may not have email configured for the domain. And you want to automatically create the associated CNAME records for DNS validation in Route53. This mimics the "Create record in Route 53" button in the AWS Console (see DNS validation reference).

NOTE: this script was created for a single use case and may not function as intended for more general use. However, please feel free to modify it or submit PRs.


Creates an ACM certificate for a given domain name, with optional subject alternative names, using DNS validation.

Immediately creates the associated CNAME records for DNS validation in Route53. The script assumes that a Route 53 hosted zone tied to the domain exists (e.g. if you're creating a new certificate for, the script will create validation records in the hosted zone).

It will take a few minutes after you run the script for the certificate to be fully validated and issued.

By default, this creates ACM certificates in us-east-1, so that the certificates can be used by Cloudfront. You can pass in a custom region (see Usage section below).


Python Module

If you want to install as a python package, run:

pip install git+

Then, in your script:

from create_and_validate_acm_cert import DNSValidatedACMCertClient

cert_client = DNSValidatedACMCertClient(domain='') # defaults to using the 'default` aws profile on your machine and the 'us-east-1' aws region.
arn = cert_client.request_certificate()
# Create DNS validation records
# Wait for certificate to get to validation state before continuing
cert_client.wait_for_certificate_validation(certificate_arn=arn, sleep_time=5, timeout=600)

Command Line

First, you'll need to install the dependencies in requirements.txt:

pip install -r requirements.txt

Then, run the script:

python \
    --domain <domain> \
    --subject_alternative_names \
        <alternate name> \
        <another alternate name>

You can also pass a custom AWS profile name, or region:

python \
    --profile personal \
    --region us-east-1 \
    --domain <domain> \
    --subject_alternative_names \
        <alternate name> \
        <another alternate name>

Version History


  • Breaking change to package name (renamed from acm_factory -> create_and_validate_acm_cert)


I'm very grateful to the contributors to this tool, and the contributors to these libraries:

  • tldextract helps parse the TLD and domain portions of hosts.
  • boto3 makes working with the AWS API easy.


Creates an ACM certificate with DNS validation, creates the validation records directly in Route 53




No releases published


No packages published

Contributors 4