2 Answers
Interesting.
As always, when in doubt check the doco.
– https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html
Thinking it through:
The Cert is issued for the domain / zone.
When you create the Cert, you need to prove that you own/control the Zone. This does not require it to be an AWS Domain (I have several with different domain authorities).
Once the certificate is issued, renewal is about refreshing the CA authority and issuing new public key hashes. That is done by the CA, not the Zone or DNS.
I will need to research this more to see if I have it right or not 🙂
– circa 2019 https://docs.aws.amazon.com/acm/latest/userguide/acm-ug.pdf
Nothing authoritative. I guess we will each need to test it 😀
Rusty
Moderator
Just wanted to drop some extra points into this!
ACM is happy to work with a Domain name from any registrar, hosted by any DNS service. The only thing you need is to have your domain verified for it to work with Route 53.
In terms of the auto-renewal, as long as your domain is validated, and you’re only using the certificates on AWS native services like CloudFront or Elastic Load Balancers, it will work without an issue. Where the auto-renewal doesn’t work is if you export the certificate from ACM (incurring a cost), and install it directly within an EC2 instance, or something similar. Since ACM doesn’t have the ability to reach that certificate, it can’t be automatically renewed, and instead would have to be done manually.
We’ve left some notes to update the course to this as well; hope this clarifies your queries!
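As an added example (not code from this thread or from AWS), a small audit script that applies the rule Rusty describes: it flags certificates in an account that ACM's managed renewal will not cover (not attached to any AWS service, marked ineligible, not validated, or close to expiry). It uses the field names of ACM's DescribeCertificate response; the sample records and the `audit_account` helper are assumptions I added.

```python
# Added example: flag ACM certificates that managed renewal will NOT take care of.
# Field names follow ACM's DescribeCertificate response; sample records are constructed.
from datetime import datetime, timedelta, timezone

def renewal_findings(cert, now, warn_days=30):
    """Reasons a cert needs manual attention (empty list = ACM will renew it).
    ACM only auto-renews validated, ACM-issued certs that are in use by an
    integrated service such as CloudFront or an Elastic Load Balancer."""
    findings = []
    if cert.get("Type") == "IMPORTED":
        findings.append("imported certificate: ACM never renews it")
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        findings.append("ACM reports it ineligible for managed renewal")
    if not cert.get("InUseBy"):
        findings.append("not attached to any AWS service (e.g. exported to EC2); "
                        "renew manually")
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationStatus") != "SUCCESS":
            findings.append(f"{opt['DomainName']} not validated "
                            f"({opt.get('ValidationStatus')})")
    not_after = cert.get("NotAfter")
    if not_after and not_after - now < timedelta(days=warn_days):
        findings.append(f"expires within {warn_days} days ({not_after:%Y-%m-%d})")
    return findings

def audit_account(region):
    """Same check against a live account (assumed helper; needs boto3 and acm:List/Describe rights)."""
    import boto3
    acm = boto3.client("acm", region_name=region)
    now = datetime.now(timezone.utc)
    return {s["CertificateArn"]: renewal_findings(
                acm.describe_certificate(CertificateArn=s["CertificateArn"])["Certificate"], now)
            for page in acm.get_paginator("list_certificates").paginate()
            for s in page["CertificateSummaryList"]}

# Constructed samples: one healthy cert on CloudFront, one unattached cert near expiry.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/aaaa",
     "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "InUseBy": ["arn:aws:cloudfront::111122223333:distribution/EXAMPLE"],
     "NotAfter": NOW + timedelta(days=200),
     "DomainValidationOptions": [{"DomainName": "www.example.com",
                                  "ValidationStatus": "SUCCESS"}]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/bbbb",
     "Type": "AMAZON_ISSUED", "RenewalEligibility": "INELIGIBLE", "InUseBy": [],
     "NotAfter": NOW + timedelta(days=20),
     "DomainValidationOptions": [{"DomainName": "api.example.com",
                                  "ValidationStatus": "SUCCESS"}]},
]
```

Running `renewal_findings` over `SAMPLE_CERTS` returns nothing for the CloudFront-attached certificate and three findings for the unattached one; `audit_account("us-east-1")` does the same over a real account.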