1

I received an email from AWS that instructs me to renew my SSL certificate for my domain.

My certificate is managed by ACM and my DNS is hosted in Route 53.

I follow the instructions provided on this page (I'm using DNS verification):

https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html

However, after I follow the instructions I can see that the new certificate has appeared in ACM:

Status: Issued
In Use: No
Renewal eligibility: Ineligible

I can also see that in Route 53 a new CNAME record has been added.

Now, the document that outlines the steps to renew the certificate doesn't provide any next steps OR, if no extra steps are required, what the process is after the new certificate has been renewed.

My assumption is that once the old certificate expires, the new one automatically takes over, but I have no way of telling whether this is actually what is going to happen.

Are there any other steps I need to take after renewing a certificate in ACM with Route 53 CNAME validation?

Luke

1 Answer

2

It isn't apparent exactly why, but you didn't actually "renew" your certificate -- it appears you were issued a new one.

This is actually better than renewing because verifying the transition is easier.

You'll need to go to the services using the cert (Load Balancers, Beanstalk, CloudFront, API Gateway) and reconfigure them to use the new cert. Once complete, "In use?" on the old cert changes to "No" and the new one says "Yes."

Michael - sqlbot
  • Hi. Thanks for that. You are correct. In my ELB I can choose which certificate to use. Apparently the new cert was already selected for me automatically. Just wish the docs would say this... :) – Luke Sep 24 '19 at 06:29
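A way to verify the cutover the answer describes, as an added example that is not part of the original thread: it reads the `InUseBy`, `Status` and `NotAfter` fields that ACM's DescribeCertificate returns and lists every resource still attached to a certificate other than the newest issued one for the same domain. The sample ARNs and dates are constructed, matching certificates on `DomainName` alone (ignoring SANs) is a simplifying assumption, and `cutover_plan` and `fetch_certs` are names chosen for this example.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the "Certificate" object returned by
# ACM DescribeCertificate. ARNs, account id and dates are made up.
SAMPLE = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/old-example",
     "DomainName": "example.com", "Status": "ISSUED",
     "NotAfter": datetime(2019, 10, 1, tzinfo=timezone.utc),
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/abc"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/new-example",
     "DomainName": "example.com", "Status": "ISSUED",
     "NotAfter": datetime(2020, 10, 24, tzinfo=timezone.utc),
     "InUseBy": []},
]

def cutover_plan(certs):
    """Per domain, pick the ISSUED certificate that expires last and list
    every resource still attached to any other certificate for that domain."""
    by_domain = {}
    for cert in certs:
        by_domain.setdefault(cert["DomainName"], []).append(cert)
    plan = {}
    for domain, group in by_domain.items():
        issued = [c for c in group if c["Status"] == "ISSUED"]
        if not issued:
            continue  # nothing valid to move to; needs manual attention
        newest = max(issued, key=lambda c: c["NotAfter"])
        stale = [(arn, c["CertificateArn"])
                 for c in group if c is not newest
                 for arn in c.get("InUseBy", [])]
        plan[domain] = {
            "target": newest["CertificateArn"],          # cert to attach
            "repoint": stale,                            # (resource, old cert)
            "target_in_use": bool(newest.get("InUseBy")),
            "done": not stale,
        }
    return plan

def fetch_certs(region):
    """Live variant (assumes boto3 is installed and the caller has
    acm:ListCertificates and acm:DescribeCertificate)."""
    import boto3
    acm = boto3.client("acm", region_name=region)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            detail = acm.describe_certificate(CertificateArn=summary["CertificateArn"])
            certs.append(detail["Certificate"])
    return certs
```

ACM certificates are regional, so run `cutover_plan(fetch_certs(region))` for each region in use; certificates attached to CloudFront live in us-east-1.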