Issue SSL Certificate in AWS Certificate Manager with Shell Script

Yoshihiro ITO
2 min read, Dec 26, 2020


Today I will show how to issue an SSL/TLS certificate in AWS Certificate Manager (ACM) with a shell script.


Issuing a certificate in ACM is not something you do repeatedly, so I suspect many people do it by hand without putting it in IaC. Even as a manual task, clicking through the management console every time is tedious, so I scripted it with the AWS CLI.

How to issue a certificate in ACM with the AWS CLI

Before scripting it, let’s review how to issue a certificate with the AWS CLI.

Note: In this article I use AWS CLI v2, but you can also use v1.

1. Request a certificate

First, request a certificate from ACM. DNS validation is used so that ownership of the domain can be proven by publishing a CNAME record in Route 53 rather than by e-mail.

$ HOSTED_DOMAIN="<your-hosted-domain-name-on-route-53>"
$ TARGET_DOMAIN="<sub-domain-you-want-to-request>.${HOSTED_DOMAIN}"
$ aws acm request-certificate \
--domain-name ${TARGET_DOMAIN} \
--validation-method DNS

The ARN of the requested certificate is needed later, so store it in the variable CERT_ARN. Note that list-certificates returns every certificate whose domain matches, so if more than one certificate exists for TARGET_DOMAIN this query yields several ARNs; in that case pick the right one by hand (the request-certificate response above also contains the ARN directly).

$ CERT_ARN=$( \
aws acm list-certificates \
--query "CertificateSummaryList[?DomainName=='${TARGET_DOMAIN}'].CertificateArn" \
--output text ) \
&& echo "${CERT_ARN}"


2. Validate the domain

Second, create a record set in Route 53 to validate the domain. For this step you need the validation record that ACM assigned to the certificate: a CNAME name under your domain and a value under acm-validations.aws. Use the acm describe-certificate command to get both. ACM can take a few seconds after the request to populate ResourceRecord; if the output is None, wait briefly and run the command again.

$ VALIDATION_RECORD_NAME=$( \
aws acm describe-certificate \
--certificate-arn ${CERT_ARN} \
--query "Certificate.DomainValidationOptions[0].ResourceRecord.Name" \
--output text) \
&& VALIDATION_RECORD_VALUE=$( \
aws acm describe-certificate \
--certificate-arn ${CERT_ARN} \
--query "Certificate.DomainValidationOptions[0].ResourceRecord.Value" \
--output text) \
&& echo "VALIDATION_RECORD_NAME = ${VALIDATION_RECORD_NAME}"
VALIDATION_RECORD_NAME = _6709bba0b171XXXXXXXXXXXXXXXXXXXX.<your-domain>.

Then use route53 list-hosted-zones to get the HostedZoneId. Route 53 stores zone names with a trailing dot, so the query compares against "${HOSTED_DOMAIN}." rather than the bare name. If you have both a public and a private zone with the same name, this query returns two IDs and you must choose the public one.

$ HOSTED_ZONE_ID=$( \
aws route53 list-hosted-zones \
--query "HostedZones[?Name=='${HOSTED_DOMAIN}.'].Id" \
--output text) \
&& echo ${HOSTED_ZONE_ID}

Use the route53 change-resource-record-sets command to create the record set in Route 53. The action CREATE fails if a record with that name already exists (for example, when re-validating a renewed certificate); UPSERT would create or overwrite it instead.

$ aws route53 change-resource-record-sets \
--hosted-zone-id ${HOSTED_ZONE_ID} \
--change-batch "{
\"Changes\": [{
\"Action\": \"CREATE\",
\"ResourceRecordSet\": {
\"Name\": \"${VALIDATION_RECORD_NAME}\",
\"Type\": \"CNAME\",
\"TTL\": 300,
\"ResourceRecords\": [{\"Value\": \"${VALIDATION_RECORD_VALUE}\"}]
}
}]
}"

3. Check validation status

Use acm describe-certificate to check the validation status. It stays PENDING_VALIDATION until the CNAME has propagated and ACM has looked it up, then changes to SUCCESS (or FAILED); the certificate is usable once its overall Status is ISSUED.

$ aws acm describe-certificate \
--certificate-arn ${CERT_ARN} \
--query "Certificate.DomainValidationOptions[0].ValidationStatus" \
--output text

Scripting this process

Now, let’s make the steps up to this point into a shell script.
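The following script is added here as a worked example and is not the author's own script, which is not reproduced on this page. It implements the three steps above end to end for the same three arguments; the filename issue-acm-cert.sh is an assumption. It departs from the interactive commands where a practitioner would want it to: it takes the ARN from the request-certificate response instead of searching list-certificates, polls until ACM has populated the validation record, refuses to proceed if the target name is not inside the hosted zone, uses UPSERT so a re-run is idempotent, and waits with the acm certificate-validated waiter instead of polling by hand.

```shell
#!/usr/bin/env bash
# issue-acm-cert.sh (hypothetical filename): request an ACM certificate, publish
# the DNS validation CNAME in Route 53, and wait until the domain is validated.
# Usage: ./issue-acm-cert.sh <hosted-domain> <target-domain> <region>
set -eu

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# The validation CNAME must live in the zone that is authoritative for the
# target, so reject targets outside the hosted domain. Trailing dots are
# tolerated so that "example.com." and "example.com" compare equal.
check_domain_in_zone() {
  local zone="${1%.}" target="${2%.}"
  [ "$target" = "$zone" ] || [ "${target%.$zone}" != "$target" ]
}

# list-hosted-zones returns "/hostedzone/Z..."; use the bare ID for the change.
strip_zone_prefix() { printf '%s' "${1#/hostedzone/}"; }

# Change batch for the validation CNAME. UPSERT (instead of the CREATE used
# interactively) lets a re-run overwrite an existing record rather than fail.
build_change_batch() {
  local action="$1" name="$2" value="$3"
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$action" "$name" "$value"
}

# ResourceRecord can take a few seconds to appear after request-certificate,
# and "--output text" prints "None" for a null field, so poll for it.
get_validation_record() {
  local arn="$1" field="$2" attempt=0 v
  while [ "$attempt" -lt 12 ]; do
    v=$(aws acm describe-certificate --certificate-arn "$arn" \
          --query "Certificate.DomainValidationOptions[0].ResourceRecord.${field}" \
          --output text)
    if [ -n "$v" ] && [ "$v" != "None" ]; then printf '%s' "$v"; return 0; fi
    attempt=$((attempt + 1)); sleep 5
  done
  return 1
}

main() {
  [ $# -eq 3 ] || die "usage: $0 <hosted-domain> <target-domain> <region>"
  local hosted_domain="$1" target_domain="$2" region="$3"
  local cert_arn name value zone_id
  check_domain_in_zone "$hosted_domain" "$target_domain" \
    || die "$target_domain is not inside hosted zone $hosted_domain"
  # ACM is regional (a certificate for CloudFront must be in us-east-1);
  # Route 53 is global and ignores the region.
  export AWS_DEFAULT_REGION="$region"

  # 1. Request the certificate; the response carries the ARN, so there is no
  #    ambiguity when several certificates already exist for the domain.
  cert_arn=$(aws acm request-certificate --domain-name "$target_domain" \
               --validation-method DNS --query CertificateArn --output text)

  # 2. Publish the validation CNAME in the hosted zone.
  name=$(get_validation_record "$cert_arn" Name) || die "validation record not available yet"
  value=$(get_validation_record "$cert_arn" Value) || die "validation record not available yet"
  zone_id=$(aws route53 list-hosted-zones \
              --query "HostedZones[?Name=='${hosted_domain}.'].Id" --output text)
  [ -n "$zone_id" ] && [ "$zone_id" != "None" ] || die "hosted zone $hosted_domain not found"
  case $zone_id in *[[:space:]]*) die "several zones named $hosted_domain; pass a unique name" ;; esac
  zone_id=$(strip_zone_prefix "$zone_id")
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(build_change_batch UPSERT "$name" "$value")" >/dev/null

  # 3. Block until every domain on the certificate reports ValidationStatus
  #    SUCCESS (the waiter polls describe-certificate every 60 s, up to 40 times).
  aws acm wait certificate-validated --certificate-arn "$cert_arn"
  printf '%s\n' "$cert_arn"
}

# Run only when invoked with arguments, so the helpers can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it as ./issue-acm-cert.sh example.com www.example.com us-east-1; it prints the certificate ARN once validation has succeeded. The IAM identity running it needs acm:RequestCertificate, acm:DescribeCertificate, route53:ListHostedZones and route53:ChangeResourceRecordSets, and the last of these should be scoped to the single hosted zone rather than granted account-wide, since whoever can write records there can obtain certificates for every name in it.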

How to use this script?

It is easy to use this script.

Save it to a file, add execution permission with the chmod +x command, and run it as follows.

$ ./ <your-hosted-domain> <domain-you-want-to-issue-certificate> <region-you-want-to-issue>