How to create certificates for https with Passle

Sophia

If you want your website to be accessible securely, it needs an SSL certificate, which enables web browsers to confirm the site is genuinely who it claims to be. With this certificate, the website can be accessed via https in addition to http.

Our cloud provider, Amazon Web Services (AWS), creates and manages SSL certificates for us, but it does, of course, need to be authorised to do so (since you would not want just anybody to be able to create and manage certificates for your domain). This authorisation takes the form of your organisation proving that it controls the domain the certificate is for, by creating specific DNS entries.

Why we ask you to create a DNS entry

When we ask AWS to create a certificate for the domain *.example.com, AWS needs Passle to arrange for a DNS entry to be created under that domain, with a long, unguessable name such as _4aa3930127e6ca09111afd3b112f3c67.example.com. This DNS entry is a CNAME pointing at a name that does not otherwise exist, such as _5f306a634c85653061c280155801050c.acm-validations.aws.

Only your organisation (specifically, your Technical Team colleagues) can create DNS entries for your domain, so no one else can provide AWS with this authorisation.

Once you have created the appropriate DNS record(s), AWS will detect this and create the requested certificate. In addition, when the certificate is due for renewal, AWS will renew it automatically, with no additional input or work required.

Certificate auto-renewal requires DNS validation, so please retain the certificate CNAMEs rather than deleting them.

If a CNAME is no longer in place and DNS validation fails, we will contact you to request that the relevant CNAME is reinstated.


Wildcard certificates

  • You will notice that in the above example the certificate was described as being for *.example.com. The ‘*’ means that any word can be substituted for the asterisk, so this wildcard certificate will work for insights.example.com, thoughtleadership.example.com, blog.example.com, or any other subdomain name you may choose.

    If/when you need to add a new Passle or change the subdomain name of your existing Passle, the certificate will continue to work (with no additional steps required).

    The alternative is a non-wildcard certificate, in which case the certificate covers only the single, specific current domain name, such as insights.example.com. That works perfectly until a second Passle needs to be added.

    If the need should arise to add an additional Passle, e.g. thoughtleadership.example.com, we would provide you with new DNS entries to share with your Technical Team colleagues for set-up.

    Equally, if the need arose to change from e.g. insights.example.com to blog.example.com, we would provide you with new DNS entries to share with your Technical Team colleagues for set-up.

  • This is entirely up to you! A wildcard certificate, as described above, can be a lot simpler in many ways. No extra work is required if/when changes to, or additional, Passle pages are needed: just set up a wildcard certificate once and never think about it again.

  • Some may be concerned that a wildcard certificate for *.example.com could in theory work for www.example.com, but rest assured, there is nothing Passle can do with this. www.example.com would not be pointing at our Passle web servers, so there would be no opportunity for Passle to 'pretend to be' www.example.com (or any other *.example.com name you have not delegated to us) with such a wildcard certificate.

    Some companies may have policies that state wildcard certificate(s) should not be created (e.g. if you do not need a wildcard domain then you should not have one). This is OK with Passle; we are happy to work with your requirements.

Certificate creation

  • Amazon Web Services = AWS

    AWS Certificate Manager = ACM

    Passle utilises Amazon Web Services’ Certificate Manager service to create, and manage the renewal of, the SSL certificates which secure your (our clients’) Passle pages.

  • Creation and renewal of SSL certificates is achieved via DNS validation.

    When setting up a subdomain for your Passle (hub) page, AWS Certificate Manager enables Passle to provide you with (one or more) CNAME records, which you add to your DNS and which must match the data held in Passle’s AWS Certificate Manager account. Each CNAME contains a unique key-value pair, i.e. proof of domain ownership/control.

    Read more about AWS Certificate Manager DNS validation
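    A check your Technical Team can run against an export of your zone, both before telling Passle the records are in place and periodically so that they survive until renewal (see "Why we ask you to create a DNS entry" above). This is an added example, not Passle's or AWS's own tooling: it parses dig/zone-export style lines and flags the mistakes that most often make DNS validation fail. Only the first name/target pair is the page's own illustration; every other record value is a constructed placeholder.

```python
def normalise(name: str) -> str:
    """DNS names are case-insensitive and the trailing dot is optional."""
    return name.strip().rstrip(".").lower()

def parse_zone(text: str) -> list[tuple[str, str, str]]:
    """Parse 'name [TTL] [IN] TYPE value' lines (dig / zone export) into (name, type, value)."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()            # drop comments and blank lines
        if not line:
            continue
        name, *rest = line.split()
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                              # skip optional TTL and class
        records.append((normalise(name), rest[0].upper(), normalise(" ".join(rest[1:]))))
    return records

def check_validation_cnames(required: dict[str, str], zone) -> dict[str, str]:
    """Return {validation name: 'ok' | problem} for every CNAME ACM expects."""
    by_name: dict[str, list] = {}
    for name, rtype, value in zone:
        by_name.setdefault(name, []).append((rtype, value))
    report = {}
    for name, target in required.items():
        n, t = normalise(name), normalise(target)
        found = by_name.get(n, [])
        if not found:
            # Frequent console mistake: the zone apex gets appended a second time.
            doubled = [x for x in by_name if x.startswith(n + ".")]
            report[n] = f"missing (found {doubled[0]}: zone name appended twice?)" if doubled else "missing"
        elif found[0][0] != "CNAME":
            report[n] = f"wrong type {found[0][0]} (must be CNAME)"
        elif found[0][1] != t:
            report[n] = f"wrong target {found[0][1]}"
        else:
            report[n] = "ok"
    return report

# Constructed inputs: the first pair is the page's own illustration, the rest are placeholders.
REQUIRED = {
    "_4aa3930127e6ca09111afd3b112f3c67.example.com": "_5f306a634c85653061c280155801050c.acm-validations.aws",
    "_aaaa1111placeholder.example.com": "_bbbb2222placeholder.acm-validations.aws",
    "_cccc3333placeholder.example.com": "_dddd4444placeholder.acm-validations.aws",
}
ZONE_EXPORT = """; constructed export of the example.com zone
_4aa3930127e6ca09111afd3b112f3c67.example.com. 300 IN CNAME _5F306A634C85653061C280155801050C.acm-validations.aws.
_aaaa1111placeholder.example.com.example.com. 300 IN CNAME _bbbb2222placeholder.acm-validations.aws.
_cccc3333placeholder.example.com. 300 IN TXT "_dddd4444placeholder.acm-validations.aws"
"""
```

Running `check_validation_cnames(REQUIRED, parse_zone(ZONE_EXPORT))` reports the first record as ok, the second as missing because the apex was appended twice, and the third as the wrong record type.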

Certificate characteristics

Certificates provided by AWS Certificate Manager have the following characteristics:

  • AWS Certificate Manager certificates are valid for 198 days.

    Since 18th February 2026, ACM certificates have a maximum validity period of 198 days (reduced from the previous 395 days).

    This change complies with the new CA/Browser Forum-mandated requirement that public certificates be valid for 200 days or less, effective from 15th March 2026.

    Existing 395-day certificates remain valid until renewal.

    Read more from CA/Browser Forum about (present and planned) Certificate operational periods and key pair usage periods

  • ACM public certificates are trusted by all major browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari (Java also trusts ACM certificates).

    Browsers display a lock icon when connected by TLS to sites using ACM certificates.

  • Public certificates requested through ACM come from Amazon Trust Services, an Amazon-managed public certificate authority (CA).

    Read more about AWS Certificate Manager public certificate characteristics and limitations

  • ACM manages the renewal and provisioning of ACM certificates. Automatic certificate renewal reduces the potential for downtime caused by, for example, misconfigured, revoked, or expired certificates.

  • Certificates are renewed automatically (using DNS validation).

    If a certificate’s expiration is approaching but the CNAME for DNS validation is no longer in place, email notices are sent to the Passle team. We would then contact you to advise that your Passle Pages SSL certificate is due to expire and request that the relevant CNAME is reinstated.

    If you no longer wish to retain your subdomain, or no longer want the SSL certificate auto-renewed, simply remove the corresponding CNAMEs that were set up in your DNS (for the Passle page and for SSL).

    Read more about Managed certificate renewal in AWS Certificate Manager.
