Provision SSL certification in anticipation of Netlify Transition

  • Name of site:

Hey Netlify Team,

We are planning a transition of our original domain to the Netlify DNS. We have our domain name and DNS set up in AWS Route53, and we would like a subdomain of to point to our production Netlify app.

We are going to need SSL certificates for * and * in order to support branch subdomains. The first is to provision branch subdomains. The second is to allow us to CNAME to point to the branch subdomain without any SSL issues.

Before we make this change, we want to test with our staging environment on a different domain with the same DNS and SSL setup.

Is this all possible with Netlify? Thanks for the help!

Zak Allen

howdy, sorry to be slow to reply. Is’s DNS managed by Netlify?

No worries! Not yet - we currently have our staging domain being managed by Netlify. We currently have an NS entry on Route 53 for pointing to Netlify.

Hi, @shogun_enterprises, automatic SSL for branch subdomains only works if the custom domain is using Netlify DNS.

This custom domain ( is not using Netlify DNS:

$ whois | grep "Name Server"
Name Server:
Name Server:
Name Server:
Name Server:
Name Server: NS-1239.AWSDNS-26.ORG
Name Server: NS-41.AWSDNS-05.COM
Name Server: NS-1917.AWSDNS-47.CO.UK
Name Server: NS-682.AWSDNS-21.NET

So the automatic SSL for branch subdomains won’t work for this domain and the following instructions apply instead:

The configuration you described above does work with Netlify DNS. However, for external DNS services there is a manual process for SSL (as detailed in the support guide above).

If you want to test our automatic SSL certificates for branch subdomains, Netlify DNS must be enabled first.

Please let us know if there are other questions about this.

So this only works if we have the top level domain DNS set to Netlify? We have the subdomain pointing to Netlify’s name servers, is that not sufficient (at least for the SSL certs underneath that domain like the branch domains like – I understand that requesting a * SSL certificate may be manual/impossible)? We were hoping to avoid transferring the TLD to Netlify as we use many Route53 specific features for our production domain.

Either way, thank you for linking that guide

Hey @shogun_enterprises,
It looks like you’ve gotten this working by delegating your subdomain to Netlify and enabling Netlify DNS in your Netlify team for this site. It may continue to work as-is but I would expect not great performance with this DNS configuration. This is not ideal:

$ host has address has address
Host not found: 2(SERVFAIL) <--- not good
Host not found: 2(SERVFAIL) <--- not good

and the error shown here: | DNSViz

As the guide @luke shared mentions, you don’t have to use Netlify DNS to get SSL for your branch subdomains working. You can keep your DNS at AWS and create a CNAME record there linking your subdomain to your Netlify site:

From there, you will have to follow the branch deploy guide and reach out to us for the final step of getting your SSL cert that includes whatever branches you add. It is more manual, but is also a supported and performant configuration. Let us know if you’d like to go that route!

As for a wildcard certificate, we automatically create those for sites that use Netlify DNS. If you are not using Netlify DNS, you will have to bring your own custom wildcard certificate; you can upload that in your site dashboard.
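One point worth checking before uploading a custom wildcard certificate is that a wildcard only stands in for a single DNS label, so a certificate for the parent domain does not cover branch subdomains one level further down. The following script is an added example written for this thread, not code from Netlify or from the original poster; `example.com`, `app.example.com` and `staging.app.example.com` are constructed placeholder names standing in for the domains elided above.

```python
"""Check whether a certificate's SAN names cover every hostname a branch-subdomain
setup needs, using the single-label wildcard rule (RFC 6125): *.example.com covers
app.example.com but NOT staging.app.example.com."""
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN entry (plain or leading-wildcard) matches the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    # The wildcard replaces exactly one leftmost label, and that label must be
    # non-empty and contain no dot; the bare parent name is never matched.
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers(san_names, hostname: str) -> bool:
    return any(wildcard_matches(p, hostname) for p in san_names)


def uncovered(san_names, hostnames):
    """Hostnames that the certificate would NOT be valid for."""
    return [h for h in hostnames if not cert_covers(san_names, h)]


def fetch_san_names(hostname: str, port: int = 443, timeout: float = 5.0):
    """Fetch the DNS SAN list the live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed scenario: app.example.com is delegated to Netlify and branch
    # deploys live at <branch>.app.example.com.
    needed = ["example.com", "app.example.com", "staging.app.example.com"]
    one_wildcard = ["example.com", "*.example.com"]
    two_wildcards = one_wildcard + ["*.app.example.com"]
    print("missing with one wildcard :", uncovered(one_wildcard, needed))
    print("missing with two wildcards:", uncovered(two_wildcards, needed))
```

Run `fetch_san_names("app.example.com")` (substituting the real name) against the deployed site to compare the SAN list actually served with the names your branch subdomains need.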