Use AWS Certificate Manager to generate certificates.

1) Astral will do this on behalf of the end user.
2) Astral will verify that the end user is entitled to issue certs for the common name (consult the Domain Ownership Registry).
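One way to sequence the two steps, as an added example that is not Astral's own code: the entitlement check runs first and the ACM request is made only if it passes. The registry is modelled as a plain owner-to-domains mapping (an assumption, since the page does not describe the Domain Ownership Registry's interface), ownership of a domain is assumed to cover its subdomains, and `acm_client` is expected to be a boto3 ACM client.

```python
# Constructed sample registry: owner id -> domains the owner has proven control of.
# Hypothetical shape; the real Domain Ownership Registry is not described on this page.
SAMPLE_REGISTRY = {
    "user-1": {"example.com"},
    "user-2": {"shop.example.net"},
}


class NotEntitled(Exception):
    """Raised when the requester is not registered for the requested common name."""


def normalize(name):
    """Lower-case and drop surrounding whitespace and a trailing dot before comparing."""
    return name.strip().rstrip(".").lower()


def is_entitled(owner, common_name, registry):
    """True if `owner` is registered for `common_name` or for a parent domain of it."""
    name = normalize(common_name)
    if name.startswith("*."):
        name = name[2:]  # a wildcard requires ownership of its base domain
    if not name or "*" in name or ".." in name:
        return False  # reject embedded wildcards and empty labels
    owned = {normalize(d) for d in registry.get(owner, ())}
    labels = name.split(".")
    # Compare whole labels only, so "evilexample.com" never matches "example.com".
    # The bare TLD is excluded from the candidates.
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    return bool(owned & candidates)


def issue_certificate(owner, common_name, registry, acm_client):
    """Request a DNS-validated ACM certificate only after the entitlement check."""
    if not is_entitled(owner, common_name, registry):
        raise NotEntitled(f"{owner} is not registered for {common_name!r}")
    # request_certificate is the boto3 ACM call; the caller supplies the client.
    resp = acm_client.request_certificate(
        DomainName=normalize(common_name), ValidationMethod="DNS"
    )
    return resp["CertificateArn"]
```

ACM's own DNS validation still applies after this call; the registry check only decides whether Astral submits the request for that user at all.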