For foo.com (which I own via R53, and associated hosted zone). Creating certificate cert.foo.com (and validating R53 records) works OK.
foo.com
cert.foo.com
Now
