diff --git a/aws_acm_certificates.tf b/aws_acm_certificates.tf
index 1d578df..62f4b3e 100644
--- a/aws_acm_certificates.tf
+++ b/aws_acm_certificates.tf
@@ -10,6 +10,7 @@ resource "aws_acm_certificate" "certificate" {
 }
 
 resource "aws_acm_certificate_validation" "cert" {
+ count = var.whitelabel_domain ? 0 : 1
 provider = aws.cloudfront
 certificate_arn = aws_acm_certificate.certificate.arn
 validation_record_fqdns = [for record in aws_route53_record.certificate_validation : record.fqdn]
diff --git a/aws_cloudfront_distribution.tf b/aws_cloudfront_distribution.tf
index b103e67..c4cecf0 100644
--- a/aws_cloudfront_distribution.tf
+++ b/aws_cloudfront_distribution.tf
@@ -16,7 +16,7 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 
 viewer_certificate {
 cloudfront_default_certificate = var.use_cloudfront_default_certificate
- acm_certificate_arn = aws_acm_certificate.certificate.arn
+ acm_certificate_arn = var.use_cloudfront_default_certificate ? "" : aws_acm_certificate.certificate.arn
 ssl_support_method = "sni-only"
 minimum_protocol_version = var.minimum_protocol_version
 }
@@ -28,9 +28,7 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 response_page_path = "/index.html"
 }
 
- aliases = [
- var.distribution_fqdn
- ]
+ aliases = var.use_cloudfront_default_certificate ? [] : [var.distribution_fqdn]
 
 logging_config {
 bucket = module.bucket_cloudwatch_logs_backup.s3_bucket_bucket_domain_name
diff --git a/outputs.tf b/outputs.tf
index 5779ef8..264bd8b 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -11,5 +11,5 @@ output "identity" {
 }
 
 output "domain_validations" {
- value = aws_route53_record.certificate_validation
+ value = aws_acm_certificate.certificate.domain_validation_options
 }
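Review bot: The validation resource is switched off by `var.whitelabel_domain`, while the distribution in aws_cloudfront_distribution.tf keys its certificate choice on `var.use_cloudfront_default_certificate` and reads `aws_acm_certificate.certificate.arn` directly, so with `whitelabel_domain = true` and the default certificate off nothing in the module waits for the certificate to be issued. CloudFront will presumably reject a certificate that is still pending validation, so the first apply for a whitelabel domain is likely to fail until the domain owner has published the validation records. If that is the intended flow, a comment on the new line would make it explicit, e.g. `# whitelabel domains: DNS is managed outside this module; the domain owner completes validation using output "domain_validations"`. `validation_record_fqdns` still iterates `aws_route53_record.certificate_validation`; whether that resource is gated the same way is not visible in this hunk.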
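Review bot: In `viewer_certificate`, `ssl_support_method` and `minimum_protocol_version` are still set unconditionally, so with `use_cloudfront_default_certificate = true` the block mixes default-certificate and custom-certificate settings. As far as I know CloudFront pins the default `*.cloudfront.net` certificate to the TLSv1 policy, so `var.minimum_protocol_version` is not enforced in that mode and may surface as a recurring plan diff; that weaker TLS floor deserves a comment here or a note in the variable description. I would also omit the argument with `null` rather than an empty string, `acm_certificate_arn = var.use_cloudfront_default_certificate ? null : aws_acm_certificate.certificate.arn`, and gate the other two attributes the same way. The resource block starts and ends outside the hunk.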
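Review bot: With `aliases` empty in default-certificate mode the distribution no longer claims `var.distribution_fqdn`, so any DNS record for that name that targets this distribution (none is visible in the diff) needs the same condition; otherwise the name keeps pointing at CloudFront with no distribution of yours answering for it. The condition `var.use_cloudfront_default_certificate` now appears twice in this resource, and a short comment such as `# no aliases with the default certificate: CloudFront requires a certificate covering every alias` would explain why the two must stay in step. The resource block extends beyond the hunk.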
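Review bot: The `domain_validations` output changes shape here: callers previously received the `aws_route53_record.certificate_validation` objects and now get the certificate's `domain_validation_options` (objects with `domain_name`, `resource_record_name`, `resource_record_type` and `resource_record_value`), so a consumer reading record attributes such as `fqdn` will break. The output also has no `description`; adding one, e.g. `description = "DNS records the domain owner must create to validate the ACM certificate"`, would document the new contract. If the module is consumed elsewhere this looks like a breaking change worth calling out in the release notes.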