diff --git a/packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts b/packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts
index 699c6db692f8a..d5c26e65b6d52 100644
--- a/packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts
+++ b/packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts
@@ -1,4 +1,4 @@
-import { Construct, IResource, Resource } from '@aws-cdk/core';
+import { Construct, IResource, Resource, Token } from '@aws-cdk/core';
 import { CfnCertificate } from './certificatemanager.generated';
 import { apexDomain } from './util';
 
@@ -103,11 +103,15 @@ export class Certificate extends Resource implements ICertificate {
      * Closes over props.
      */
     function domainValidationOption(domainName: string): CfnCertificate.DomainValidationOptionProperty {
-      const overrideDomain = props.validationDomains && props.validationDomains[domainName];
-      return {
-        domainName,
-        validationDomain: overrideDomain || apexDomain(domainName)
-      };
+      let validationDomain = props.validationDomains && props.validationDomains[domainName];
+      if (validationDomain === undefined) {
+        if (Token.isUnresolved(domainName)) {
+          throw new Error(`When using Tokens for domain names, 'validationDomains' needs to be supplied`);
+        }
+        validationDomain = apexDomain(domainName);
+      }
+
+      return { domainName, validationDomain };
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-certificatemanager/test/test.certificate.ts b/packages/@aws-cdk/aws-certificatemanager/test/test.certificate.ts
index 3e012f6a21468..63f192e0c59fb 100644
--- a/packages/@aws-cdk/aws-certificatemanager/test/test.certificate.ts
+++ b/packages/@aws-cdk/aws-certificatemanager/test/test.certificate.ts
@@ -1,5 +1,5 @@
 import { expect, haveResource } from '@aws-cdk/assert';
-import { Stack } from '@aws-cdk/core';
+import { Lazy, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import { Certificate, ValidationMethod } from '../lib';
 
@@ -54,7 +54,7 @@ export = {
     test.done();
   },
 
-  'can configure validatin method'(test: Test) {
+  'can configure validation method'(test: Test) {
     const stack = new Stack();
 
     new Certificate(stack, 'Certificate', {
@@ -69,4 +69,39 @@ export = {
 
     test.done();
   },
+
+  'needs validation domain supplied if domain contains a token'(test: Test) {
+    const stack = new Stack();
+
+    test.throws(() => {
+      const domainName = Lazy.stringValue({ produce: () => 'example.com' });
+      new Certificate(stack, 'Certificate', {
+        domainName,
+      });
+    }, /'validationDomains' needs to be supplied/);
+
+    test.done();
+  },
+
+  'validationdomains can be given for a Token'(test: Test) {
+    const stack = new Stack();
+
+    const domainName = Lazy.stringValue({ produce: () => 'my.example.com' });
+    new Certificate(stack, 'Certificate', {
+      domainName,
+      validationDomains: {
+        [domainName]: 'example.com'
+      }
+    });
+
+    expect(stack).to(haveResource('AWS::CertificateManager::Certificate', {
+      DomainName: 'my.example.com',
+      DomainValidationOptions: [{
+        DomainName: 'my.example.com',
+        ValidationDomain: 'example.com'
+      }]
+    }));
+
+    test.done();
+  },
 };