Domain Control Validation (DCV) helps prevent the unauthorized issuance of SSL certificates. Without it, SSL activation is not possible. This guide covers the DCV process and shows you how to pass it in several ways. Use the DCV method for SSL certs most suitable to your skills and situation.
Table of Contents
- What is Domain Control Validation (DCV)?
- What Are the DCV Methods?
- Final Step: Check the CAA Record
What is Domain Control Validation (DCV)?
Domain Control Validation is one of the checks Certificate Authorities perform to verify that the person who applies for an SSL certificate owns the domain or has administrator rights over it. Every applicant must pass DCV before receiving the SSL certificate from the CA. It doesn’t require any paperwork, and the process is straightforward.
What Are the DCV Methods?
To confirm you have admin access to the domain you want to encrypt, the CAs provide three DCV methods. We’ll explore them in great detail.
1. Email Validation
The most popular and easy way to validate an SSL certificate is via email. The CA will send you an approval email to the WHOIS or domain-based email address with the validation code. Open the link inside the email and paste the validation code to pass the DCV. The entire process is automated and should take less than 5 minutes to obtain a Domain Validation certificate.
Only specific domain-based or your contact email address from WOIS is eligible for the DCV email method. The problem with WHOIS email is that it is usually hidden for privacy reasons, and the CAs can’t see it. If you don’t know your WHOIS email address, check your domain control panel or contact your domain registrar.
Alternatively, use one of the following pre-approved domain-based emails:
Please replace @yoursite.com with your domain name.
Didn’t receive the validation email? Here’s what to do:
- Check your spam and junk folder. Email filters may mistakenly mark the CA email as spam.
- Double-check your email address. Ensure the address is acceptable and it doesn’t have any typos.
- Resend your email.
- If nothing works, seek support from your SSL provider.
I selected an email address that doesn’t exist…
If you chose an inexistent email address, don’t panic. It’s pretty for inexperienced admins to enter a domain-based email address that has not been created yet. The solution is simple:
- Go to your hosting dashboard and create the domain-based email address you specified for the validation.
- Resend the approval email.
Important! As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV).
2. DNS Validation
DNS validation is a more technical method. It requires you to create a CNAME record (a type of DNS record that maps an alias name to a canonical name for a domain) in the DNS settings of your domain.
In simple terms, DNS, which stands for domain name system, is like a phonebook for the Web, connecting web browsers with websites. It translates human-readable domain names like yoursite.com into machine-readable IP addresses like 188.8.131.52, for example.
If you select the DNS method, you will receive unique validation record values for your particular order. You can find the record in your SSL vendor account.
During SSL validation, your CA verifies that the entity requesting the SSL certificate is the legitimate owner of the domain. One method that a CA can use to verify domain ownership is to check for a DNS TXT record with a specific value. The CA will provide you with a unique value to add to the DNS TXT record, and the CA will then check to ensure that the record contains that value. By checking for the DNS TXT record, the CA can be sure that the domain belongs to you.
After SSL certificate activation, you must add the pre-defined domain record values to your domain registrar (the website where you registered your domain name). Ensure that your firewall doesn’t block the CA’s validation robot.
- Log into your domain registrar account and go to your domain’s DNS settings.
- Create the CNAME record using the domain record value from your vendor account.
- Set up the minimal available TTL (Time to Live) for the record to avoid long delays while the record propagates or you create it incorrectly.
Check Your CNAME Record
Sectigo and GoGetSSL require a CNAME DNS type, which looks like this:
DigiCert, Thawte, GeoTrust, and RapidSSL require TXT DNS type, which looks like this:
yourwebsite.com TXT “w34f54t4t45t354eer98rn4jf4449nfrf”
dnsauth.yourwebsite.com TXT “w34f54t4t45t354eer98rn4jf4449nfrf”.
I’ve Set Up the CNAME Record, What’s Next?
Newly added DNS records take up to 72 hours to propagate worldwide, although it typically takes a few hours. For this reason, you might wait up to three days to complete the activation process. Generally, the other two options are more suitable if your order a Domain Validation certificate and want it available in just a few minutes.
Important! This method is no longer available when validating Wildcard SSL certificates.
This method requires you to upload the TXT validation file to your domain’s directory. Ensure you can connect to your hosting account via your dashboard or FTP and that your CA can access it from any web browser.
The CA will scan your website and look for this file at the indicated link. Once the CA’s crawler finds the TXT file on your website, your SSL certificate will pass the domain validation.
The HTTPS validation method is the same as described above. You should choose the HTTPS option if you already have an SSL Certificate on your website.
Where Do I Get the Validation File?
You will find the validation file in your vendor’s account after you select the file-based option. The validation file is a .txt file named with numbers and letters (example: B4DS4C5H73UFGJDHJ.txt).
After you have downloaded the validation file, it is necessary to upload it to your hosting server/panel. You should upload the file into the “.well-known” folder and “pki-validation” subfolder of the document root directory for the domain name.
As a result, the validation file should be accessible via the requested path for the validation: http://yoursite.com/.well-known/pki-validation/B4DS4C5H73UFGJDHJ.txt.
3. Brand Validation
In some rare instances, the CA may require manual Domain Validation, also known as Brand Validation. It takes up to 48 hours to pass this manual check, and the CA will either issue or reject an order in such cases. Here are the most common reasons for your order going under Brand validation:
- The domain name is blacklisted or has a questionable reputation.
- The domain name includes stop words like online, secure, payment, bank, and many others that automatically trigger the validation system to reject them; hence, manual verification is required.
- The domain name may have a hidden brand name. For instance, your domain is “sibmama.com,” but the automated validation system may read it as “sIBMama” and flag the “IBM” brand for a manual check.
- Your order comes from a restricted country.
Final Step: Check the CAA Record
As of 8th September 2017, all Certificate Authorities (CAs) must adhere to your CAA policy as a security measure.
The CAA record should allow the CA to issue the SSL for your domain name; otherwise, the order will be set as Pending until you update the record.
By default, if no CAA record exists, any CA may issue SSL for your domain name. Otherwise, you should update your CAA record.
In conclusion, Domain Control Validation is essential for ensuring web communications security, protecting users from potential risks, and preventing unauthorized certificate issuance. With various validation methods available, DCV is relatively quick and easy. This a necessary step for any website owner looking to obtain a domain control validated SSL certificate and establish a secure online presence.
Computer security vector created by freepik – www.freepik.com
Save 10% on SSL Certificates when ordering today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
Frequently Asked Questions
How Long Does DCV Validation Take?
The time it takes to complete the DCV validation process can vary depending on the chosen validation method and the responsiveness of the domain owner. However, compared to Business Validation which takes 1-2 days, in most cases, users pass the DCV in just a few minutes.
What Happens if the DCV Fails?
If the DCV fails, the SSL certificate cannot be issued, and the domain owner must take corrective action to resolve the issue. They should double-check the authorization email address or DNS record, ensure the file is in the correct location, and that the website is accessible.
What Is the Easiest DCV Method?
The easiest DCV method is typically email validation. The email method is straightforward and doesn’t require any technical knowledge or changes to the website or DNS configuration. However, other DCV methods are also simple if you have basic knowledge of DNS and hosting management.