Domain Control Validation (DCV) is a step every applicant must pass before receiving the SSL certificate from the Certificate Authority. It doesn’t require any paperwork, and the process is straightforward. Certificate Authorities use DCV to verify the person making the request is authorized to use the domain related to that request.

To confirm you have admin access to the domain you want to encrypt, the CAs provide three validation options. In this guide, we’ll explore them in great detail.

Email Validation

The most popular and easy way to validate an SSL certificate is via email. The CA will send you an email to the WHOIS or domain-based email address with the validation code. Open the link inside the email and paste the validation code to pass the DCV. The entire process is automated and should take less than 5 minutes to obtain a Domain Validation certificate.

Only specific domain-based addresses or your contact email address from WHOIS are eligible for this type of validation. The problem with the WHOIS email is that it is usually hidden for privacy reasons, and the CAs can’t see it. If you don’t know your WHOIS email address, check your domain control panel or contact your domain registrar.

Alternatively, use one of the following pre-approved domain-based emails:

Please replace @yoursite.com with your domain name.

Didn’t receive the validation email? Here’s what to do:

  1. Check your spam and junk folder. Email filters may mistakenly mark the CA email as spam.
  2. Double-check your email address. Ensure the address is acceptable and it doesn’t have any typos.
  3. Resend your email.
  4. If nothing works, seek support from your SSL provider.

I selected an email address that doesn’t exist…

If you chose a nonexistent email address, don’t panic. It’s pretty common for inexperienced admins to enter a domain-based email address that has not been created yet. The solution is simple:

  1. Go to your hosting dashboard and create the domain-based email address you specified for the validation.
  2. Resend the approval email.

Important! As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV).

DNS validation

DNS validation is a more technical method. It requires you to create a CNAME record in the DNS settings of your domain. In simple terms, DNS, which stands for domain name system, is like a phonebook for the Web, connecting web browsers with websites. It translates human-readable domain names like yoursite.com into machine-readable IP addresses like 89.145.93.29, for example.

A CNAME (canonical name) record is used in the DNS to create an alias from one domain name to another domain name. For instance, you have a subdomain like news.yoursite.com, and you want this subdomain to point to your domain name yoursite.com. Instead of creating an A record for your subdomain and binding it to the IP address of your domain, you can create a CNAME record.

If you select the DNS method, you will receive unique validation record values for your particular order. You can find the record in your SSL vendor account.

After SSL certificate activation, you need to add the pre-defined domain record values to your domain registrar (the website where you registered your domain name). Ensure that your firewall doesn’t block the CA’s validation robot.

  1. Log into your domain registrar account and go to the DNS settings of your domain.
  2. Create the CNAME record using the domain record value from your vendor account.
  3. Set the lowest available TTL (Time to Live) for the record. A low TTL avoids long delays while the record propagates, or while a correction propagates if you created the record incorrectly.

Check your CNAME record

Sectigo and GoGetSSL require a CNAME DNS type, which looks like this:

_b2013ea8353c9760c0221c49dc3e8ca7.yourwebsite.com CNAME 165b83449f4fdf83021de4e6f6ee795a.4ae75dbefe3r7bb8a1878616d8b5ae4.5r4r46855d28f6903.comodoca.com.

DigiCert, Thawte, GeoTrust, and RapidSSL require TXT DNS type, which looks like this:

yourwebsite.com TXT "w34f54t4t45t354eer98rn4jf4449nfrf"

or

dnsauth.yourwebsite.com TXT "w34f54t4t45t354eer98rn4jf4449nfrf"

Here’s a tool that checks your CNAME record, and the same tool for the TXT type. Use it to ensure that you’ve set up the record correctly.
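The same check can be done by hand against an export of your DNS records. The following is an added example, not code from any CA or SSL vendor: it parses constructed `name TTL IN TYPE value` lines (the record values are this article's placeholders) and compares them with the value from the vendor account. The function names and the line format are assumptions made for illustration.

```python
import re

# Constructed sample: records as a DNS panel export might list them
# (name TTL IN TYPE value). The values are the article's placeholders.
ZONE = """
_b2013ea8353c9760c0221c49dc3e8ca7.YourWebsite.com. 300 IN CNAME 165b83449f4fdf83021de4e6f6ee795a.4ae75dbefe3r7bb8a1878616d8b5ae4.5r4r46855d28f6903.comodoca.com.
yourwebsite.com. 86400 IN TXT "w34f54t4t45t354eer98rn4jf4449nfrf"
"""

def norm_name(name):
    """DNS names compare case-insensitively; the trailing dot is optional."""
    return name.strip().rstrip(".").lower()

def parse_zone(text):
    """Return (name, ttl, rtype, value) tuples from 'name TTL IN TYPE value' lines."""
    records = []
    for line in text.strip().splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$", line.strip())
        if m:
            name, ttl, rtype, value = m.groups()
            records.append((norm_name(name), int(ttl), rtype.upper(), value.strip()))
    return records

def check_dcv(records, name, rtype, expected):
    """Compare the published record with the value from the vendor account."""
    found = [r for r in records if r[0] == norm_name(name)]
    if not found:
        return "missing: no record at this name"
    typed = [r for r in found if r[2] == rtype]
    if not typed:
        return f"wrong type: found {found[0][2]}, the CA expects {rtype}"
    for _, ttl, _, value in typed:
        if rtype == "CNAME":
            ok = norm_name(value) == norm_name(expected)
        else:  # TXT: compare the text between plain double quotes, case-sensitive
            ok = value.strip('"') == expected
        if ok:
            return f"ok (TTL {ttl}s)"
    return "wrong value: record exists but does not match the vendor value"
```

A "wrong type" result means the record was created with the type another CA uses, for example a TXT record where Sectigo or GoGetSSL expect a CNAME.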

I’ve set up the CNAME record, what’s next?

Newly added DNS records take up to 72 hours to propagate worldwide, although it typically takes a few hours. For this reason, you might wait up to three days to pass the domain validation. Generally, the other two options are more suitable if you order a Domain Validation certificate and want it available in just a few minutes.

HTTP/HTTPS Validation

Important! This method is no longer available when validating Wildcard SSL certificates.

This method requires you to upload the TXT validation file to your domain’s directory. Make sure you can connect to your hosting account via your dashboard or FTP and that your CA can access it from any web browser.

The CA will scan your website and look for this file at the indicated link. Once the CA’s crawler finds the TXT file on your website, your SSL certificate will pass the domain validation.

The HTTPS validation method is the same as described above. You should choose the HTTPS option if you already have an SSL Certificate on your website.

Where do I get the validation file?

You will find the validation file in your vendor’s account after you select the file-based option. The validation file is a .txt file named with numbers and letters (example: B4DS4C5H73UFGJDHJ.txt).

After you have downloaded the validation file, it is necessary to upload it to your hosting server/panel. You should upload the file into the .well-known folder and pki-validation subfolder of the document root directory for the domain name.

As a result, the validation file should be accessible via the requested path for the validation: http://yoursite.com/.well-known/pki-validation/B4DS4C5H73UFGJDHJ.txt.

Brand Validation

In some rare instances, the CA may require a manual Domain Validation, also known as Brand Validation. It takes up to 48 hours to pass this manual check, and the CA will either issue or reject an order in such cases. Here are the most common reasons for your order going under Brand validation:

  • The domain name is blacklisted or has a questionable reputation.
  • The domain name includes stop words like online, secure, payment, bank, and many others that automatically trigger the validation system to reject them; hence, manual verification is required.
  • The domain name may have a hidden brand name. For instance, your domain is “sibmama.com,” but the automated validation system may read it as “sIBMama” and flag the “IBM” brand for a manual check.
  • Your order comes from a restricted country.

Final Step: check the CAA record

As of 8th September 2017, all Certificate Authorities (CAs) must adhere to your CAA policy as a security measure.

The CAA record should allow the CA to issue the SSL for your domain name; otherwise, the order would be set as Pending until you update the record.

By default, if no CAA record exists, any CA may issue SSL for your domain name. If a CAA record does exist, update it so that it authorizes your CA.
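To see in advance whether an order would be held as Pending, you can evaluate your CAA records the way a CA does. The following is an added example, not code from any CA: it applies the RFC 8659 rules (climb from the requested name toward the root, use the first CAA set found, let `issuewild` override `issue` for wildcard names) to constructed records. The record data and function names are assumptions made for illustration.

```python
# Constructed sample data: name -> list of (flags, tag, value) CAA records.
SAMPLE_CAA = {
    "yoursite.com": [(0, "issue", "sectigo.com"), (0, "issuewild", ";")],
    "shop.yoursite.com": [(0, "issue", "digicert.com")],
}

def relevant_rrset(fqdn, caa_zone):
    """Climb from fqdn toward the root; return the first non-empty CAA set."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if caa_zone.get(name):
            return name, caa_zone[name]
    return None, []

def issuer_domain(value):
    """The issuer domain is the part before any ';' parameters; it may be empty."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(fqdn, ca_domain, caa_zone):
    """Return (allowed, reason) for a CA identified by ca_domain."""
    wildcard = fqdn.startswith("*.")
    name, rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, caa_zone)
    if not rrset:
        return True, "no CAA record found: any CA may issue"
    # An unrecognized tag with the critical bit (128) set blocks issuance.
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag '{tag}' at {name}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild takes precedence when present.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True, f"CAA at {name} has no issue restriction for this request"
    if ca_domain.lower() in (issuer_domain(v) for v in values):
        return True, f"{ca_domain} is authorized at {name}"
    return False, f"{ca_domain} is not authorized at {name}: order stays pending"
```

With the sample data, a record on a subdomain (`shop.yoursite.com`) replaces the parent's policy rather than adding to it, and `issuewild ";"` blocks every CA from issuing a wildcard for `yoursite.com`.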
