Domain Validation

How to pass the Domain Validation?

When requesting an SSL Certificate you have to prove that you own or you have management rights over the domain or sub-domain that you are requesting an SSL Certificate for.

Important! As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV).

STEP 1: Domain Validation (DV)

A. EMAIL

If your SSL Certificate is issued by Sectigo, GoGetSSL, GeoTrust, Thawte, DigiCert, or RapidSSL, you can complete the domain validation by responding to an automated domain validation message sent to your email address. You will be given a list of email addresses to choose from, and the automated domain validation message will be sent to the address you select.

Check your inbox (including the Spam folder): you should receive an email message from the Certificate Authority with instructions on how to validate (prove ownership of) your domain name. The message will ask you to copy a unique code and paste it into a specific link provided in the same message.

Important: Only 5 constructed email addresses are allowed for domain validation: admin@, administrator@, hostmaster@, webmaster@, and postmaster@ at the domain being validated.
In some cases, the Certificate Authority may also offer the administrative email address from WHOIS, but ONLY IF private (WHOIS privacy) registration is disabled.

B. HTTP / HTTPS method

This method is Not Available for Wildcard SSL Certificates.

The HTTP validation consists of uploading a TXT validation file to a pre-defined location on your website (under the /.well-known/pki-validation/ path). Make sure that the file is reachable at that link from any web browser. Once you proceed with this domain validation method, the CA scans your website looking specifically for this file at the given link. Your SSL Certificate passes domain validation within a few minutes after the CA's crawler finds the TXT file on your website.

The HTTPS validation method works the same way. Choose the HTTPS option if you already have an SSL Certificate installed on your website.

C. DNS method

You can also add a pre-defined DNS record to your domain's zone (usually managed at your domain registrar, the website where you registered your domain name, or at your DNS hosting provider). Make sure that your firewall doesn't block the CA's validation robot.

Sectigo and GoGetSSL require a CNAME record, which looks like:

_b2013ea8353c9760c0221c49dc3e8ca7.yourwebsite.com CNAME
165b83449f4fdf83021de4e6f6ee795a.4ae75dbefe3r7bb8a1878616d8b5ae4.5r4r46855d28f6903.comodoca.com

while DigiCert (Thawte, GeoTrust, RapidSSL) require a TXT record, which looks like:

yourwebsite.com TXT "w34f54t4t45t354eer98rn4jf4449nfrf"

or

dnsauth.yourwebsite.com TXT "w34f54t4t45t354eer98rn4jf4449nfrf"

Please note that newly added DNS records can take anywhere from about 10 minutes up to 48 hours to propagate. This means that with this method you may have to wait up to 48 hours to pass the domain validation. That is why we recommend the Email, HTTP, and HTTPS methods, which allow you to pass the domain validation almost instantly.
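Before asking the CA to re-check a DNS record, it pays to confirm that the record is visible from outside your network and matches the expected value exactly. The script below is an added example (not code from the page or from any CA). It assumes `dig` is installed and queries a public resolver (1.1.1.1, an assumed default you can change) rather than the local cache, and it normalises trailing dots, letter case and TXT quoting so that cosmetic differences are not mistaken for a missing record. The record names and values are the page's own sample ones; the resolver is a callable so the comparison logic can also be run against constructed answers.

```python
"""Pre-flight check for DNS-based Domain Control Validation (DCV).

Added example; not code from the page or from any CA. It compares the record
the CA expects with what a public resolver returns, after normalising the
things that commonly cause false "mismatches": trailing dots, letter case,
and the quotes around TXT data. The resolver is a callable so the logic can
be exercised against constructed answers without network access.
"""
import shutil
import subprocess
from typing import Callable, List

# The page's sample records (name, type, expected value); hex tokens are illustrative.
SECTIGO_CNAME = (
    "_b2013ea8353c9760c0221c49dc3e8ca7.yourwebsite.com",
    "CNAME",
    "165b83449f4fdf83021de4e6f6ee795a.4ae75dbefe3r7bb8a1878616d8b5ae4.5r4r46855d28f6903.comodoca.com",
)
DIGICERT_TXT = ("yourwebsite.com", "TXT", "w34f54t4t45t354eer98rn4jf4449nfrf")


def normalise(rtype: str, rdata: str) -> str:
    """Canonicalise one answer so CNAME targets and TXT strings compare reliably."""
    value = rdata.strip()
    if rtype == "TXT":
        # dig prints TXT data quoted; long records may come back as several quoted chunks.
        parts = [p.strip('"') for p in value.split('" "')]
        return "".join(parts).strip('"')
    # CNAME: DNS names are case-insensitive and dig appends the root dot.
    return value.rstrip(".").lower()


def dig_resolver(name: str, rtype: str, server: str = "1.1.1.1") -> List[str]:
    """Query a public resolver with dig +short so a stale local cache does not mask propagation."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    out = subprocess.run(
        ["dig", "+short", "@" + server, name, rtype],
        capture_output=True, text=True, timeout=10, check=False,
    ).stdout
    return [line for line in out.splitlines() if line.strip()]


def check_record(name: str, rtype: str, expected: str,
                 resolve: Callable[[str, str], List[str]] = dig_resolver) -> bool:
    """True when at least one answer for (name, rtype) matches the value the CA gave you."""
    want = normalise(rtype, expected)
    answers = resolve(name, rtype)
    return any(normalise(rtype, a) == want for a in answers)


if __name__ == "__main__":
    for name, rtype, expected in (SECTIGO_CNAME, DIGICERT_TXT):
        try:
            result = "present" if check_record(name, rtype, expected) else "MISSING or different"
        except RuntimeError as exc:
            result = f"skipped ({exc})"
        print(f"{rtype:5} {name}: {result}")
```

If the record shows up here but the CA still reports it missing, the usual cause is that the authoritative name servers have not all been updated yet, or that the CNAME was pasted with a trailing space or without the leading underscore.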

STEP 2: CAA Check

As of 8 September 2017, all Certificate Authorities (CAs) are obliged to check and respect your domain's CAA policy before issuing, as a security measure.

The CAA record must allow the CA to issue certificates for your domain name; otherwise, the order is set to Pending until you update the record.

By default, if no CAA record is found, any CA may issue an SSL certificate for your domain name. If you do have a CAA record and it does not list the CA you ordered from, you should update it.

Here is how to do it:
– https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFMO
– https://docs.digicert.com/manage-certificates/dns-caa-resource-record-check/

Here is how to test the record:
– https://toolbox.googleapps.com/apps/dig/#CAA/
– https://caatest.co.uk/scan.org.ua
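To understand why an order can sit in Pending, it helps to run the same CAA logic a CA runs (RFC 8659): find the relevant CAA RRset by climbing from the requested name towards the root, then check whether an `issue` (or, for wildcard names, `issuewild`) property names the CA. The script below is an added example, not code from the page or from any CA. The zone data is constructed in memory so it runs offline; the CA identifiers used (sectigo.com, comodoca.com, digicert.com) are the names those CAs publish for use in CAA records, and the domains are documentation examples. To allow Sectigo, for instance, the record you would publish looks like `yourwebsite.com. CAA 0 issue "sectigo.com"`.

```python
"""Evaluate a CAA policy the way RFC 8659 tells a CA to.

Added example, not code from the page or from any CA. The zone data is
constructed in memory so it runs offline; replace `lookup_caa` with a real
DNS query to test a live domain. Issuer identifiers are the values the CAs
publish for CAA; the domains are documentation examples.
"""
from typing import Dict, List, NamedTuple


class CAA(NamedTuple):
    flags: int   # bit 7 (128) = "issuer critical"
    tag: str     # issue / issuewild / iodef / ...
    value: str   # e.g. 'sectigo.com; account=123', or ';' meaning "nobody may issue"


# Constructed zone: example.com allows Sectigo (either identifier) for ordinary names,
# restricts wildcards to DigiCert, a sub-zone forbids everyone with ';', and another
# sub-zone carries an unknown critical property that a CA must refuse to evaluate.
ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        CAA(0, "issue", "sectigo.com"),
        CAA(0, "issue", "comodoca.com"),
        CAA(0, "issuewild", "digicert.com"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],
    "strict.example.com": [CAA(128, "unknowntag", "x"), CAA(0, "issue", "sectigo.com")],
}


def lookup_caa(name: str) -> List[CAA]:
    """Stand-in for a DNS query: the CAA RRset at exactly `name` (empty if none)."""
    return ZONE.get(name.lower().rstrip("."), [])


def relevant_rrset(fqdn: str) -> List[CAA]:
    """RFC 8659 section 3: climb from the name towards the root and take the first non-empty CAA RRset."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard's relevant set starts at its parent
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """The issuer-domain-name part of an issue/issuewild value: everything before ';', trimmed."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca_domain: str) -> bool:
    """True if the CA identified by `ca_domain` may issue for `fqdn` ('*.' prefix = wildcard)."""
    rrset = relevant_rrset(fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False  # unrecognised critical property: the CA MUST NOT issue
    wildcard = fqdn.startswith("*.")
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names when present
    records = [r for r in rrset if r.tag.lower() == tag]
    if not records:
        return True  # no applicable issue/issuewild property: not restricted by CAA
    return any(issuer_domain(r.value) == ca_domain.lower() for r in records)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "sectigo.com"), ("www.example.com", "digicert.com"),
                     ("*.example.com", "digicert.com"), ("*.example.com", "sectigo.com"),
                     ("locked.example.com", "sectigo.com"), ("strict.example.com", "sectigo.com"),
                     ("other.test", "sectigo.com")]:
        print(f"{name:22} {ca:14} -> {'may issue' if may_issue(name, ca) else 'BLOCKED by CAA'}")
```

Two things this makes visible: a CAA record on the apex governs every subdomain that has no CAA record of its own, and a wildcard order is judged against `issuewild` when that property exists, so an `issue` record for your CA is not enough if someone has added an `issuewild` for a different one.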

Optional (Rare) – Brand Validation (Manual Check)

In some cases, the CA may require manual verification if your order trips any of its internal Brand Validation rules.

It takes around 24-48 hours to pass this manual check, and the CA will either issue or reject an order in such cases.

Here are the reasons why your order is under Brand Validation.


How to change the domain validation method?

If you chose one of the domain validation methods described above and you see that your domain doesn't get validated, you can always change your domain validation method. Please go to this link to learn how to do that.

How to pass the IP validation for a public IP address?

Certain SSL Certificates allow you to secure an IP address, only if it is a public IP address. The validation process for IP addresses is similar to validating a domain name, but it has its particularities. That is why we encourage you to follow the guidelines below.

GoGetSSL

STEP 1. First of all, you have to configure your SSL Certificate by filling in the configuration form inside your SSL Dragon account.

Important! When configuring your certificate, you will be asked to generate a CSR with NO Common Name. Here is how to do it.

STEP 2. Mention your IP address / IP addresses in the SANs field.

If you have just 1 IP address, just insert it in the SANs field, with no extra spaces or characters, e.g.:

123.34.34.234

If you have 2 or more IP addresses (if you purchased additional SANs), insert your IP address list in the SANs field, with each IP address space-separated, e.g.:

123.34.34.234
124.34.24.234

Important! This step is mandatory. Since the CSR has no IP address included in its fields, it’s important to mention your IP address / IP addresses in the SANs field. Otherwise, if you leave the SANs field blank, the SSL Certificate won’t be further configured and you’ll see an error message.

NOTE: if you need to secure an IP address and a domain name, GoGetSSL PublicIP SAN allows you to do that, but it needs manual configuration. Please open a ticket with us, send us the CSR (with No Common Name), the IP address, and the domain name. We’ll configure the SSL manually and provide you the instructions for further validation.

STEP 3. Once your certificate is configured, you have to prove ownership of, or the right to use, that IP address. To do that, you have to pass the HTTP/HTTPS validation for your SSL Certificate. Email and DNS validation are not available for IP validation. To pass the HTTP/HTTPS validation, you have to create a .TXT file that contains the validation code provided in the “Content” field on the details page of your SSL Certificate. The “Content” that you have to add to the .TXT file looks similar to this:

38622319C755B5952FA4CD590655F05000C4951C2EF07BFFCB2BBA23623BE9D6
COMODOCA.COM
t0520161001553133275

Then you have to upload the TXT file at a location on your server that looks like this:
http://127.0.0.1/.well-known/pki-validation/B34037F1D9BFE9F5936AFEA9798174AB.txt

127.0.0.1 should be replaced by the IP address that you are trying to validate. You can read the information on how to create the .well-known folder at this link: https://www.ssldragon.com/faq/create-well-known-folder/

Make sure that you can access this file at that link from any web browser. Let us know once you have uploaded the TXT file to your server, so that we can run a scan of your website looking specifically for this file at that link.

If you follow these steps exactly, you will get your IP address validated successfully.

NOTE: If you need to secure a router instead of a server, there is no way to upload the TXT file to the router. The workaround is to route the IP address temporarily to a server, place the TXT file on that server, pass the IP validation, and then route the IP address back to the router.

Sectigo

STEP 1. First of all, you have to configure your SSL Certificate by filling in the configuration form inside your SSL Dragon account. When configuring your certificate, you will be asked to generate a CSR or enter an existing CSR.

Please make sure you include your IP address as a “common name” (domain/IP that you want to secure) in your CSR.
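The two CSR shapes described above (GoGetSSL: no Common Name, IPs only in the SAN list; Sectigo: the IP as the Common Name) can both be produced with a single OpenSSL command. The script below is an added example, not code from the page or from either CA. It assumes `openssl` 1.1.1 or newer on PATH (for the -addext option); the key and CSR file names are arbitrary, and the IP addresses are the page's own sample values. It also refuses private, loopback and reserved addresses up front, since CAs only issue for public IPs.

```python
"""Build a CSR for a public-IP certificate with OpenSSL in both shapes the page
describes: GoGetSSL wants NO Common Name (the IPs go into the SAN extension and
into the order form's SANs field), Sectigo wants the IP as the Common Name too.

Added example, not code from the page or from either CA. Assumes `openssl`
1.1.1+ on PATH (-addext); file names are arbitrary; IPs are the page's samples.
"""
import ipaddress
import subprocess
from typing import List, Optional


def is_public_ip(ip: str) -> bool:
    """CAs only issue for public IPs: reject private, loopback, link-local and reserved ranges."""
    try:
        return ipaddress.ip_address(ip.strip()).is_global
    except ValueError:
        return False


def validate_ips(ips: List[str]) -> List[str]:
    """Return the cleaned list, or raise naming every address a CA would refuse."""
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:
        raise ValueError(f"not public IP addresses: {bad}")
    return [ip.strip() for ip in ips]


def csr_command(ips: List[str], key_file: str, csr_file: str,
                common_name: Optional[str] = None, key_bits: int = 2048) -> List[str]:
    """The openssl argv. common_name=None gives an empty subject (-subj /), i.e. a CSR with no CN."""
    ips = validate_ips(ips)
    subject = "/" if common_name is None else f"/CN={common_name}"
    san = ",".join(f"IP:{ip}" for ip in ips)
    return [
        "openssl", "req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
        "-keyout", key_file, "-out", csr_file,
        "-subj", subject,
        "-addext", f"subjectAltName={san}",
    ]


def sans_field(ips: List[str]) -> str:
    """What to paste into the order form's SANs field: the public IPs, space-separated, nothing else."""
    return " ".join(validate_ips(ips))


def generate(ips: List[str], key_file: str, csr_file: str,
             common_name: Optional[str] = None) -> None:
    """Create key + CSR, then print the CSR so the Subject and SAN entries can be eyeballed."""
    subprocess.run(csr_command(ips, key_file, csr_file, common_name), check=True)
    # Expect an empty Subject (GoGetSSL) or CN=<ip> (Sectigo), and every address listed
    # under "X509v3 Subject Alternative Name" as "IP Address:...".
    subprocess.run(["openssl", "req", "-in", csr_file, "-noout", "-subject", "-text"], check=True)


if __name__ == "__main__":
    ips = ["123.34.34.234", "124.34.24.234"]
    # GoGetSSL: no Common Name; IPs in the SAN extension and in the order form's SANs field.
    generate(ips, "gogetssl-ip.key", "gogetssl-ip.csr")
    print("SANs field for the order form:", sans_field(ips))
    # Sectigo: the IP you are securing is also the Common Name.
    generate(ips[:1], "sectigo-ip.key", "sectigo-ip.csr", common_name=ips[0])
```

Keep the generated .key file private and on the server that will use the certificate; only the .csr is pasted into the order form.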

STEP 2. Once your certificate is configured, you have to prove ownership of, or the right to use, that IP address. To do that, you have to pass the HTTP/HTTPS validation for your SSL Certificate. Email and DNS validation are not available for IP validation. To pass the HTTP/HTTPS validation, you have to create a .TXT file that contains the validation code provided in the “Content” field on the details page of your SSL Certificate. The “Content” that you have to add to the .TXT file looks similar to this:

38622319C755B5952FA4CD590655F05000C4951C2EF07BFFCB2BBA23623BE9D6
COMODOCA.COM
t0520161001553133275

Then you have to upload the TXT file at a location on your server that looks like this:
http://127.0.0.1/.well-known/pki-validation/B34037F1D9BFE9F5936AFEA9798174AB.txt

127.0.0.1 should be replaced by the IP address that you are trying to validate. You can read the information on how to create the .well-known folder at this link: https://www.ssldragon.com/faq/create-well-known-folder/

Make sure that you can access this file at that link from any web browser. Let us know once you have uploaded the TXT file to your server, so that we can run a scan of your website looking specifically for this file at that link.

If you follow these steps exactly, you will get your IP address validated successfully.

NOTE: If you need to secure a router instead of a server, there is no way to upload the TXT file to the router. The workaround is to route the IP address temporarily to a server, place the TXT file on that server, pass the IP validation, and then route the IP address back to the router.

STEP 3. The last step towards getting the SSL Certificate for your IP address is to pass the Business Validation. You can find detailed instructions on how to do that at this link: https://www.ssldragon.com/faq/how-to-pass-the-business-validation-for-my-ssl-certificate/
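The HTTP/HTTPS file check used in both the GoGetSSL and Sectigo procedures above (and in the HTTP/HTTPS domain validation method earlier on this page) can be rehearsed locally before you tell support the file is in place. The script below is an added example, not code from the page or from either CA. The file name and contents are the page's sample values; the document root, the port and the local test server are assumptions so that the check runs offline. To check a real deployment, call `fetch(validation_url(<your IP or FQDN>))` against the live host instead.

```python
"""Stage the HTTP(S) validation file and confirm it is served byte-for-byte at
the path the CA will request.

Added example, not code from the page or from either CA. File name and
contents are the page's sample values; the document root, port and local test
server are assumptions so the check runs offline.
"""
import functools
import http.server
import socketserver
import tempfile
import threading
import urllib.request
from pathlib import Path

# Sample values in the format the page shows (constructed; not a live order).
FILE_NAME = "B34037F1D9BFE9F5936AFEA9798174AB.txt"
CONTENT = ("38622319C755B5952FA4CD590655F05000C4951C2EF07BFFCB2BBA23623BE9D6\n"
           "COMODOCA.COM\n"
           "t0520161001553133275")
VALIDATION_PATH = "/.well-known/pki-validation/" + FILE_NAME


def validation_url(host: str, https: bool = False) -> str:
    """The exact URL the CA's checker requests; host is the public IP or FQDN being validated."""
    return f"{'https' if https else 'http'}://{host}{VALIDATION_PATH}"


def write_validation_file(docroot: str) -> Path:
    """Write the file under <docroot>/.well-known/pki-validation/ with LF endings and no BOM."""
    target = Path(docroot) / ".well-known" / "pki-validation" / FILE_NAME
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(CONTENT.encode("ascii"))
    return target


def body_matches(body: bytes) -> bool:
    """Compare the served body with the expected content; only a trailing newline or CRLF is tolerated."""
    got = body.replace(b"\r\n", b"\n").rstrip(b"\n")
    return got == CONTENT.encode("ascii")


def fetch(url: str) -> bytes:
    """GET the URL directly (ignoring proxy settings), the way the CA's crawler reaches the host."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=10) as resp:
        return resp.read()


def self_check() -> bool:
    """Serve a temporary docroot on 127.0.0.1 and verify the file is reachable at VALIDATION_PATH."""
    with tempfile.TemporaryDirectory() as docroot:
        write_validation_file(docroot)
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
        with socketserver.TCPServer(("127.0.0.1", 0), handler) as httpd:
            port = httpd.server_address[1]
            threading.Thread(target=httpd.serve_forever, daemon=True).start()
            try:
                return body_matches(fetch(f"http://127.0.0.1:{port}{VALIDATION_PATH}"))
            finally:
                httpd.shutdown()


if __name__ == "__main__":
    print("Upload the file so that it is reachable at:", validation_url("123.34.34.234"))
    print("Local serving check:", "OK" if self_check() else "MISMATCH")
```

If this passes locally but the CA's scan still fails, the usual causes are a rewrite or redirect rule that sends /.well-known/… somewhere else, a server or hosting rule that refuses to serve dot-directories, a BOM or extra text added by an editor, or a firewall that drops the CA's scanner (the page warns about the last one). Fetch the same URL from outside your own network before reporting the file as uploaded.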

What documents should I provide for a DV SSL Certificate?

In order to buy a Domain Validated certificate, you do not need to provide any documentation. You only have to confirm domain ownership through a simple email, DNS record, or file-based authentication (file-based validation is not available for wildcard SSL certificates). Once one of these checks is completed, the DV certificate is signed and released to you.

What is a Domain Validated (DV) SSL certificate?

The Domain Validation (DV) SSL certificate is the most affordable choice for securing your blog, personal or small business website. Since no paperwork is required, obtaining a Domain Validation certificate is quick and easy: you only have to prove that you control the domain, for example by responding to an automated email message. After a couple of minutes, you receive the issued SSL certificate, which can be installed immediately. Sites with a Domain Validation certificate show the padlock that most web browsers display for a valid certificate.

This type of SSL certificate is recommended if you need an encrypted (HTTPS) connection but do not need to show who operates the site. Domain Validation certificates don't display a legal entity, because the identity of the website owner is not checked when they are issued. So, if you have an e-commerce website or a site that collects users' personal data, you should consider buying our Business Validation (BV) or Extended Validation (EV) certificates, which will make your site more trustworthy.

What is a Fully Qualified Domain Name?

A fully qualified domain name (FQDN), sometimes also referred to as the 'Absolute Domain Name', the 'Domain Name', or the 'Common Name', is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS).

You must specify the FQDN when filling in the Certificate Signing Request form. For example, if you wish to secure https://yoursite.com/about.html, the 'Domain Name' or 'Common Name' is yoursite.com.

As you can see, the FQDN doesn’t include the protocol name (https://) nor the subpages or subcategories (about.html).

Please note, when requesting a Wildcard SSL certificate, you must add an asterisk before your Domain Name. For instance, *.yourdomain.com.

Source: Sectigo’s Knowledge Base

Sectigo Removes the WHOIS-based email addresses for DCV

As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV) when the WHOIS record requires a human lookup for domain information. WHOIS is a widely used Internet record listing that identifies who owns a domain and how to contact them.

The change does not affect email addresses that can be found in WHOIS via automated lookups. Those addresses are presented to you during the certificate request process, or via the 'GetDCVEmailAddressList' API. The 'constructed' email addresses remain available.

If the email address you need is not displayed or offered during the DCV process, you will need to use one of the alternative methods for the Domain Control Validation below:

  • A pre-determined (constructed) email address such as admin@, administrator@, hostmaster@, postmaster@, or webmaster@
  • HTTP(S)- or DNS-based Domain Control Validation

Source: Sectigo’s Knowledge Base

What are the benefits of each validation type (DV vs BV vs EV)?

If you are still wondering what are the main benefits of each validation type (Domain Validation (DV), Business Validation (BV), and Extended Validation (EV)) and why you should choose one vs. another, then this is the right FAQ for you. Each of these SSL Certificate types was created having in mind a certain customer trust level:

  • Basic – Domain Validation (DV) SSL Certificates: created for customers who aren't interested in showing their company name and address in the SSL Certificate, either because they don't need or want to, or simply because they don't have a company. They only need to get the SSL Certificate very quickly in order to secure their domain name with HTTPS and have all web and mobile browsers display their website as “Secure”.
  • Medium – Business Validation (BV) SSL Certificates: designed for clients who want to display their company's name in the SSL Certificate's details in order to assure their customers that the business is real and trustworthy. BV SSL Certificates also allow you to display on your website a site seal provided by the third-party Certificate Authority, which proves that your SSL Certificate was issued to your company's name and address.
  • Top – Extended Validation (EV) SSL Certificates: developed for clients for whom users' trust is highly important. EV SSL Certificates also provide the site seal proving that the SSL Certificate was issued to your website and to your company's name and address, and they carry the topmost trust level because the CA verifies the legal entity behind the site more thoroughly before issuing. Note that the encryption of the connection is the same for DV, BV and EV certificates; the levels differ in how much the CA checks about the organization, not in how strong the connection is.

Now that you know the main differences between Domain Validation (DV), Business Validation (BV), and Extended Validation (EV) SSL Certificates, it should be much easier for you to choose the one that fits you best.

How to check what type of validation my SSL Certificate requires?

You can check whether your SSL Certificate requires Domain Validation, Business Validation or Extended Validation by looking at the attributes of your SSL Certificate. Please open the two screenshots on the right in order to see where you can find the information about the validation type of your SSL Certificate.
