When requesting an SSL Certificate you have to prove that you own or you have management rights over the domain or sub-domain that you are requesting an SSL Certificate for.
Important! As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV).
STEP 1: Domain Validation (DV)
If you have an SSL Certificate issued by Sectigo, GoGetSSL, GeoTrust, Thawte, DigiCert, and RapidSSL, then you can complete the domain validation is by responding to an automated domain validation message sent to your email address. You will be given a list of emails to choose from, and the automated domain validation message will be sent to the email address that you choose.
Always check your email address (including your Spam folder) so as you should receive an email message from the Certificate Authority with instructions on how to validate (prove the ownership of) your domain name. The email message will ask you to copy a unique code and paste it on a specific link provided in the same email message.
Important: Only 5 e-mail addresses are allowed for domain validation: [email protected], [email protected], [email protected], [email protected], and [email protected]
In some cases, the Certificate Authority may allow your administrative e-mail from WHOIS, too, but ONLY IF the Private registration is disabled.
B. HTTP / HTTPS method
The HTTP validation consists of uploading a TXT validation file to a pre-defined location on your website. You have to make sure that you can access this file and link from any web browser. Once you proceed with this domain validation method, the CA will run a scan of your website and will look particularly for this file at the given link. Your SSL Certificate will pass the domain validation within a few minutes after the CA’s crawler system finds the TXT file on your website.
The HTTPS validation method is the same validation method as described above. You should choose the HTTPS option if you already have an SSL Certificate installed on your website.
C. DNS method
You can also add a pre-defined domain record to your domain registrar (the website where you registered your domain name). Make sure that your firewall doesn’t block the CA’s validation robot.
Sectigo and GoGetSSL require CNAME DNS type, which looks like:
while DigiCert (Thawte, GeoTrust, RapidSSL) require TXT DNS type, which looks like:
yourwebsite.com TXT “w34f54t4t45t354eer98rn4jf4449nfrf”
dnsauth.yourwebsite.com TXT “w34f54t4t45t354eer98rn4jf4449nfrf”
Please note that newly added DNS records take between 10-48 minutes to propagate. This means that you will have to wait up to 48 hours to pass the domain validation if you go with this method. That is why we recommend the Email, HTTP, and HTTPS methods better because they would allow you to pass the domain validation instantly.
STEP 2: CAA Check
As of 8th September 2017, all Certificate Authorities (CAs) are obliged to respect your CAA policy, as a security measure.
The CAA record should allow the CA to issue the SSL for your domain name, otherwise, the order would be set as Pending until you update the record.
By default, if no CAA record found, any CA may issue SSL for your domain name. Otherwise, you should update your CAA record.
In some cases, the CAs may require manual verification if your order fails any internal rules of Brand Validation.
It takes around 24-48 hours to pass this manual check, and the CA will either issue or reject an order in such cases.
Here are the reasons why your order is under Brand Validation.
How to change the domain validation method?
If you chose one of these domain validation methods described above, and you see that your domain doesn’t get validated, then you can always change your domain validation method. Please go to this link to learn how to do that.