How do I complete Domain Control Validation (DCV)?

Before a Certificate Authority (CA) can issue an SSL certificate, it needs to verify that the organization or individual requesting it has the right to receive it. This avoids cases where an SSL is issued to intruders who impersonate real websites in their cyber attacks. The person requesting the SSL should have admin access to the domain. For business validated certificates, the organization should also legally and physically exist.

To confirm you have admin access to the domain submitted in the SSL activation request, you have three options:

Email Validation — receive an email at a domain-based or whois email.

HTTP Validation — upload the validation file at your host.

DNS Validation — set up a CNAME record in the domain’s DNS zone.

Email Validation

The Certificate Authority will send an email to a domain-based or WHOIS email address. You will need to copy the validation code, open the link inside that email, and paste the validation code there to complete the DCV process. As soon as you do that, the Certificate Authority will issue the SSL if it doesn’t require business validation.

Choose approval email

During the activation process, select “Receive an email” as the domain control validation method. You cannot use an arbitrary email address: it must be either your contact email address from WHOIS or one of the following generic domain-based emails:

• admin@

• administrator@

• postmaster@

• webmaster@

• hostmaster@

The WHOIS email is often hidden behind a WHOIS guard alias for privacy reasons. It can look like something@whoisguard.com or any other something@whoisguardprotection_service.com. To check what your WHOIS email is, please refer to your domain control panel or check with your domain registrar’s support.

What if I did not receive the validation email?

  1. Check your Spam and Junk folders.
  2. Make sure that your email address is accessible. For example, you can send a test email to the selected address from your personal email.
  3. Resend the approval email.

What if I selected an email that doesn’t exist?

Domain-based emails may not exist by default. If you don’t know how to access the mailbox, it most probably does not exist and you should create it. Please contact your webmaster or hosting provider for assistance with that.

If you activated your SSL and realized that the selected approval email does not exist, you have 2 options:

  1. Create the selected email address and then resend the approval email.
  2. Change the validation method using Status Checker.

HTTP

This type of DCV requires you to upload the validation file to your domain’s directory. Select “Upload a file” on the last step of SSL activation to enable this option.

Once the Certificate Authority locates the file, they will know you have access to the domain submitted in the SSL request. In the case of a DV certificate, the CA will issue the SSL right away after the DCV is passed.

The Certificate Authority checks for the file at increasing intervals. They will check for the file 1 minute after the request was submitted, then 2 minutes after that, then 4 minutes after that, and so on until the file is checked just once in 24 hours. So the file is checked 5 times within the first 15 minutes after the activation.

How do I get the validation file?

To find the validation file, follow these steps:

1. Activate your SSL selecting “Upload a file” as the DCV method.

2. Once you complete all steps of the activation flow you will end up on the SSL details page that contains instructions and the option to download the validation text file.

Important: Do not alter the content of the file or rename it.

Alternatively, you can go directly to the “My SSL” dashboard and click the “Details” button next to the SSL in “Pending” status with the domain that needs a DCV check. This will take you to the SSL details page with instructions and the DCV file.

Where to upload the file?

Place the validation file into this location: <DOCUMENT_ROOT>/.well-known/pki-validation/

<DOCUMENT_ROOT> stands for your website name.

The full real-life URL will look like this:

http://your_site.com/.well-known/pki-validation/validation_file.txt

Here your_site.com is your actual website address and validation_file.txt is the name of the .txt file you’ve downloaded from the SSL details page in your account. It doesn’t matter whether you activated the SSL for your_site.com or www.your_site.com: the validation URL will always be the same.

An SSL activated for a subdomain can be validated via either

http://your_site.com/.well-known/pki-validation/validation_file.txt

and

http://subdomain.your_site.com/.well-known/pki-validation/validation_file.txt

The validation path is not available by default if it’s your first time using HTTP validation, so you need to create both “.well-known” and “pki-validation” folders inside your document root.

Tip: On Windows-based servers, add another dot at the end of the folder name (‘.well-known.’). Otherwise, the server won’t allow you to save it with the name that has a dot at the beginning.

Make sure that the file is publicly accessible so that the Certificate Authority can access it.

How do I check that the file is publicly accessible?

In the link below, replace “your_site.com” with your actual website address and validation_file.txt with the name of the validation file you’ve downloaded from the SSL details page in your account, then open the link in a browser:

http://your_site.com/.well-known/pki-validation/validation_file.txt

If you see the txt file content, everything was done properly. If you get an error, please contact your hosting support team.

If you don’t see your file via the HTTP link but you can see it via the HTTPS link (https://your_site.com/.well-known/pki-validation/validation_file.txt), switch the validation method to HTTPS in “Status checker”.
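The upload and accessibility check described above can be scripted on a Linux host. This is an added example, not code from the original page or from the CA; the function names, the document root path in the usage comment, and the assumption that the web server needs world-readable files are illustrative.

```bash
#!/usr/bin/env bash
# Added example: place a DCV file and confirm it is served unchanged.
# All paths and host names passed in are placeholders you supply.

# Copy the downloaded file, byte-for-byte and under its original name, into
# <DOCUMENT_ROOT>/.well-known/pki-validation/ and make it readable
# (assumption: the web server reads files as a different user).
dcv_install() {
    local docroot="$1" src="$2"
    local dir="$docroot/.well-known/pki-validation"
    local dest="$dir/${src##*/}"
    [ -d "$docroot" ] || { echo "no such document root: $docroot" >&2; return 2; }
    [ -f "$src" ] || { echo "no such validation file: $src" >&2; return 2; }
    mkdir -p "$dir" || return 1
    chmod a+rx "$docroot/.well-known" "$dir" || return 1
    cp -- "$src" "$dest" || return 1
    chmod a+r "$dest" || return 1
    cmp -s "$src" "$dest"      # fail if the copy differs from the original
}

# Build the validation URL for a scheme (http or https), host and file.
dcv_url() {
    printf '%s://%s/.well-known/pki-validation/%s\n' "$1" "$2" "${3##*/}"
}

# Fetch the URL and succeed only if the body is identical to the original
# file. An error page, a login page or an edited file all fail here.
dcv_served_ok() {
    local url="$1" src="$2" tmp rc=3
    tmp=$(mktemp) || return 1
    if curl --silent --fail --max-time 15 --output "$tmp" "$url"; then
        if cmp -s "$src" "$tmp"; then rc=0; else rc=1; fi
    fi
    rm -f -- "$tmp"
    return "$rc"
}

# Usage (placeholders):
#   dcv_install /var/www/html ./validation_file.txt
#   dcv_served_ok "$(dcv_url http your_site.com validation_file.txt)" ./validation_file.txt \
#     || dcv_served_ok "$(dcv_url https your_site.com validation_file.txt)" ./validation_file.txt
```

A return code of 3 from dcv_served_ok means the request itself failed, while 1 means something was served but it is not the file you downloaded.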

DNS

DNS validation is not available as the DCV method during SSL activation. If you wish to validate your domain through the DNS method, you should complete the SSL activation by selecting any available DCV method.

To complete DCV through DNS, you’ll need to create a CNAME record in the DNS settings of your domain.

How to get the CNAME record?

Go to your order settings in the “Status checker”.

Switch the DCV method for your SSL to “CNAME CSR Hash”.

Find the CNAME details you’ll need for DNS validation. Inside the Status Checker, click on the “Change Method” button, and click “Show Alternative DCV Information”. 

You will see 3 tabs: “CSR Hashes”, “HTTP Hashes”, and “CNAME CSR Hash”. Open the “CNAME CSR Hash” tab.

You will see CNAME record details required to complete the DNS-based validation. The first one refers to the ‘Host/NAME’ value, the second one refers to the ‘Target/CNAME’ value:

To create a record, you will need to use the character set in front of your domain name (including the underscore) as the ‘Host/NAME’ value, and the 2 lines of characters with the comodoca.com domain name at the end as the ‘Target/CNAME’ value.

Example: The final version of the values you should paste to your CNAME record will look like this:

Host (NAME): _0582HJJS84Y4734639405.

Target (CNAME): 3894FHFHIKS84937955JDLSO938.479HDIHNFOED8.ckedjlojrk7495hdkd.comodoca.com

How to set up the CNAME record?

Go to the DNS settings of your domain name. They are usually managed by your domain registrar or hosting provider.

Set up the CNAME record using the CNAME details you got from the Sectigo Status Checker.

How to check that the CNAME record is accessible?

Verify that the record has been set up properly at https://toolbox.googleapps.com/apps/dig/#CNAME/.

Enter the full CNAME hostname including the domain name (e.g. _c7fbc2039e400c8ef74129ec7db1842c.your_site.com).

Click on ‘CNAME’.

You should see the set of characters you used as the ‘Target’ value for the CNAME (e.g. BDAA7CB9FF2613D28282F699615242B0.59ED3C5E1F557FFB5DFB507A364CCD0D.comodoca.com).
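The same CNAME check can be run from a terminal with dig. This is an added example, not part of the original page; the function names are illustrative, and it assumes dig is installed and that you pass in the Host and Target values shown in Status Checker.

```bash
#!/usr/bin/env bash
# Added example: verify a DCV CNAME record from the command line.

# Normalise a DNS name for comparison: DNS names are case-insensitive and
# dig prints a trailing dot, so lower-case it and drop the final dot.
dns_norm() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Succeed if a non-empty DNS answer equals the expected Target/CNAME value.
cname_matches() {
    [ -n "$2" ] && [ "$(dns_norm "$1")" = "$(dns_norm "$2")" ]
}

# Build the full name to query from the Host/NAME value and the domain.
# Accepts the bare label ("_abc"), the label with a trailing dot ("_abc.")
# or the full name ("_abc.your_site.com").
dcv_fqdn() {
    local host zone
    host=$(dns_norm "$1")
    zone=$(dns_norm "$2")
    case "$host" in
        *".$zone") printf '%s\n' "$host" ;;
        *)         printf '%s.%s\n' "$host" "$zone" ;;
    esac
}

# Query the record and compare it with the expected target.
# Returns 0 on match, 1 on mismatch, 2 if no CNAME exists at that name.
check_dcv_cname() {
    local name expected="$3" answer
    name=$(dcv_fqdn "$1" "$2")
    answer=$(dig +short "$name" CNAME | head -n 1)
    if [ -z "$answer" ]; then
        echo "no CNAME record found at $name" >&2
        return 2
    fi
    if cname_matches "$expected" "$answer"; then
        echo "OK: $name -> $answer"
    else
        echo "MISMATCH at $name: got $answer, expected $expected" >&2
        return 1
    fi
}

# Usage (placeholders): check_dcv_cname '<Host value>' your_site.com '<Target value>'
```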

What should I do after setting up the file or CNAME record?

You can trigger a DCV check by using the ‘Change and Resend/Retry’ option in the “Status Checker” once the record is in place.

We suggest waiting for up to 10 minutes for your SSL status to be updated in your SSLs.com account. Once issued, your SSL will also be sent to the admin email address you specified during the activation process.

If you experience any issues or need help, feel free to contact us via Live Chat or by submitting a ticket.