Domain Control Validation

To have any SSL Certificate issued, domain control validation must be completed. This involves proving that whoever ordered the SSL certificate either owns the domain or has permission by the owner to receive the SSL Certificate and act on their behalf.

How do I complete Domain Control Validation?

There are three types of domain control validation: Approver E-Mail, DNS CNAME Validation, and HTTP File Validation.

The default option is Approver E-Mail, which is often the simplest of the three. However, if you have access to the web server or the domain's DNS, DNS CNAME Validation and HTTP File Validation can be quick and efficient validation methods.

Approver E-Mail Method

You must prove that you have control of the domain(s) being validated. With this method, an E-Mail will be sent for every different root domain listed on the SSL Certificate. Each E-Mail must be directly associated with the domain it is validating.

There are strict industry standards that must be followed when selecting the E-Mail address an Approver E-Mail can be sent to. It must be one of the following five generic domain aliases:

admin@yourdomain.com
administrator@yourdomain.com
hostmaster@yourdomain.com
postmaster@yourdomain.com
webmaster@yourdomain.com

Or it must be an email address listed in your domain's registration details, as found when performing a WHOIS search.

If you wish to use a different email address to those listed above, you will need to update your domain’s registration details and make sure the contact details are publicly available. You can do this by logging into your account with your domain registrar and updating the E-Mail addresses.

If the WHOIS email is not available while ordering, select any address for now and then contact us once you finish placing the order and have made payment so that it can be changed manually.

Once you have received your Approver E-Mail, it will contain a code and a link. Copy the code and follow the link. You will be presented with a text box; enter the code and click 'validate'. You will be notified if Domain Control Validation has been successful.

If you receive an error stating 'This activation code has expired', make sure you are completing the most recent Approver E-Mail you have received (check your spam folder as well). Otherwise, please contact us so we can provide further support.

DNS CNAME Method

This option requires access to the DNS records of the domain you are securing, which are usually managed by your web hosting provider or DNS provider. If you wish to use this option and do not have access, you will need to contact your web hosting provider.

Upon placing your order and payment being made, if this option was selected, you will receive an E-Mail to your account admin address. It will contain a CNAME Record Name and CNAME Record Value to add to your server’s DNS records.

Alternatively, you can contact us and we will be happy to provide you with the CNAME Record.

While you need only add the DNS CNAME Record as stated, see below for greater detail about DNS CNAME Record validation.

Two hashes of the CSR (MD5 and SHA-256) are generated before submission to the Certificate Authority. A CNAME DNS record is then created under the domain being secured.

The format of the CNAME will be:

Name: _<MD5 hash>.<FQDN>
Type: CNAME
Value: <SHA-256 hash>.[<uniqueValue>.]comodoca.com

*Note the leading underscore at the start of the MD5 hash.

*The unique value is only applied if a CSR is being reused. We always recommend using a new CSR.

For example: A CSR is generated with the Common Name 'www.trustico.com'. The CSR is hashed using both the MD5 and SHA-256 hashing algorithms.

MD5: c7fbc2039e400c8ef74129ec7db1842c
SHA-256: c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f
Unique Value: Null

To perform DNS CNAME based validation, the following DNS CNAME record must be created in the domain's DNS zone upon submitting the order:

Name: _c7fbc2039e400c8ef74129ec7db1842c.trustico.com
Type: CNAME
Value: c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.comodoca.com

*Note that the root domain of the FQDN was used (trustico.com rather than www.trustico.com).

*Note that the SHA-256 hash is written as two 32-character labels separated by a dot.

The request is then submitted to the Certificate Authority, which checks for the presence of this CNAME DNS record; if it is found, domain control is proven.

*Note that Multidomain and UCC SSL Certificates require each FQDN to be validated.

HTTP File Based Method

This option requires access to the web server where the website you are securing is hosted. If you wish to use this option and do not have access, you will need to contact your web hosting provider.

Upon placing your order and payment being made, if this option was selected, you will receive an E-Mail to your account admin address. It will contain an HTTP file to upload to your web server (for example via FTP).

Alternatively, you can contact us and we will be happy to provide you with the HTTP file and the directory name to add it to.

While you need only add the HTTP File as stated, see below for greater detail about HTTP File validation.

Two hashes of the CSR (MD5 and SHA-256) are generated before submission to the Certificate Authority. A plain text file is created on the HTTP/S server of the Domain Name, with one hash as the filename and the other hash within the text file itself.

For example: A CSR is generated with the Common Name ‘www.trustico.com’. The CSR is hashed using both the MD5 and SHA-256 hashing algorithms.

A text file is created, containing the SHA-256 hash on the first line and the domain 'comodoca.com' on the next line:

c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f
comodoca.com

The file is then named in the format <MD5 hash>.txt (the hash written in upper case) and placed in the /.well-known/pki-validation directory of the HTTP server, like so:

http://trustico.com/.well-known/pki-validation/C7FBC2039E400C8EF74129EC7DB1842C.txt

Once the order is received by the Certificate Authority and HTTP based DCV is specified, the CA system requests the text file and checks its content. If the file is found and the hash values match, domain control is proven.

*Note that Multidomain and UCC SSL Certificates require each FQDN to be validated.
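The following Python script is an added worked example, not code from the original article or from the Certificate Authority. It builds both the DNS CNAME record and the HTTP file described above from the same pair of CSR hashes, and includes a check that a served file or DNS value matches what the CSR requires. The CSR bytes are a constructed placeholder; the root-domain helper assumes a simple two-label domain.

```python
import hashlib

# Constructed stand-in for the DER bytes of a CSR (not a real request).
CONSTRUCTED_CSR = b"constructed-csr-bytes-for-demo"
CA_DOMAIN = "comodoca.com"


def csr_hashes(csr_der: bytes):
    """Return (md5_hex, sha256_hex) of the raw CSR bytes, lowercase."""
    return hashlib.md5(csr_der).hexdigest(), hashlib.sha256(csr_der).hexdigest()


def root_domain(fqdn: str) -> str:
    """The article's example places the record at the root domain
    (www.trustico.com -> trustico.com). Assumption: a two-label root;
    public-suffix handling is out of scope for this example."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def dns_cname_record(csr_der: bytes, fqdn: str, unique_value=None):
    """Build (name, type, value) for the DNS CNAME validation record."""
    md5_hex, sha_hex = csr_hashes(csr_der)
    name = f"_{md5_hex}.{root_domain(fqdn)}"
    # A DNS label holds at most 63 characters, so the 64-character
    # SHA-256 hex digest is split into two 32-character labels.
    labels = [sha_hex[:32], sha_hex[32:]]
    if unique_value:  # only present when a CSR is reused
        labels.append(unique_value)
    labels.append(CA_DOMAIN)
    return name, "CNAME", ".".join(labels)


def http_file(csr_der: bytes, fqdn: str):
    """Build (url, body) for the HTTP file validation method."""
    md5_hex, sha_hex = csr_hashes(csr_der)
    url = f"http://{root_domain(fqdn)}/.well-known/pki-validation/{md5_hex.upper()}.txt"
    return url, f"{sha_hex}\n{CA_DOMAIN}\n"


def check_http_file(body: str, csr_der: bytes) -> bool:
    """Does a served file carry exactly the expected hash and CA domain?"""
    _, sha_hex = csr_hashes(csr_der)
    lines = [line.strip() for line in body.strip().splitlines()]
    return len(lines) == 2 and lines[0].lower() == sha_hex and lines[1] == CA_DOMAIN


def check_dns_value(value: str, csr_der: bytes, fqdn: str, unique_value=None) -> bool:
    """Does a published CNAME target match the value this CSR requires?"""
    return value.rstrip(".").lower() == dns_cname_record(csr_der, fqdn, unique_value)[2]
```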

Updated on September 13, 2019
