Web Analytics

What Are The Requirements for SSL.com SSL/TLS Certificate Domain Validation?

Domain Control Validation (aka DV or Domain Validation) Overview

In order to establish ownership or authorization to acquire an SSL Certificate for a specific domain, proof of control over the domain must be established.

Domain Control Validation (DCV) can be established by the following methods:

All SSL/TLS certificates, including DV (Domain Validated), OV (Organization Validated), and EV (Extended Validation) Certificates require one of these validation methods to be performed successfully before issuance. 

Beginning December 1, 2021, Wildcard Certificates can no longer be validated using http/https file upload.

For UCC (also known as SAN or Subject Alternative Name) SSL/TLS certificates, domain validation must be performed on each domain included, using any method listed above (or a combination of these methods).

If trying to validate a static IP address, temporarily redirect the IP address to simple webserver with http/https file upload.

If trying to validate a domain that doesn’t respond publicly, temporarily redirect to one that does with http/http file upload or use cname validation.

You can read more about SSL.com’s validation requirements here.

Email Challenge Response

Upon order placement, an email is sent to an authorized email address selected during the order process. Contained within this email is a link the the recipient of the email can follow and enter in a validation code found in the email. Once this process is completed, domain control has been established.

The accepted list of email addresses for a domain that SSL.com is authorized to send the DCV email to is as follows:

  • webmaster@
  • hostmaster@
  • postmaster@
  • administrator@
  • admin@
  • Domain contacts (domain name registrant, technical contact, or administrative contact) listed in the base domain’s WHOIS record.

File lookup over HTTP/HTTPS

This method requires placing a file on the website that is to be protected.

The file is created from taking two hashes of the Certificate Signing Request (CSR) and uploading a text file with that information to a specific location on the server. The file has the MD5 hash for a name with the SHA-256 hash as the first line of the contents of the file. The next line of the file has the term “ssl.com”, while the last line of the file has a unique token.  All actual hash and random values will be presented to you via the user portal.

For instance, for a new CSR is created for the domain name www.yoursite.tld, where the MD5 hash of the CSR is:

8593532A8FA01E6CEBB0B7E85E510D0F

the SHA-256 hash for the CSR is:

c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f

and the unique token for the order is:

10TmfZdb9tj

Then the DCV file would be named 8593532A8FA01E6CEBB0B7E85E510D0F.txt and would have the contents:

c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f
ssl.com
10TmfZdb9tj

The file must be accessible at via HTTP on port 80, or via HTTPS on port 443. SSL.com will check for the existence of this file to satisfy domain control validation. The file cannot be altered in any way or reached via redirection or other .htaccess directives. The file must be placed in the .well-known/pki-validation/ folder on your domain. You will need to create this folder.

In this example, the DCV file should be placed here:

http://www.yoursite.tld/.well-known/pki-validation/8593532A8FA01E6CEBB0B7E85E510D0F.txt

After an order is successfully placed, SSL.com’s automated server will start looking for this file at the above location. When it is able to see the file, domain control validation will be satisfied.

To download the DCV file, first click the Perform Validation link, located in the Action column of the Orders tab to open the Domain Validation page.

perform validation

The file is downloadable under validation hashes.

Validation hash file

DNS CNAME lookup for domain

This method requires you to create a CNAME entry in your domain’s DNS record that is pointed at ssl.com (and in some cases comodoca for Comodo chained certificates). An MD5 hash as well as a SHA-256 hash of the CSR are required for this CNAME entry, plus a unique token.

Note: DNS propagation usually takes a few hours but may take up to 48 hours. Therefore, the DNS CNAME validation method may take more time than the email and HTTP methods.

All of these values are available from the Domain Validation page in your user portal. First, click the Perform Validation link, located in the Action column of the Orders tab to open the Domain Validation page.

perform validation

All of the information needed to create the CNAME entry is available under validation hashes.

The CNAME entry should follow this formula:

_<MD5 hash>.<domain> <TTL> IN CNAME <SHA-256 hash>.<unique token>.ssl.com

Please notice the underscore at the beginning of the entry, which is required. Additionally, because the SHA-256 hash is 64 characters long, it will need to be split into two 32-character subdomains. Therefore, the completed DNS record will look like this:

_517835F790CD5BFD248CBD1A9CD54579.yoursite.tld.
14400 IN CNAME
911b64b097e8e42d4179eb2b27452b4.abaaeb0073f872979666894dbce871cb.f08916997c.ssl.com
The default status of the pre-test is “FAILED”. Don’t Panic.

All actual hash and random values will be presented to you via the user portal.

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.

Subscribe to SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com and stay informed of the latest changes about digital identity and encryption that can impact and enhance your life.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.