• Sectigo Alternative Domain Validation methods

    Domain Validation SSL certificates are the most quickly issued products we have. In most cases, it takes just 5 minutes to issue SSL once domain verification passed. No paperwork requires, all you need is to pass Domain Validation Control (DCV) via one of the available methods. You can check CAB Forum Reference for more details.
    SSL Validation
        • A

          Authorization Domain Name

          For each FQDN, the “Authorization Domain Name” is the domain name that you use to do the DCV.

          • If the FQDN to be included in the certificate is internal.example.tld, the Authorization Domain Name could be either internal.example.tld or example.tld;
          • If you request a certificate for the 2 domains (www.example.tld, example.tld), an Authorization Domain Name of example.tld may be used to do a single validation that will validate both FQDNs, whereas an Authorization Domain Name of www.example.tld may not;
          • An Authorization Domain Name cannot be a registry controlled name and cannot be a public suffix. That means that ‘co.uk’ or ‘com’ can’t be Authorization Domain Names, and (e.g.) ‘pvt.k12.ma.us’ can’t be an Authorization Domain Name because it is a public suffix;
          • The Authorization Domain Name never contains a wildcard ('*') character so even if the FQDN contains a wildcard character, the Authorization Domain Name will not. E.g. If the FQDN to be included in the certificate is *.service.example.tld, the Authorization Domain Name could be either example.tld or service.example.tld
        • E

          Validation via E-mail

          An email is sent to that address, containing a unique validation code. The email should be received by someone in control of the domain, where they can follow a link provided in the email and enter the validation code, thus proving domain control.

          The unique validation code is only valid for 30 days. I.e. any attempt to use the unique validation code more than 30 days after it was created will fail. The list of acceptable email addresses for any given domain are:

          • admin@
          • administrator@
          • hostmaster@
          • postmaster@
          • webmaster@
          • WHOIS email. Any Admin, Registrant, Tech or Zone contact email address that appears on the domain’s WHOIS record, and is VISIBLE to Sectigo CA system.
        • H

          Validation via HTTP/HTTPS

          HTTP based DCV requires that a HTTP server be running on port 80 or that an HTTPS server be running on port 443 of the Authorization Domain Name. Sectigo looks for the file at every valid Authorization Domain, i.e. starts with the FQDN and then will strip one or more labels from left to right in the FQDN and will look for the file on each intermediate domain.

          You will receive the validation file in the (.txt) text file. A text file is created, containing the SHA-256 hash, the Request Tokens/Unique value and the domain ‘sectigo.com’ on the next line.

          For example: A CSR is generated with the CN=www.example.tld The Authorization Domain Name will be example.tld The CSR is hashed using both the MD5 and SHA-256 hashing algorithms.

          File / URL example

          The file name format is: .txt and placed in the /.well-known/pki-validation directory of the HTTP server, like so:

          http://example.com/.well-known/pki-validation/C7FBC2039E400C8EF74129EC7DB1842C.txt
          {TEXT FILE CONTENT}
c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f
sectigo.com
123456789

          The Sectigo CA system checks for the presence of the text file and its content. If the file is found and the hash values match, domain control is proven.

        • C

          Validation via DNS CNAME

          DNS CNAME based DCV requires the creation of a unique CNAME record, pointed back to Sectigo CA. Sectigo looks for the CNAME at every valid Authorization Domain, i.e. starts with the FQDN and then strip one or more labels from left to right in the FQDN and will look for the CNAME on each intermediate domain.

          For a certificate request for an FQDN of *.mail.internal.example.tld, Sectigo would looks for the CNAME in these places and in this order: mail.internal.example.tld internal.example.tld example.tld The Authorization Domain Name is the one we find it on.

          A CNAME DNS record is created under the Authorization Domain Name. The content of the CNAME is described in more details below. Two hashes of the CSR are generated before submission to Sectigo CA.

          The format of the CNAME will be:
‘_’ .Authorization Domain Name CNAME
example _CC5412BF14B25A69F0D3A571C2426767.example.tld.

.[.]sectigo.com
example 72B21EEE5B37D7913084.61F4BB041A1845F87DC8.sectigo.com.

          Hints!

          • Note: The “_” is always included and the “.” after the “.tld” also should be included but depending on the web hosting company it may not be required;
          • When copy-pasting the hashes make sure there is “NO SPACES” caught;

          When creating the DNS CNAME record over at your web-hosting company, there will 3 entries:

          • The “Hostname” which correlates to the first hash [MD5] “_.HASH_DOMAIN.TLD.”
          • The “Alias to or directed to” which correlates to the second hash [Sha256] “.[.]sectigo.com”
          • The Time to live [TTL], which you need to leave at the default value set by the web-hosting company.
    Latest Wiki Posts
    Categories