Domain Validation Process to Issue SSL/TLS Certificates

Currently, Email, DNS and HTTP Methods are Supported for Domain Validation:

Email Validation

Due to major vulnerabilities found in the WHOIS protocol, CA/Browser Forum adopted WHOIS DCV End-of-Life. Means all publicly trusted CAs No longer allow certificates to be issued based on a WHOIS email address validation. Domains must be re-validated using an accepted, non-WHOIS method. Hence, CA like DigiCert and Sectigo announced that customers using WHOIS-based DCV methods should migrate to alternative DCV methods ASAP.

However, if you are still using Email Based Validation, you can still use Constructed email address method using ‘constructed' email addresses - admin@, administrator@, hostmaster@, postmaster@ and webmaster@ yourdomain.com.

Recommendation: Among all these supported methods, DNS-based domain validation is highly recommended by CAs for quick validation and issuance.

File Based Authentication (HTTP/HTTPS File Verification)

If email-based authentication fails to work, then you can try file-based authentication. Generally, CAs like Sectigo (Formerly Known as Comodo) and DigiCert provide you with a text file. Likewise, you'll require to upload that text file within your root directory, and CA will verify it.

Follow the below structure of the file path for each domain on your order (including www and non-www domains):

Your-domain.com/.well-known/pki-validation/[unique-file-name].txt

Certificate Authority will visit the specified URL to confirm the presence of our random value and verify your control over the domain.

DNS-based Validation

This method requires the certificate applicant to create a specific Domain Name System (DNS) TXT record or CNAME Record in the domain's DNS zone file with content and information specified by the CA (Sectigo or DigiCert). Based on CA, the process is difference. For Instance,

If you have a Sectigo (formerly Comodo) Certificate, then follow below steps:

• Log into your domain’s hosting Control Panel.
• Locate and select the DNS Zone Manager for your desired domain.
• Select the option to create a new CNAME Record.
• In the Host Name or Alias field, place the first unique value (MD5 hash) for your order shown in your order detail page. This value must begin with the special character “_”.
• In the CNAME / Points To field, place the second unique value (SHA-256 hash) for your order as shown in your order detail page. This value must end with “sectigo.com”.
• Set the TTL to 3600 or the lowest possible option.
• Click Save and wait for the record to propagate ideally 10-15 minutes.

If you have a DigiCert/RapidSSL/GeoTrust/Thawte Certificate, then follow below steps:

• Log into your domain’s hosting Control Panel.
• Locate and select the DNS Zone Manager for your desired domain.
• Select the option to create a new TXT/CNAME Record.
• In the Host Name or Alias field, either leave it blank or place an @ symbol.
• In the TXT Value field, place the unique value that is displayed on your Order Details Page.
• Set the TTL to 3600 or the lowest possible option.
• Click Save and wait for the record to propagate ideally 10-15 minutes.

One you have done with the above process, the request is submitted to respected CA, the presence of the CNAME DNS record is checked, and if found or verify, domain control is proven, and CA will issue your certificate.