Domain Validation FAQs

What is Domain Control Validation (DCV) / Domain Validation (DV)? Why is it necessary?

DCV (also called DV) is the check by which the Certificate Authority (CA) confirms that whoever is requesting a certificate for a hostname actually controls that domain. Without it, anyone could obtain a certificate for a domain they do not own. The CA performs this check for every new certificate purchase/request, every certificate re-issue and every certificate renewal.

You are asked to select the DCV option when you fill the certificate enrollment form (Step 2).

The DCV/DV validation can be done in any ONE of the following ways:

  1. Email: a verification link sent to an address from the domain's Email Approver list
  2. DNS: adding a CNAME or TXT record with the name and value the CA specifies (which record type depends on the certificate brand)
  3. File (HTTP): uploading a file with CA-specified content to a fixed path on the website

 

If I place an order for a Domain Validated SSL Certificate, which document(s) do I need to provide?

You do not need to provide any documentation in order to purchase a Domain Validated (DV) certificate. All you will need to do is confirm that you own the domain you wish to cover, either through a simple email or file or DNS-based validation.

If your domain name uses WHOIS Privacy Protection, we recommend you do NOT use Email-based validation: the registrant email address is hidden, so the CA cannot use it as an approver address, and domain validation and certificate issuance will be delayed.

 

I chose Email-based Domain Control Validation but I haven’t received my DCV email yet. What should I do?

There are a few actions you may take in this case:

  • First, verify which email address you chose as the Domain Control Validation approver. This may be different from the customer contact email you provided during enrollment. Check that the address is listed in the Email Approver list for your domain.
  • Make sure to check the Spam or Junk Mail folder of your email provider.

If you need to change your DCV email, or if your domain name uses Domain/WHOIS Privacy Protection that hides the registrant email address, you can use any ONE of the following five pre-approved alias addresses, provided the mailbox already exists for your domain name:

admin@yourdomain.com
administrator@yourdomain.com
hostmaster@yourdomain.com
postmaster@yourdomain.com
webmaster@yourdomain.com

Changes after 25th May 2018 due to GDPR
Some domain registrars, such as GoDaddy, have restricted access to the contact information in their domain WHOIS records. Domains registered with these registrars can therefore only use one of the five standard approver email addresses listed above for email-based DCV. See: GDPR impact on domain WHOIS info.

To use one of the above email addresses instead of the one you selected during Certificate Enrollment (Step 2), you can visit your Order Details page where you can set the required email address as approver. If the email address does not exist, make sure you create it before changing the email approver.

 

How do I create the .well-known folder required for File-based Validation?

When following the CA's instructions to validate domain control for SSL issuance using file-based Domain Validation, you are asked to create a file with CA-specified content and make it available at a fixed URL path on your server.

The path you will have to use is this (note that the CA requests it over plain http://, so the path must be reachable without being redirected to HTTPS or elsewhere):
http://www.urdomain.com/.well-known/pki-validation/filename.txt

IIS/Windows

Windows File Explorer on older versions refuses to create a folder whose name starts with a dot (from a command prompt, mkdir .well-known works), so the simplest approach that works everywhere is an IIS virtual directory:

  1. Create the file as instructed by the CA and save it to any folder on the web
    server (let's say C:\Folder\well-known\pki-validation).
  2. Open IIS manager, right-click on your site and select “Add Virtual
    Directory…
  3. For the Alias field, enter .well-known and for the physical path, enter the
    path to your ‘well-known’ folder (in our example: C:\Folder\well-known).
  4. Click OK.
  5. To test file availability, browse to the file on your website at
    http://www.urdomain.com/.well-known/pki-validation/filename.txt and it should load.
    We provide a direct method of checking this on your certificate’s Order Details page with a linked icon.

If you get a HTTP 401 error:

The CA fetches the file anonymously, so a 401 means IIS is demanding authentication for that path. Fix it on the virtual directory itself:

  1. In IIS manager, expand your site and left-click the .well-known virtual directory.
  2. In the middle pane, look for the IIS section and open the Authentication icon.
  3. Ensure Anonymous Authentication is Enabled for this directory, and that no authorization rule denies anonymous users. Windows Authentication is not needed to serve a static text file to the CA, so do not require it on this path.

cPanel

cPanel offers a web browser-based way to create the .well-known folder/directory:

  1. Click on “File Manager”.
  2. Choose the “Web Root (public_html/www)” option and click “Go.”
  3. Create a new folder called “.well-known”.
  4. Within that folder create another folder called “pki-validation”.
  5. Upload your filename.txt file inside the pki-validation folder.
  6. Test the file’s public availability using your web browser.
    We provide a direct method of checking this on your certificate’s Order Details page with a linked icon.

Linux based servers (Ubuntu, Debian, CentOS) using SSH

Creating the .well-known folder/directory in Linux is very straightforward:

  1. Connect to the web server using your SSH client and SSH access credentials.
  2. Change to the document root of your website (the directory the web server serves, for example /var/www/html) using the cd command.
  3. Create a directory called .well-known using the “mkdir .well-known” command.
  4. Change to the just created .well-known directory using the “cd .well-known” command.
  5. Inside it, create another folder called pki-validation using the “mkdir pki-validation” command.
  6. Create/Upload the filename.txt file inside the pki-validation directory.
  7. Test the file’s public availability using your web browser.
    We provide a direct method of checking this on your certificate’s Order Details page with a linked icon.

 

My File Authentication/Validation file has been uploaded. What else should I do to avoid any issue/delay?

  1. Ensure your website does not redirect the validation URL to a different page (for example an HTTP-to-HTTPS redirect, a www/non-www redirect, or a catch-all rewrite to your CMS). The CA requests the plain http:// path and expects the text file with its exact content at that path, not after a redirect.
  2. If you have requested a certificate for a sub-domain of your website, make sure the file is publicly viewable in the correct directory on both yourdomain.com and subdomain.yourdomain.com, so that the authorization succeeds whichever name the CA checks.
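The Linux procedure above and the two checks in this answer, as an added example that is not part of the original FAQ: a POSIX shell script that creates the .well-known/pki-validation path, writes the validation file byte-for-byte, inspects it for the content mistakes that get files rejected (a UTF-8 BOM, Windows line endings, whitespace before or after the token) and then fetches it over plain HTTP without following redirects, which is how the CA sees it. The document root, file name and token text are constructed placeholders; use the exact name and content your CA gives you.

```shell
#!/bin/sh
# Added example, not the FAQ's own code. Assumes a POSIX shell with curl, od and cmp.
# The document root, the file name and the token text are constructed placeholders.

# Create .well-known/pki-validation under the document root and write the
# validation file exactly as given: printf '%s' appends nothing (no newline).
make_dcv_file() {
  docroot=$1; fname=$2; content=$3
  dir="$docroot/.well-known/pki-validation"
  mkdir -p "$dir" || return 1
  printf '%s' "$content" > "$dir/$fname" || return 1
  chmod 644 "$dir/$fname"          # readable by the web server's user
  printf '%s\n' "$dir/$fname"      # hand the path back to the caller
}

# Hex of the first/last byte of a file, for the whitespace/BOM checks below.
first_byte_hex() { head -c 1 "$1" | od -An -tx1 | tr -d ' \n'; }
last_byte_hex()  { tail -c 1 "$1" | od -An -tx1 | tr -d ' \n'; }

# Flag the content mistakes CAs reject: a UTF-8 BOM (Windows editors add one),
# CR line endings, or a space/tab before or after the token. A single trailing
# newline on its own is tolerated.
check_dcv_body() {
  f=$1
  case $(head -c 3 "$f" | od -An -tx1 | tr -d ' \n') in
    efbbbf) echo "$f: UTF-8 BOM at start of file" >&2; return 1 ;;
  esac
  if ! tr -d '\r' < "$f" | cmp -s - "$f"; then
    echo "$f: CR (Windows) line endings" >&2; return 1
  fi
  case $(first_byte_hex "$f") in
    20|09|0a) echo "$f: leading whitespace" >&2; return 1 ;;
  esac
  case $(last_byte_hex "$f") in
    20|09) echo "$f: trailing space or tab" >&2; return 1 ;;
  esac
  return 0
}

# Fetch the URL the way the CA does: plain HTTP, redirects NOT followed. Succeeds
# only on a 200 whose body is byte-identical to the local file. A 3xx here is the
# redirect the FAQ warns about; a 401/403 is an authentication or permission problem.
fetch_dcv_url() {
  url=$1; localfile=$2
  tmp=$(mktemp) || return 1
  code=$(curl -sS -o "$tmp" -w '%{http_code} %{redirect_url}' "$url") || { rm -f "$tmp"; return 1; }
  set -- $code
  status=$1; location=$2
  if [ "$status" != 200 ]; then
    echo "$url: HTTP $status ${location:+redirects to $location}" >&2
    rm -f "$tmp"; return 1
  fi
  if ! cmp -s "$tmp" "$localfile"; then
    echo "$url: served body differs from $localfile (extra whitespace? wrong file?)" >&2
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
  echo "$url: OK, 200 and content matches"
}

# Usage (placeholders): run the first line on the web server, the fetches from
# outside, for the apex and for any subdomain named in the order.
#   f=$(make_dcv_file /var/www/html 1234ABCD.txt 'token-from-ca') && check_dcv_body "$f"
#   fetch_dcv_url http://www.urdomain.com/.well-known/pki-validation/1234ABCD.txt "$f"
#   fetch_dcv_url http://urdomain.com/.well-known/pki-validation/1234ABCD.txt "$f"
```

Run the fetch from a machine outside your own network: a geo-blocking or WAF rule that only bites on foreign source addresses will not show up when you test from inside.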

 

How do I complete DNS-based Domain Validation?

When you select DNS-based validation you will be asked to add a CNAME or TXT record with the specified name and value.

Since every domain registrar service has a different domain management interface here are some generic instructions:

  1. Login to your domain registrar’s control panel.
  2. Proceed to the Manage DNS section in the panel.
  3. Add the CNAME or TXT record with the specified name and value.
    Ensure TTL value for the record is as low as possible.
    A typical TTL value of 3600 means your record will only update after one hour (3600 seconds).
  4. Ensure the DNS record has propagated publicly, using a DNS propagation checking service.
    We provide a direct method of checking this on your certificate’s Order Details page with a linked icon.

If your DNS record has not propagated successfully, check if you have mistakenly added the record in the wrong place:

  1. If you have bought your domain name from a domain registrar but host it with a different web hosting service, you may be using the web hosting service's NS (nameservers). In that case you will need to add the DNS record in your web hosting control panel, because records added at the registrar are never published.
  2. If you use a CDN’s NS then you need to add the DNS record in your CDN’s control panel.
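An added example, not part of the original FAQ, of checking a DCV record the way the CA will: first at the nameservers that are actually authoritative for the zone (which catches the record having been added in the wrong control panel, as described above), then at public resolvers, printing the TTL that decides how long a wrong value lingers. It assumes dig is installed (dnsutils on Debian/Ubuntu, bind-utils on CentOS); the record name, type and value in the usage lines are constructed placeholders, not real CA values. Values are compared after normalisation because dig prints CNAME targets with a trailing dot and TXT data in quotes, neither of which is a real mismatch.

```shell
#!/bin/sh
# Added example, not the FAQ's own code. Assumes `dig` is installed. The record
# name, type and expected value in the usage lines are constructed placeholders.

# Normalise an answer so it compares equal to the value the CA gave you:
# lower-case (DNS names are case-insensitive), strip the trailing dot dig prints
# on CNAME targets, and strip the quotes dig prints around TXT data.
norm_rr() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/^"//' -e 's/"$//' -e 's/\.$//'
}

# True when two record values are the same after normalisation.
rr_matches() {
  [ "$(norm_rr "$1")" = "$(norm_rr "$2")" ]
}

# Ask one server for NAME/TYPE. Prints "<ttl> <value>" for the first matching
# answer, or nothing if the server has no such record.
query_rr() {
  server=$1; name=$2; type=$3
  dig +noall +answer +time=3 +tries=1 "@$server" "$name" "$type" 2>/dev/null \
    | awk -v t="$type" '$4 == t { ttl=$2; $1=$2=$3=$4=""; sub(/^ +/, ""); print ttl " " $0; exit }'
}

# Check the record at every authoritative nameserver for ZONE, then show what two
# public resolvers see. Returns 0 only if every authoritative server serves the
# expected value; a missing answer there means the record went to the wrong panel.
check_dcv_dns() {
  name=$1; type=$2; expected=$3; zone=$4; rc=0
  servers=$(dig +short NS "$zone")
  if [ -z "$servers" ]; then
    echo "no NS records found for $zone (is that the registered zone?)" >&2; return 1
  fi
  for ns in $servers; do
    ans=$(query_rr "$ns" "$name" "$type")
    if [ -z "$ans" ]; then
      echo "$ns: no $type record for $name (added in the wrong control panel?)"; rc=1
      continue
    fi
    ttl=${ans%% *}; val=${ans#* }
    if rr_matches "$val" "$expected"; then
      echo "$ns: OK  $val (TTL $ttl s)"
    else
      echo "$ns: MISMATCH got '$val' want '$expected' (TTL $ttl s, a fix waits this long)"; rc=1
    fi
  done
  for r in 8.8.8.8 1.1.1.1; do
    ans=$(query_rr "$r" "$name" "$type")
    echo "resolver $r: ${ans:-not yet visible}"
  done
  return $rc
}

# Usage (placeholders): the CNAME form and the TXT form, each with the zone that
# holds the record.
#   check_dcv_dns _dcvtoken.urdomain.com CNAME abc123.comodoca.com urdomain.com
#   check_dcv_dns urdomain.com TXT "dcv-token-value" urdomain.com
```

If the authoritative servers answer correctly but the public resolvers still show nothing, the only remaining factor is the TTL of whatever they cached earlier, which is why the FAQ asks you to set a low TTL before creating the record rather than after.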

 

How long will domain validation take?

This largely depends on the type of certificate you purchased and on your own response time. For Email-based DCV the Certificate Authority (CA) contacts the approver address directly and only proceeds once you respond; for DNS- and File-based DCV it proceeds as soon as its checks find the record or file. Domain Validated (DV) certificates can typically be issued in a matter of minutes to one business day.

  • Email-based DCV is completed as soon as you click the link and enter the verification code from the CA's email. This is the easiest method.
  • DNS-based DCV is completed when the CA detects the correct DNS entry (CNAME or TXT as the case may be) after it has propagated globally; depending on the TTL value this can take from 5 minutes to, in rare cases, 4 hours. Delays are usually caused by adding the record in the wrong control panel or by a high TTL on the record.
  • File-based DCV is completed when the CA detects the correct file, with the correct text content, at the correct location, and can take from a few minutes up to 4 hours. Delays are usually caused by a redirect on the website, incorrect file content or location, or a file-validation queue or problem at the CA's issuing server.

Selected orders may be flagged by the CA for an additional Brand Validation procedure, which means the CA's validation staff must review the order manually.

Possible reasons for manual review:

  • Orders from some countries may be reviewed manually, for example: South Korea, North Korea, Sudan, Afghanistan and some others.
  • Your domain name includes a popular brand name, for example: facebook-app.com, sony-shop.net and others.
  • Your domain name contains a string that looks like a brand name: for example the domain “sibmama.com” may be flagged as “sIBMama”, because the brand “IBM” was found inside the name, so staff must check the order manually.
  • Your domain name contains sensitive words such as “pay, online, secure, booking, shop, bank, transfer, money, e-payment, payment, protection” and others; in that case validation will also be manual.

In most cases after the manual review the hold on order processing is removed. Manual review may take up to 24-48 business hours.

 

I completed the validation requirements, but never received the certificate. What should I do?

Possible issues you can check before contacting us are:

  • For File-based DCV, there may be extra space(s) or line breaks in the text file content, the validation URL may be redirected, or a firewall or geo-blocking rule may be blocking HTTP/HTTPS requests from the CA's servers, which are typically located outside your country.
  • For DNS-based DCV, the DNS record may not have been correctly created, or may need more time to propagate globally depending on the initial TTL value. Use the lowest possible TTL value for quickest validation.

After completing validation, the Certificate Authority (CA) will send the certificate to the email address that was used for Domain Control Validation.

If, for whatever reason, the email address does not receive the email, you can also download the files from the Order Details page on our website.

If you have difficulty locating the email with the Order Details page link after checking your Spam & Junk Mail folders, please submit a ticket so we can resolve your case.

 

Can I use the email address listed in the domain WHOIS info to complete Domain Control Validation (DCV)?

Yes, you can do this for all Comodo SSL Certificates listed on our website, provided your domain registrar publishes that information. For RapidSSL, Thawte and GeoTrust certificates you must use one of the 5 pre-approved email addresses. To find out which email addresses are authorised as DCV Approvers for your domain, use this free DCV Email Approver Check tool.

 

Can I switch my method of Domain Control Validation from Email to File, or vice versa?

You can switch your method of Domain Control Validation by using the Reset Order button on your Order Details page. Thereafter you can choose one of the other DCV methods for validation. This option is only available for the first 15 days after placing your order.