File-based Domain Validation

File-based Domain Validation (DV) or Domain Control Validation

File-based Domain Validation is a simple way to prove domain ownership to the Certificate Authority (CA) if completing Email DCV is not possible. The logic for using this method of proving domain ownership is that only the domain owner can upload a file to the domain’s website folder.

File-based DV for Wildcard SSL certificates was discontinued by all CAs on 30th Nov 2021.

This method will not work for domain names without a website, i.e. domains parked with a registrar or web hosting service.*

*Other reasons for not working include:

  • Web server or firewall settings that block the IP ranges of various countries.
  • Website root redirection, either on purpose or due to the use of web-based CMS/blog software.

Make sure you have FTP or File manager access to your domain’s website folders. To make sure you have this access, create a new folder on your domain’s website and try uploading a text file to the new folder.

File-based Domain Validation Options

The option to select File DCV appears when you open the Certificate Enrollment form. If you already have a certificate set up for your domain’s website, select HTTPS File-based; otherwise select HTTP File-based.

When following the CA’s instructions to validate domain ownership for SSL issuance using file-based Domain Validation, you are asked to create a file and put it on a URL path on your server.

The path you will have to use looks like this:

http://www.yourdomain.com/.well-known/pki-validation/filename.txt

Based on the certificate you order, a sample text file name looks like:

5FB1F8C9C32DBB0C10C5C59DB1910A1A.txt OR fileauth.txt

Sample text file content looks like this:

EFB5DEC4966FC1669B844C40216EC23D9C77F1A826257847A19B9EDB1ADA1526
comodoca.com

Completing File-Based Domain Validation Platform-wise

File-Based Domain Validation on IIS/Windows

You cannot directly create a folder in Windows called .well-known, so you have to follow this process:

  1. Create the file as instructed by the CA and save it to any folder on the web server (let’s say C:\Folder\well-known\pki-validation).
  2. Open IIS manager, right-click on your site and select “Add Virtual Directory…”
  3. For the Alias field, enter .well-known and for the physical path, enter the path to your ‘well-known’ folder (in our example: C:\Folder\well-known).
  4. Click OK.
  5. To test file availability, browse to the file on your website at http://www.yourdomain.com/.well-known/pki-validation/filename.txt and it should load.

If you get an HTTP 401 error:

  1. In IIS manager, left-click and select your site.
  2. In the middle pane, look for the IIS section and open the Authentication icon.
  3. In the changed middle area, now select Windows Authentication, and then click Providers from the Action pane on the right.
  4. Ensure that NTLM is at the top of the list.

File-Based Domain Validation on cPanel

cPanel offers a web browser-based way to create the .well-known folder/directory:

  1. Click on File Manager
  2. Choose the Web Root (public_html/www) option and click Go.
  3. Create a new folder called .well-known.
  4. Within that folder create another folder called pki-validation.
  5. Upload your filename.txt file inside the pki-validation folder.
  6. Test the file’s public availability using the web address in your web browser.

File-Based Domain Validation on Linux based servers (Ubuntu, Debian, CentOS) using SSH

Creating the .well-known folder/directory in Linux is very straightforward:

  1. Connect to the web server using your SSH client and SSH access credentials.
  2. Change to the root directory of your website using the cd command.
  3. Create a directory called .well-known using the mkdir .well-known command.
  4. Change to the just created .well-known directory using the cd .well-known command.
  5. Inside it, create another folder called pki-validation using the mkdir pki-validation command.
  6. Create/Upload the filename.txt file inside the pki-validation directory.
  7. Test the file’s public availability using your web browser.
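The steps above as one shell function, added here as an example and not taken from the CA's or the original page's instructions. The function name, the web root and the source file path are assumptions; the function copies the CA-issued file unchanged instead of retyping its content.

```bash
#!/usr/bin/env bash
# Added example: install a CA-issued validation file under a site's web root.
# Usage (paths are placeholders): install_dcv_file /var/www/html ./fileauth.txt

install_dcv_file() {
    local webroot=$1 src=$2
    local name dest_dir dest
    name=$(basename -- "$src")

    [ -d "$webroot" ] || { echo "web root not found: $webroot" >&2; return 1; }
    [ -f "$src" ]     || { echo "validation file not found: $src" >&2; return 1; }

    dest_dir="$webroot/.well-known/pki-validation"
    dest="$dest_dir/$name"

    # Steps 3-5: create both directory levels in one call.
    mkdir -p -- "$dest_dir" || return 1
    # Step 6: copy the file unchanged; never retype or edit its content.
    cp -- "$src" "$dest" || return 1
    # The web server user must be able to enter the directories and read the file.
    chmod 755 "$webroot/.well-known" "$dest_dir" && chmod 644 "$dest" || return 1
    # Confirm the installed copy is byte-identical to the file the CA issued.
    cmp -s -- "$src" "$dest" || { echo "copy differs from source" >&2; return 1; }
    # Print the installed path so the caller can build the test URL from it.
    printf '%s\n' "$dest"
}
```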

Troubleshooting File DCV

Instructions for File-based Domain Control Validation are displayed soon after you submit the Certificate Enrollment form. If you missed them, you can see them on your Order Details page.

File-based DCV is completed when the CA detects the correct file, with the correct text content, at the correct location. This could take from a few minutes up to 4 hours in rare cases. Delays can be caused by the website’s redirection, incorrect file content, or an incorrect file location.

If you have completed all steps for File DCV and you still haven’t received the certificate files:

  1. Ensure that there is no redirection to a different page by your website. This can happen if you use a CMS such as WordPress, Magento, etc. To check this, browse to the validation file in your web browser. The text file and correct content should be visible when you browse to the specified path.
  2. If you have requested a certificate for a sub-domain of your website, to make sure the authorization is successful, ensure the file is publicly viewable in the correct directory on both yourdomain.com and subdomain.yourdomain.com.
  3. Your file-path must reflect the Common Name on the CSR, or Certificate Signing Request. This means that if your certificate is being issued for yourdomain.com your file-path cannot be using www.yourdomain.com
  4. Check the file content is exactly as specified and does not include even an extra space on any line.
  5. Check the file is uploaded to the correct folder. To check this, browse to the validation file in your web browser. The text file and correct content should be visible when you browse to the specified path.
  6. If your website has an expired SSL certificate or you see any browser warnings when trying to access your file, you must remove the old certificate and do whatever is necessary to clear the browser warning before your certificate can be issued.
  7. Check if you have set up firewall rules blocking IP ranges of other countries from accessing your domain’s website. If so, disable these rules immediately.
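A way to run several of these checks from the command line before resetting the order, added here as an example and not part of the original page or any CA tooling. The function names and the diagnostic labels are assumptions; `check_dcv_url` needs `curl` and a local copy of the file exactly as the CA issued it.

```bash
#!/usr/bin/env bash
# Added example: compare the served validation file against the CA's original.

# Classify one HTTP response. Arguments: status code, fetched body, CA's file.
diagnose_dcv() {
    local status=$1 body=$2 expected=$3
    case $status in
        200) ;;
        3??) echo "redirect"; return 1 ;;        # item 1: CMS or www/non-www redirect
        401|403) echo "access-denied"; return 1 ;;
        404) echo "not-found"; return 1 ;;       # item 5: wrong folder or file name
        *)   echo "http-$status"; return 1 ;;    # 000 = no HTTP response at all
    esac
    if cmp -s -- "$expected" "$body"; then
        echo "ok"; return 0
    fi
    # Item 4: same text, but trailing spaces, tabs or Windows line endings differ.
    if [ "$(sed 's/[[:space:]]*$//' "$body")" = "$(sed 's/[[:space:]]*$//' "$expected")" ]; then
        echo "whitespace-mismatch"; return 1
    fi
    echo "content-mismatch"; return 1
}

# Fetch the URL without following redirects, then classify the result.
check_dcv_url() {
    local url=$1 expected=$2 tmp status rc=0
    tmp=$(mktemp) || return 2
    # curl exits non-zero on DNS, TLS (item 6) or firewall (item 7) failures.
    status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 20 "$url") || status=000
    diagnose_dcv "$status" "$tmp" "$expected" || rc=$?
    rm -f -- "$tmp"
    return "$rc"
}
```

Run `check_dcv_url` against the exact host name used as the Common Name on the CSR, and from a network outside your own firewall where possible, since the CA's checker connects from the public internet.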

Once the CA’s system detects an error it will stop the validation process without retrying. The only way to re-initiate the file check is by using the Reset Order button on your Order Details page and going back to Certificate Enrollment.

If you have completed all steps correctly but still have not received your certificate files, reach out to us using the Contact Support option on your Order Details page.

In some rare cases there could be delays due to the File validation queue/problems at CA’s issuing server. Problems at the CA’s issuing server can only be resolved by the CA’s engineers and will be resolved as soon as possible. Unfortunately, if this is the case, neither you nor we can do anything about it until it gets resolved and certificates start getting issued again.