SSL DCV: How to Verify Your Domain

TL;DR

Domain Control Validation (DCV) proves you own the domain name in your SSL certificate request. This guide shows common methods – DNS records, HTTP files, and email verification – with clear steps.

1. Understanding DCV Methods

Your Certificate Authority (CA) will offer several ways to verify ownership. The most common are:

  • DNS Record: Add a specific record (TXT or CNAME) to your domain’s DNS settings. This is generally the preferred method as it doesn’t require web server access.
  • HTTP File: Upload a file with a unique name and content to a specific location on your website. Requires write access to your webserver.
  • Email Verification: Receive an email at one of the standard addresses associated with the domain (the CA/Browser Forum allows admin@, administrator@, hostmaster@, postmaster@ and webmaster@ at the domain).

2. DNS Record Validation

  1. Get the DNS record details from your CA: After requesting your certificate, your CA will provide a TXT or CNAME record value and hostname (usually your domain name itself).
  2. Log in to your Domain Registrar/DNS Provider: This is where you manage your domain’s settings. Examples include GoDaddy, Namecheap, Cloudflare, etc.
  3. Add the DNS Record:
    • Find the DNS management section (often called ‘DNS Records’, ‘Zone Editor’, or similar).
    • Create a new record.
      • Type: Select TXT (most common) or CNAME as instructed by your CA.
      • Name/Host: Enter the hostname provided by your CA (often @ for the root domain, or a subdomain like _acme-challenge).
      • Value/Content: Copy and paste the exact value given by your CA.
      • TTL: Leave at default (usually 3600 seconds / 1 hour) unless otherwise specified.
  4. Wait for Propagation: DNS changes can take time to update across the internet (up to 48 hours, but usually much faster). You can use a tool like What’s My DNS to check propagation.
    dig yourdomain.com TXT
  5. Verify with Your CA: Once propagated, tell your CA to verify the record. They’ll usually have a button or link in their control panel.

3. HTTP File Validation

  1. Get the file details from your CA: The CA will provide a filename and its content (a unique string).
  2. Upload the file to your webserver:
    • Use an FTP client or your web hosting control panel’s file manager.
    • Place the file in the exact location specified by your CA (e.g., /.well-known/pki-validation/filename.txt). The directory structure is important!
  3. Ensure the file is publicly accessible: The CA needs to be able to access it via HTTP(S). Check with a browser or use curl.
    curl https://yourdomain.com/.well-known/pki-validation/filename.txt
  4. Verify with Your CA: Tell your CA to verify the file.

4. Email Verification

  1. Check the verification email address: The CA will send an email to one of the standard addresses at your domain (admin@, administrator@, hostmaster@, postmaster@ or webmaster@) or to those listed in your domain’s WHOIS record.
  2. Click the verification link: The email contains a unique link you must click to confirm ownership.
  3. If no email arrives: Check your spam folder. If still missing, contact your CA for alternative addresses or methods.

5. Troubleshooting

  • Propagation delays: DNS changes take time. Be patient and re-check after a few hours.
  • Incorrect record/file details: Double-check the values provided by your CA – even a small typo can cause failure.
  • File permissions: Ensure the HTTP file is publicly readable.
  • Webserver configuration: Some webservers may block access to /.well-known/ directories; check your server settings.
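The checks in sections 2 and 3, together with the troubleshooting causes above (propagation, typos, file permissions), can be scripted as a pre-flight test before you press the CA's "verify" button. The script below is an added example, not code from this article or from any CA. It parses `dig +short` output, fetches the validation file, and compares each observed value with the exact token the CA gave you, naming the usual cause (trailing newline, byte-order mark, pasted quotes, wrong case, 404) when they differ. It assumes `dig` is on PATH for live DNS lookups and that the token contains no literal double quotes; the hostnames and tokens in the usage comment are placeholders.

```python
"""Pre-flight checker for SSL Domain Control Validation (DCV) tokens.

Added example (not the article's code). Compares what the world actually
sees, a TXT record or a /.well-known/pki-validation/ file, with the exact
value the CA issued, and reports the common reasons a check fails.
"""
from __future__ import annotations

import re
import shutil
import subprocess
import sys
from urllib.error import HTTPError
from urllib.request import urlopen

# Matches one double-quoted chunk of a TXT record as printed by dig.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_txt(dig_short_output: str) -> list[str]:
    """Turn `dig +short <name> TXT` output into plain record strings.

    dig prints each record as one or more quoted chunks ("abc" "def");
    tokens longer than 255 bytes are split into chunks, so they are joined.
    """
    records = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line:
            continue
        chunks = [c.replace('\\"', '"') for c in _QUOTED.findall(line)]
        records.append("".join(chunks) if chunks else line)
    return records


def diagnose(observed: str, expected: str) -> str:
    """Explain why an observed value differs from the CA's token ('ok' if equal)."""
    if observed == expected:
        return "ok"
    if observed.strip() == expected.strip():
        return "whitespace: value has leading/trailing whitespace or a trailing newline"
    if observed.startswith("\ufeff") and observed.lstrip("\ufeff").strip() == expected.strip():
        return "bom: file was saved with a UTF-8 byte-order mark"
    if observed.strip().strip('"') == expected.strip():
        return "quotes: literal quote characters were pasted into the value"
    if observed.strip().lower() == expected.strip().lower():
        return "case: value differs only in letter case (tokens are case-sensitive)"
    return "mismatch: value differs from the CA token (typo or stale record)"


def check_dns_txt(records: list[str], expected: str) -> dict:
    """Evaluate the TXT strings currently visible for the validation hostname."""
    if not records:
        return {"status": "missing",
                "detail": "no TXT record visible yet: wait for propagation or check the Name/Host field"}
    diags = [diagnose(r, expected) for r in records]
    if "ok" in diags:
        return {"status": "ok", "detail": "token present"}
    return {"status": "fail", "detail": "; ".join(diags)}


def check_http_file(status_code: int, body: bytes, expected: str) -> dict:
    """Evaluate an HTTP fetch of the validation file."""
    if status_code != 200:
        return {"status": "fail",
                "detail": f"HTTP {status_code}: file not publicly readable or /.well-known/ blocked"}
    observed = body.decode("utf-8", errors="replace")
    d = diagnose(observed, expected)
    return {"status": "ok" if d == "ok" else "fail", "detail": d}


def live_dns(name: str) -> list[str]:
    """Query the record with dig, as the article suggests (dig must be on PATH)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found on PATH")
    out = subprocess.run(["dig", "+short", name, "TXT"],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_txt(out)


def live_http(url: str) -> tuple[int, bytes]:
    """Fetch the validation file the way the CA will (plain GET, no cookies)."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, b""


if __name__ == "__main__":
    # Placeholder usage (hostnames/tokens are examples, not real values):
    #   python dcv_check.py dns  _dcv.yourdomain.com TOKEN_FROM_CA
    #   python dcv_check.py http https://yourdomain.com/.well-known/pki-validation/file.txt TOKEN_FROM_CA
    mode, target, token = sys.argv[1:4]
    if mode == "dns":
        result = check_dns_txt(live_dns(target), token)
    else:
        result = check_http_file(*live_http(target), token)
    print(f"{result['status']}: {result['detail']}")
    sys.exit(0 if result["status"] == "ok" else 1)
```

Run the DNS mode after adding the record and again before asking the CA to verify; a "missing" result simply means propagation is not complete from where you are querying, whereas a "whitespace" or "bom" result for the HTTP file points at the editor or upload tool that wrote the file.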