Introduction:
Domain Control Validation (DCV) is a vital step in securing your online presence with SSL certificates. This guide will walk you through the DCV process, equipping you with the knowledge to successfully navigate it in a variety of ways. Discover the DCV method that best aligns with your expertise and circumstances.
Table of Contents:
- Understanding Domain Control Validation (DCV)
- Exploring DCV Methods
- Final Step: Verifying the CAA Record
- Conclusion
What is Domain Control Validation (DCV)?
Domain Control Validation, or DCV, is an essential verification process conducted by Certificate Authorities (CAs) to confirm that SSL certificate applicants either own the domain or possess administrative rights over it. This validation step is straightforward, devoid of paperwork, and a prerequisite for SSL certificate issuance.
Exploring DCV Methods:
To confirm your administrative control over the domain in question, CAs offer three distinct DCV methods, each explained in detail below.
1. Email Validation:
Email validation remains the most popular and user-friendly DCV method. The CA sends an approval email containing a validation code to a WHOIS contact address or to one of a fixed set of domain-based addresses for your domain. To pass DCV, open the email and enter the provided validation code. This automated procedure typically takes less than five minutes, making it an efficient way to obtain a Domain Validation certificate.
Please note that only specific domain-based addresses, or the contact addresses listed in your domain’s WHOIS record, are eligible for the email DCV method. If your WHOIS email address is hidden for privacy reasons, or you’re unsure which address is on record, check your domain control panel or get in touch with your domain registrar.
Alternatively, you can use one of the following pre-approved domain-based email addresses:
- administrator@yourdomain.com
- admin@yourdomain.com
- postmaster@yourdomain.com
- hostmaster@yourdomain.com
Replace “yourdomain.com” with your actual domain name.
Didn’t receive the validation email? Here’s what you can do:
- Check your spam and junk folder, as email filters may mistakenly mark the CA’s email as spam.
- Double-check the accuracy of your email address to ensure there are no typos.
- Attempt to resend the email.
- If all else fails, seek support from your SSL provider.
Selected an email address that doesn’t exist? No worries; you can resolve this issue by following these steps:
- Access your hosting dashboard and create the domain-based email address specified for validation.
- Resend the approval email.
Important Note: Effective June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV).
2. DNS Validation:
DNS validation is a more technical approach: you create a record (a CNAME or a TXT record, depending on the CA) in your domain’s DNS zone. This method hinges on the Domain Name System (DNS), which serves as the web’s phonebook, translating human-readable domain names into machine-readable IP addresses.
When you select DNS validation, you receive unique validation record values for your specific order; these values can be found in your SSL vendor account. The CA verifies domain control by querying your domain’s DNS for a record carrying exactly that value, so you add the value to your zone and the CA then looks it up.
After activating the SSL certificate, add the record values from your order to your domain’s DNS zone (at your registrar or wherever your DNS is hosted), and make sure no firewall blocks the CA’s validation robot. Here are the steps to follow:
- Log into your domain registrar account and navigate to your domain’s DNS settings.
- Create the CNAME (or TXT) record using the record name and value from your vendor account.
- Set the lowest available TTL (Time to Live) for the record, so that propagation is quick and a mistyped record does not stay cached for long.
- Verify the record with a DNS lookup tool (for example, dig or an online DNS checker) before asking the CA to validate.
Check Your CNAME or TXT Record
Sectigo and GoGetSSL require a CNAME record, which looks like this:
_b2013ea8353c9760c0221c49dc3e8ca7.yourwebsite.com CNAME 165b83449f4fdf83021de4e6f6ee795a.4ae75dbefe3r7bb8a1878616d8b5ae4.5r4r46855d28f6903.comodoca.com.
DigiCert, Thawte, GeoTrust, and RapidSSL require a TXT record, which looks like this:
yourwebsite.com TXT "w34f54t4t45t354eer98rn4jf4449nfrf"
or
dnsauth.yourwebsite.com TXT "w34f54t4t45t354eer98rn4jf4449nfrf"
After setting up the DNS record, what’s next? Newly added DNS records may take up to 72 hours to propagate globally, although this typically happens within a few hours. If you need your Domain Validation certificate promptly, the other two methods may be faster.
3. HTTP/HTTPS Validation:
Please note that this method is no longer applicable for validating Wildcard SSL certificates.
HTTP/HTTPS validation requires uploading a TXT validation file to a specific directory on your web server. Make sure you can access your hosting account (via the control panel or FTP) and that the file will be publicly reachable over HTTP or HTTPS, because the CA fetches it with an ordinary web request.
The CA’s crawler requests the TXT file at the designated URL. Once it retrieves the file with the expected contents, your SSL certificate passes domain validation.
To obtain the validation file, access your vendor’s account after selecting the file-based option. The validation file is typically a .txt file with an alphanumeric name (e.g., B4DS4C5H73UFGJDHJ.txt).
After downloading the validation file, upload it to your hosting server or panel. Place it in the “pki-validation” subfolder of the “.well-known” folder in your domain’s document root, so that it is reachable at the path the CA checks: http://yourdomain.com/.well-known/pki-validation/B4DS4C5H73UFGJDHJ.txt. Some web servers refuse to serve directories whose name begins with a dot; if the URL returns 404 even though the file is in place, check the server configuration for the .well-known folder.
Brand Validation:
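As an added example (not part of the original guide), the following Python script writes a constructed validation file into the correctly nested folders and then fetches it from a temporary local web server over the same request path the CA’s robot uses; the file contents are made-up sample values, and the file name is the one used above.

```python
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.request
from functools import partial

# Constructed sample values; a real order uses the file name and
# contents shown in your SSL vendor account.
SAMPLE_FILE = "B4DS4C5H73UFGJDHJ.txt"
SAMPLE_BODY = "constructed-validation-token\nexample-ca.test\n"


def place_validation_file(docroot, filename, body):
    """Write the file to <docroot>/.well-known/pki-validation/<filename>.
    Note the nesting: pki-validation sits inside .well-known, not the reverse."""
    target_dir = os.path.join(docroot, ".well-known", "pki-validation")
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, filename)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


def fetch_validation_file(base_url, filename):
    """Request the file the way the CA's robot does: a plain GET on the
    documented path, connecting directly (proxy env vars ignored)."""
    url = f"{base_url}/.well-known/pki-validation/{filename}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=5) as resp:
        return resp.status, resp.read().decode("ascii")


def local_dcv_check(filename=SAMPLE_FILE, body=SAMPLE_BODY):
    """Offline dry run: serve a throwaway docroot on 127.0.0.1 and confirm the
    file comes back with HTTP 200 and byte-identical contents.  Against a live
    site you would call fetch_validation_file("http://yourdomain.com", name)."""
    with tempfile.TemporaryDirectory() as docroot:
        place_validation_file(docroot, filename, body)
        handler = partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
        with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            try:
                port = srv.server_address[1]
                status, got = fetch_validation_file(f"http://127.0.0.1:{port}", filename)
            finally:
                srv.shutdown()
    return status == 200 and got == body


if __name__ == "__main__":
    print("validation file reachable:", local_dcv_check())
```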
In rare instances, the CA may require manual Domain Validation, known as Brand Validation. This manual check can take up to 48 hours, after which the CA will either approve or reject your order. Common reasons for orders undergoing Brand Validation include:
- The domain name being blacklisted or having a questionable reputation.
- Inclusion of stop words such as “online,” “secure,” “payment,” “bank,” and others, which can trigger manual verification.
- Hidden brand names within domain names, leading to manual scrutiny.
- Orders originating from restricted countries.
Final Step: Check the CAA Record:
Since September 8th, 2017, all Certificate Authorities (CAs) have been required to honor your domain’s CAA (Certification Authority Authorization) policy as a security measure. If you publish a CAA record, it must permit the CA you ordered from to issue an SSL certificate for your domain; otherwise the order stays labeled “Pending” until the record is updated.
By default, in the absence of a CAA record, any CA can issue an SSL certificate for your domain. To restrict issuance to the CAs you actually use, publish a CAA record that names them.
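To see what the CA actually evaluates before it marks an order “Pending”, here is an added Python example (not from the original guide) that applies the CAA rules of RFC 8659 to a small constructed set of records: it climbs from the requested name to its parents until it finds a CAA RRset, then checks the issue and issuewild properties for the CA’s identifier. The zone data and the CA identifiers used in it are sample values.

```python
# Constructed stand-in for DNS answers: owner name -> list of CAA records
# as (flags, tag, value).  A real check would query the live zone instead.
SAMPLE_CAA = {
    "example.com.": [
        (0, "issue", "sectigo.com"),      # only Sectigo may issue ordinary certs
        (0, "issuewild", ";"),            # nobody may issue wildcard certs
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [],              # exists, but has no CAA of its own
    "legacy.example.com.": [(128, "futuretag", "x")],  # critical, unknown tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def find_caa_rrset(zone, name):
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset
    found at the name itself or, failing that, at each parent name in turn."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".", [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def ca_domains(values):
    """Strip optional ';param=value' parameters and return the CA identifiers.
    A bare ';' yields an empty identifier, meaning 'no CA at all'."""
    return {v.split(";", 1)[0].strip().lower() for v in values}


def caa_allows(zone, domain, ca_id, wildcard=False):
    """Return True if the CA identified by `ca_id` may issue for `domain`
    (or for '*.domain' when wildcard=True) under the zone's CAA policy."""
    rrset = find_caa_rrset(zone, domain)
    if not rrset:
        return True                       # no CAA anywhere: any CA may issue
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False                  # critical property the CA cannot honor
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                       # e.g. iodef only: issuance unrestricted
    return ca_id.lower() in ca_domains(relevant)
```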
Conclusion:
In conclusion, Domain Control Validation is a critical step in safeguarding web communication security, protecting users from potential threats, and preventing unauthorized SSL certificate issuance. With multiple validation methods available, DCV is a quick and straightforward process. Whether you’re a website owner or administrator, obtaining a domain control validated SSL certificate is a necessary step in establishing a secure online presence.