Domain Validation SSL certificates are the most basic of the three types of SSL/TLS certificates. That’s because Domain Validation is just a single step. The Certificate Authority must simply verify that the person or organisation applying for the certificate owns the registered domain.
How do I prove Domain Control to the Certificate Authority (CA)?
The easiest method for demonstrating domain control is email-based authentication. During email-based authentication, the CA sends an email to a pre-approved address. There are several ways to do this, but the CA is going to start by looking at your domain’s WHOIS record.
WHOIS is an internet database that stores domain registration information. For this approach to work, the WHOIS record must be publicly available. The CA will send a message to any email address listed in your domain’s WHOIS record.
Since the GDPR has come into effect, many registrars have closed their WHOIS lookups or have fully redacted their clients’ information in them; however, some registrars’ WHOIS data is still visible and in use. If the CA can grab an email address from the WHOIS record, they’ll send an email to that address. Once that message gets responded to, you’ve satisfied this requirement.
The impact of GDPR on WHOIS listings is still under debate, so until ICANN and the CAB Forum can come up with a workaround there are several other ways to satisfy the Domain Validation requirement.
- Alternative Methods...
- Pre-Approved Email Addresses
- File-Based Authentication
- DNS CNAME-Based Authentication
- DNS TXT-Based Authentication
Pre-Approved Email Addresses
The CA can use any of the below pre-approved email addresses to satisfy the domain validation requirement:
File-Based Authentication
The CA provides you with a text file that contains a unique value. You need to create two nested sub-folders under the publicly accessible web root for your domain and place the text file in the inner one.
- Folder #1: Must be named exactly “.well-known”
- Folder #2: Must be created inside Folder #1 and named exactly “pki-validation”
The goal of this validation method is to see the contents of your text file when you navigate to the following URL in your browser:
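The URL is built from your domain and the file name the CA issues. As an added example (not code from the article or from any CA), the Python below constructs that URL and simulates the CA's check on the fetched response, reporting the usual reasons a deployment fails: a non-200 status, an HTML catch-all page returned with 200, and a file whose contents differ from the issued value. It assumes the check tolerates a UTF-8 BOM and surrounding whitespace (real CAs differ in strictness); the domain, file name and token are constructed sample values.

```python
"""Simulate the HTTP fetch a CA performs for file-based domain validation.

Added example, not part of the original article. The folder names
(.well-known/pki-validation) are the ones the article specifies; the domain,
file name and token used below are constructed sample values.
"""
import posixpath
import re
from urllib.parse import urlunsplit

# URL path prefix formed by the two required folders.
VALIDATION_PREFIX = "/.well-known/pki-validation/"

# A CA-issued file name is a plain token. Anything else (slashes, "..",
# whitespace) is rejected so the path can never leave the validation folder.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def build_validation_url(domain: str, filename: str, scheme: str = "http") -> str:
    """Return the URL the CA will request for this domain and file name."""
    if not _SAFE_NAME.fullmatch(filename) or ".." in filename:
        raise ValueError(f"unsafe validation file name: {filename!r}")
    host = domain.strip().lower().rstrip(".")
    path = posixpath.join(VALIDATION_PREFIX, filename)
    return urlunsplit((scheme, host, path, "", ""))


def validate_response(status: int, body: bytes, expected_token: str) -> tuple:
    """Decide whether a fetched response proves control, and explain a failure.

    Assumption (not from the article): a UTF-8 BOM and surrounding whitespace,
    which editors commonly add to a hand-made file, are tolerated.
    """
    if status != 200:
        return False, (f"HTTP {status}: the file is not being served; check the folder "
                       "names and that the server does not block dot-directories")
    text = body.decode("utf-8-sig", errors="replace").strip()  # utf-8-sig drops a BOM
    if not text:
        return False, "empty response body"
    if text.startswith("<"):
        # A 200 carrying HTML usually means a catch-all page or soft-404, not our file.
        return False, "response looks like an HTML page rather than the text file"
    if text != expected_token:
        return False, "file contents do not match the CA-issued value"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: what a correct deployment would return.
    print(build_validation_url("Example.com", "A1B2C3.txt"))
    print(validate_response(200, b"\xef\xbb\xbfA1B2C3D4E5\r\n", "A1B2C3D4E5"))
```

To use it against a real deployment, fetch the URL that build_validation_url returns (with curl or a browser) and pass the status code and raw body to validate_response; the returned reason string tells you which of the common misconfigurations to look at first.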
DNS CNAME-Based Authentication (Comodo)
Comodo will provide you with two unique hash values that will make up your CNAME record. You must use the following format:
- Hostname Value: unique_value_1.yourdomain.com
- Points To Value: unique_value_2.comodoca.com
DNS TXT-Based Authentication (Symantec/GeoTrust/Thawte/RapidSSL/DigiCert)
The CA provides you with a unique value that you will input into your DNS settings as a TXT record. The TXT record must use the following format:
- Host Name Value: Leave blank or enter the @ symbol (both denote the bare domain itself).
- TXT Value: The unique value given by the CA.
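Before asking the CA to re-run its check, it helps to confirm that the record you published has exactly the shape described above. The following added example (not code from the article or from any CA) verifies both the Comodo CNAME layout and the TXT layout. It assumes the zone is supplied as an in-memory dictionary in place of a live DNS lookup so that it runs offline, that a blank or "@" Host Name field means the bare domain, and that TXT data may arrive wrapped in double quotes as zone files show it; the domain, hash values and token are constructed.

```python
"""Check that DNS validation records have the shape the article describes.

Added example, not part of the original article. The CNAME and TXT layouts
come from the article; the domain, hash values and the zone below are
constructed, and lookups run against that in-memory zone instead of live DNS.
"""
from typing import Dict, List, Tuple

# name -> list of (record type, record data), written the way a zone file shows them.
Zone = Dict[str, List[Tuple[str, str]]]


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def expected_cname(domain: str, unique_value_1: str, unique_value_2: str) -> Tuple[str, str]:
    """(hostname, target) of the CNAME record in the Comodo format from the article."""
    return f"{unique_value_1.lower()}.{_norm(domain)}", f"{unique_value_2.lower()}.comodoca.com"


def txt_record_name(domain: str, host_field: str) -> str:
    """Resolve the 'Host Name' field: blank or '@' means the bare domain."""
    host = _norm(host_field)
    return _norm(domain) if host in ("", "@") else f"{host}.{_norm(domain)}"


def _unquote_txt(data: str) -> str:
    """Zone files and many DNS panels wrap TXT data in double quotes; remove one pair."""
    d = data.strip()
    return d[1:-1] if len(d) >= 2 and d[0] == d[-1] == '"' else d


def _lookup(zone: Zone, name: str) -> List[Tuple[str, str]]:
    """All records at a name, matched case-insensitively and ignoring a trailing dot."""
    return [(t.upper(), d) for n, rrs in zone.items() if _norm(n) == name for t, d in rrs]


def check_cname(zone: Zone, domain: str, v1: str, v2: str) -> Tuple[bool, str]:
    """Verify the CNAME validation record, including the one-record-per-name rule."""
    host, target = expected_cname(domain, v1, v2)
    rrs = _lookup(zone, host)
    cnames = [_norm(d) for t, d in rrs if t == "CNAME"]
    if not cnames:
        return False, f"no CNAME record at {host}"
    if len(rrs) > 1:
        # RFC 1034: a name that has a CNAME may carry no other record.
        return False, f"{host} has other records alongside the CNAME"
    if cnames[0] != target:
        return False, f"CNAME at {host} points to {cnames[0]}, expected {target}"
    return True, "ok"


def check_txt(zone: Zone, domain: str, host_field: str, token: str) -> Tuple[bool, str]:
    """Verify the TXT validation record; unrelated TXT data (e.g. SPF) may coexist."""
    name = txt_record_name(domain, host_field)
    values = [_unquote_txt(d) for t, d in _lookup(zone, name) if t == "TXT"]
    if not values:
        return False, f"no TXT records at {name}"
    if token not in values:
        return False, f"none of the TXT records at {name} equals the CA-issued value"
    return True, "ok"


# Constructed sample zone: a correct Comodo-style CNAME plus a correct TXT record
# sitting next to an unrelated SPF record at the bare domain.
SAMPLE_ZONE: Zone = {
    "example.com.": [("TXT", '"v=spf1 -all"'), ("TXT", '"DV_TOKEN_0001"')],
    "HASH1.example.com.": [("CNAME", "hash2.comodoca.com.")],
}

if __name__ == "__main__":
    print(check_cname(SAMPLE_ZONE, "example.com", "hash1", "hash2"))
    print(check_txt(SAMPLE_ZONE, "example.com", "@", "DV_TOKEN_0001"))
```

The CNAME check deliberately fails when any other record shares the hostname, because resolvers will not return a CNAME alongside, say, an A record at the same name; the TXT check only requires that one of the TXT strings at the name equals the issued value, since SPF, DMARC and similar records legitimately live at the bare domain too.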
All of these methods will satisfy the domain validation requirement for any level of SSL certificate.