Just like with DV and EV SSL certificates, one of the crucial checks for Organisation Validated SSL is Domain Verification. This is where the Certificate Authority (CA) must verify that your organisation owns the domain that you are trying to secure.
How Do I Show Domain Ownership?
To satisfy the Domain Verification requirement you must simply prove that your organisation owns the domain that was listed on your Certificate Request.
There are several ways to do this, but the CA is going to start by looking at your domain’s WHOIS registry. WHOIS, is an internet database that stores domain registrar information. For this approach to work the WHOIS record must be publicly available. The CA will send a message to any email address listed on your WHOIS.
Since the GDPR has come into effect, many registrars have closed their WHOIS look ups or have fully redacted their client’s information on them, however some registrar’s WHOIS data is still visible and in use. If the CA is able to locate an email address from the WHOIS, they’ll send an email to that address. Once the steps listed in the email have been completed, you’ve satisfied this requirement.
The impacts of GDPR on WHOIS are still be hotly debated, so until ICANN and the CAB Forum can come up with a workaround there are a pair of other ways to satisfy the Domain Verification requirement.
- Additional ways to satisfy this requirement include:
- Proof of Right Email
- File-Based Authentication
- DNS CNAME-Based Authentication
- DNS TXT-Based Authentication
- Professional Opinion Letter
Proof of Right Email
The CA can also use one of five default email addresses listed below to verify domain ownership:
The CA provides you with a text file that contains a unique value. You just need to add 2 sub-folders to the publicly accessible directory for your domain and then put the text-file into those folders.
- Folder #1: Must be named exactly “.well-known”
- Folder #2: Must be created inside of Folder #1 and named exactly “pki-validation”
The goal of this validation method is to see the contents of your text file when you navigate to the following URL in your browser:
DNS CNAME-Based Authentication (Comodo)
Comodo will provide you with two unique hash values that will make up your CNAME record. You must use the following format:
- Hostname Value: unique_value_1.yourdomain.com
- Points To Value: unique_value_2.comodoca.com
DNS TXT-Based Authentication (Symantec/GeoTrust/Thawte/RapidSSL/DigiCert)
The CA provides you with a unique value that you will input into your DNS settings as a TXT record. The TXT record must use the following format:
- The Host Name Value: Left blank or insert the @ symbol.
- The TXT Value: The unique value as given by the CA.
Legal Opinion Letter
As with most other requirements, a Legal Opinion Letter (also known as a Professional Opinion Letter or POL) will satisfy this requirement. You need only get an attorney or accountant to sign one for you and the CA will accept it as proof of domain ownership.
- Example Comodo Legal Opinion Letter
- Example GeoTrust Legal Opinion Letter
- Example Symantec Legal Opinion Letter
- Example Thawte Legal Opinion Letter
All of these methods will satisfy the Domain Verification requirement.