Domain Validation (DV)

- Authentication Requirements

Domain Validation (DV) SSL Certificates secure the connection between a customer's web browser and your website. The Domain Validation (DV) verification process is quick and efficient, so a DV certificate is the fastest way to get your website secured.


Domain Validated (DV) SSL Certificates are certificates for which the Certificate Authority (CA) checks and confirms only that the applicant controls the specified domain name. The SSL Certificate is then issued with the domain name only. No organisation/company information is included, so a DV certificate proves control of the domain but says nothing about who operates the site.

Domain Validated SSL Certificates come with the advantage of being issued almost immediately and without the need to submit paperwork.

Domain Validated SSL Certificate products are authenticated using one of three validation methods :

- Approver E-Mail Domain Control Validation (DCV)
- HTTP / File Based Domain Control Validation (DCV)
- DNS CNAME Based Domain Control Validation (DCV)

Orders for major corporations, well known trademarks and financial institutions may be queued for further security reviews prior to issuance.

In the event an order is queued for review the administrative contact must be a full-time employee of the company for successful issuance. A verification telephone call with the administrative contact may be required.

Domain Control Validation (DCV) Approver E-Mail

When purchasing an SSL Certificate, you choose an approver e-mail address during the ordering process from a shortlist of acceptable options. We send an e-mail to that address containing a unique validation code, together with a link to a page where the code can be entered. Entering the code proves domain control. The following generic e-mail addresses are currently able to be used :

- admin@yourdomain.com
- administrator@yourdomain.com
- hostmaster@yourdomain.com
- webmaster@yourdomain.com
- postmaster@yourdomain.com

The above addresses are generic administrative addresses at the domain being validated; receiving mail at one of them demonstrates that the applicant administers the domain name for which the SSL Certificate is being purchased. Because any of these mailboxes can approve issuance, make sure none of them can be registered or read by an untrusted user, for example on a shared mail service. If we are able to retrieve the Admin, Registrant, Tech or Zone e-mail address from the WHOIS database, that address can also be used.

If during the ordering process we are unable to retrieve the Admin, Registrant, Tech or Zone e-mail address from the WHOIS database, please proceed by choosing a generic address and then Contact Us as it may be possible for us to manually update the order with the contact e-mail address from the WHOIS database.

HTTP / File Based Domain Control Validation (DCV)

HTTP based DCV requires that an HTTP server be running on port 80, or an HTTPS server on port 443, of the Authorization Domain Name (the domain name at which domain control is checked, which may be a parent of the name in the certificate). We follow CNAMEs when completing HTTP based DCV. We look for the file at every valid Authorization Domain, i.e. we start with the Fully Qualified Domain Name (FQDN) and then strip one or more labels from left to right in the FQDN, looking for the file on each intermediate domain.

To complete your order using this authentication method, you will need to install a validation file onto your website. The validation file allows our systems to authenticate your SSL Certificate order. The validation file must be located within a specific directory.

To complete this task you will need to create a new directory at the root level of your existing website file structure called :

.well-known

Additionally, inside this newly created directory another directory will need to be created called :

pki-validation

When you are placing an order for your SSL Certificate, two hashes will be created from the CSR that you have generated and provided. A plain text file will need to be created on the HTTP/S server of the Authorization Domain Name, with one hash as the filename, and one hash within the text file itself. We call this text file the Request Token.

For example : A CSR is generated with the Common Name (CN) www.yourdomain.com. The Authorization Domain Name will be yourdomain.com. The CSR is hashed using both the MD5 and SHA-256 hashing algorithms.

Below is an example of a generated MD5 hash and a SHA-256 hash that we will use for our examples :

- MD5 : C7FBC2039E400C8EF74129EC7DB1842C
- SHA-256 : c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f

A file will need to be created using the MD5 hash as the file name and .txt as the file extension.

Below is an example of what the website path will need to look like :

https://www.yourdomain.com/.well-known/pki-validation/C7FBC2039E400C8EF74129EC7DB1842C.txt

Inside this text file, the SHA-256 hash must be placed on the first line and the domain comodoca.com on the second line.

Below is an example of what the content inside the text file will look like :

c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f
comodoca.com

Once the order is received and HTTP based DCV is specified, the validation system checks for the presence of the text file and its content. If the file is found and the hash values match, domain control is proven.

When your order has been placed and is being processed, you will receive an e-mail containing the hashes and instructions on how to use them. For HTTP based DCV the e-mail will include the ready-made validation file as an attachment, so you only need to place it in the directory structure described above.

You can also access the hashes and instructions from your Trustico® account. You can simply 'View' your order and the instructions & hashes will be available in there.

DNS CNAME Based Domain Control Validation (DCV)

DNS CNAME based DCV requires the creation of a unique DNS CNAME record, pointed back to the CA of the SSL Certificate purchased. The CNAME is then checked at every valid Authorization Domain, i.e. we start with the Fully Qualified Domain Name (FQDN) and then we will strip one or more labels from left to right in the FQDN and will look for the CNAME on each intermediate domain.

For example : For a certificate request with the FQDN *.mail.internal.yourdomain.com, we would look for the DNS CNAME record at these names, in this order :

- mail.internal.yourdomain.com
- internal.yourdomain.com
- yourdomain.com

When you are placing an order for your SSL Certificate, two hashes will be created from the CSR that you have generated and provided. A DNS CNAME record will need to be created under the Authorization Domain Name and we call the content of the DNS CNAME record the Request Token.

For example : A CSR is generated with the Common Name (CN) www.yourdomain.com. The Authorization Domain Name will be yourdomain.com. The CSR is hashed using both the MD5 and SHA-256 hashing algorithms.

Below is an example of a generated MD5 hash and a SHA-256 hash that we will use for our examples.

- MD5 : C7FBC2039E400C8EF74129EC7DB1842C
- SHA-256 : c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f

To complete your order using this authentication method, you will need to add a DNS CNAME record to your DNS servers so that our systems can authenticate your SSL Certificate order.

In most circumstances your DNS records are managed by your hosting provider or domain registrar. If you have access to your DNS records, you must add the record described below to successfully fulfil the validation requirements.

During the validation procedure you will receive an e-mail with further instructions for this authentication method. If you do not have access to your DNS records, you can forward that e-mail to the hosting provider or domain registrar that manages them.

Below is an example of how the DNS CNAME record will need to be structured :

DNS CNAME record : _<MD5 Hash>.yourdomain.com CNAME

DNS CNAME value : <SHA-256 Hash>.[<Unique Value>.]comodoca.com

Please note :

- The MD5 hash must be preceded by a leading underscore. This underscore is required and must be part of the DNS CNAME record name for our servers to pick it up during validation.
- The <Unique Value> is optional and is not required to complete the validation process. If you would like a unique value to be part of your DNS CNAME record, please Contact Us to discuss your requirements.

Once the DNS CNAME record has been created, our system will check for it periodically for up to 30 days. The check is made against the public DNS, so allow time for the record to propagate. The DNS CNAME record allows your SSL Certificate order to be authenticated and your SSL Certificate to be issued.

To perform DNS CNAME record based DCV, below is an example of how the DNS CNAME record and value should look :

DNS CNAME record : _C7FBC2039E400C8EF74129EC7DB1842C.yourdomain.com CNAME

DNS CNAME value (Without a unique value) : c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f.comodoca.com

DNS CNAME value (With a unique value) : c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f.your-unique-value.comodoca.com

The Authorization Domain Names will be scanned for the presence of this DNS CNAME record. If found, domain control is proven and the Domain Validation (DV) certificate can be issued.

When your order has been placed and is being processed, you will receive an e-mail containing the hashes and instructions on how to use them. For DNS CNAME based DCV the e-mail will contain the complete record name and value, ready to copy and paste into your DNS zone.

You can also access the hashes and instructions from your Trustico® account. You can simply 'View' your order and the instructions & hashes will be available there.
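The following script is an added worked example, not Trustico's or the CA's own code. It derives the Request Token described in the HTTP / File Based and DNS CNAME Based sections above from a CSR, renders the validation file and the CNAME record, walks the Authorization Domain Names the way the page describes, and performs the same matching checks the validator is described as making. It assumes the hashes are taken over the DER encoding of the CSR (the page only says "the CSR is hashed") and that the domain walk stops at the second-level domain (a real CA uses the Public Suffix List for that decision). The CSR embedded below is a constructed stand-in so the script runs offline; the hash values quoted on the page are reused as PAGE_TOKEN.

```python
"""Added worked example (not Trustico's or the CA's own code): derive the DCV
Request Token from a CSR and render / check it for both the HTTP file method
and the DNS CNAME method described on this page."""
import base64
import hashlib
import re

CA_SUFFIX = "comodoca.com"  # the CA suffix quoted on the page

# Hash values quoted on the page, reused here as worked-example input.
PAGE_TOKEN = {
    "md5": "C7FBC2039E400C8EF74129EC7DB1842C",
    "sha256": "c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f",
}

# Constructed stand-in for a PEM CSR so the script runs offline. The base64
# payload is arbitrary bytes, not a real PKCS#10 request.
CONSTRUCTED_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.b64encode(b"constructed stand-in for DER-encoded CSR bytes").decode()
    + "\n-----END CERTIFICATE REQUEST-----\n"
)


def csr_der_bytes(csr_pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes.

    Assumption (the page only says "the CSR is hashed"): the hashes are taken
    over the DER encoding, so re-wrapping or re-saving the PEM file does not
    change them."""
    body = re.sub(r"-----(BEGIN|END) (NEW )?CERTIFICATE REQUEST-----", "", csr_pem)
    return base64.b64decode("".join(body.split()))


def request_token(der: bytes) -> dict:
    """The two hashes the page describes: MD5 in upper case (file / record
    name) and SHA-256 in lower case (file content / record value)."""
    return {"md5": hashlib.md5(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest()}


def authorization_domains(fqdn: str) -> list:
    """Walk the FQDN as the page describes: drop a leading wildcard label, then
    strip one label at a time from the left. Assumption: the walk stops at the
    second-level domain; a real CA consults the Public Suffix List to decide
    where a registrable domain ends (e.g. for .co.uk names)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def http_validation(token: dict, host: str, scheme: str = "https") -> tuple:
    """Return (URL, file body) for HTTP / file based DCV."""
    url = f"{scheme}://{host}/.well-known/pki-validation/{token['md5']}.txt"
    return url, f"{token['sha256']}\n{CA_SUFFIX}\n"


def dns_validation(token: dict, authorization_domain: str, unique_value: str = None) -> tuple:
    """Return (record name, CNAME target) for DNS CNAME based DCV."""
    name = f"_{token['md5']}.{authorization_domain}"
    parts = [token["sha256"]] + ([unique_value] if unique_value else []) + [CA_SUFFIX]
    return name, ".".join(parts)


def http_body_matches(body: str, token: dict) -> bool:
    """What the validator checks in a fetched file: the SHA-256 on line 1 and
    the CA suffix on line 2. Case and surrounding whitespace are ignored."""
    lines = [line.strip().lower() for line in body.strip().splitlines()]
    return len(lines) >= 2 and lines[0] == token["sha256"] and lines[1] == CA_SUFFIX


def cname_target_matches(target: str, token: dict) -> bool:
    """What the validator checks in a resolved CNAME target:
    <sha256>.[<unique value>.]comodoca.com (trailing dot tolerated)."""
    t = target.lower().rstrip(".")
    return t.startswith(token["sha256"] + ".") and t.endswith("." + CA_SUFFIX)


if __name__ == "__main__":
    token = request_token(csr_der_bytes(CONSTRUCTED_CSR_PEM))
    # Every Authorization Domain the validator would try for www.yourdomain.com
    for host in authorization_domains("www.yourdomain.com"):
        url, body = http_validation(token, host)
        print(url, "->", body.split())
    print(dns_validation(token, "yourdomain.com", "your-unique-value"))
```

To reproduce the hashes with OpenSSL instead, convert the request to DER and digest it: `openssl req -in request.csr -outform DER | openssl dgst -md5` and the same pipeline with `-sha256`; the MD5 output must be upper-cased for the file or record name.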

Additional Information

Domain Validated SSL Certificates can be issued in as little as 5 minutes using any of the above authentication methods. Orders that have been queued for the further security review described above will take longer. If you believe that your SSL Certificate order is not being issued in time, you can Contact Us for help in getting your order completed and issued.