DNS CNAME Based Domain Control Validation (DCV)
DNS CNAME based DCV requires the creation of a unique DNS CNAME record that points back to the Certificate Authority (CA) issuing the SSL Certificate you have purchased. The CNAME is then checked at every valid Authorization Domain Name : we start with the Fully Qualified Domain Name (FQDN) from the order, strip one label at a time from the left, and look for the CNAME on each intermediate domain down to the registered domain.
For example : For a certificate request for the FQDN *.mail.internal.yourdomain.com, the wildcard label is dropped and we look for the DNS CNAME record in these places, in this order :
- mail.internal.yourdomain.com
- internal.yourdomain.com
- yourdomain.com
When you place an order for your SSL Certificate, two hashes are created from the CSR that you generated and provided. A DNS CNAME record then needs to be created under one of the Authorization Domain Names, and we call the content of that DNS CNAME record the Request Token.
For example : A CSR is generated with the Common Name (CN) www.yourdomain.com. The Authorization Domain Name used in the examples below is yourdomain.com. The CSR is hashed using both the MD5 and SHA-256 hashing algorithms.
Below is an example of a generated MD5 hash and a SHA-256 hash that we will use for our examples.
- MD5 : C7FBC2039E400C8EF74129EC7DB1842C
- SHA-256 : c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f
To complete your order using this authentication method, you will need to add a DNS CNAME record to your DNS servers so that our systems can authenticate your SSL Certificate order.
In most circumstances your DNS records are managed by your hosting provider or domain registrar. If you have access to your DNS records, you must add the record described below to fulfil the validation requirements.
During the validation procedure you will receive an e-mail containing instructions for this authentication method. If your DNS records are managed by your hosting provider or domain registrar and you do not have access to them yourself, you can forward that e-mail to your hosting provider or domain registrar so they can create the record for you.
Below is an example of how the DNS CNAME record will need to be structured :
DNS CNAME record : _<MD5 Hash>.yourdomain.com CNAME
DNS CNAME value : <SHA-256 Hash>.[<Unique Value>.]comodoca.com
Please note :
- The leading underscore at the start of the MD5 hash. This leading underscore is necessary and must be present in the DNS CNAME record name for our servers to pick it up during validation.
- The <Unique Value> is optional and is not required to complete the validation process. If you would like a unique value to form part of your DNS CNAME record, please Contact Us to discuss your requirements.
Once the DNS CNAME record has been created, our system will periodically check for it for up to 30 days. The record must be resolvable from the public internet, so allow for your DNS provider's propagation time before expecting the check to succeed. Locating the DNS CNAME record allows your SSL Certificate order to be authenticated and your SSL Certificate to be issued.
To perform DNS CNAME record based DCV, below is an example of how the DNS CNAME record and value should look :
DNS CNAME record : _C7FBC2039E400C8EF74129EC7DB1842C.yourdomain.com CNAME
DNS CNAME value (Without a unique value) : c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f.comodoca.com
DNS CNAME value (With a unique value) : c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f.your-unique-value.comodoca.com
The Authorization Domain Names will be scanned for the presence of this DNS CNAME record. If it is found with the expected value, domain control is proven and the Domain Validation (DV) certificate can be issued.
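The following Python script is an added example, not code from this page or from Trustico or Comodo, that performs the two steps described above : it derives the ordered list of Authorization Domain Names from the FQDN in the order (wildcard label dropped, then one label stripped at a time), and it builds the DNS CNAME record name and Request Token from a CSR using MD5 and SHA-256. It assumes the hashes are computed over the DER-encoded CSR (the base64 body inside the PEM armour), and it assumes the registered domain is simply the last two labels; a real CA consults the Public Suffix List for that. The embedded CSR is a constructed placeholder whose body decodes to the bytes "abc" so the digests can be checked against the published MD5 and SHA-256 test vectors; substitute your real PEM CSR.

```python
import base64
import hashlib
from typing import List, Optional, Tuple

# Constructed sample. This PEM body is NOT a real certificate request; it is the
# base64 encoding of b"abc", chosen so the digests match well-known test vectors.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
YWJj
-----END CERTIFICATE REQUEST-----
"""

CA_SUFFIX = "comodoca.com"  # suffix used in the page's examples


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes.

    Assumption (not stated on the page): the CA hashes the DER-encoded CSR,
    not the PEM text, so decode before hashing.
    """
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def authorization_domains(fqdn: str, base_labels: int = 2) -> List[str]:
    """Return the Authorization Domain Names the CA scans, most specific first.

    A leading wildcard label is removed, then one label is stripped from the
    left at a time. Assumption: the registered domain is the last `base_labels`
    labels; a real CA would use the Public Suffix List instead.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    candidates = []
    while len(labels) >= base_labels:
        candidates.append(".".join(labels))
        labels = labels[1:]
    return candidates


def request_token(der: bytes, unique_value: Optional[str] = None) -> Tuple[str, str]:
    """Return (MD5 hex in upper case, CNAME target) formatted as on the page."""
    md5_hex = hashlib.md5(der).hexdigest().upper()
    sha256_hex = hashlib.sha256(der).hexdigest().lower()
    if unique_value:
        target = f"{sha256_hex}.{unique_value}.{CA_SUFFIX}"
    else:
        target = f"{sha256_hex}.{CA_SUFFIX}"
    return md5_hex, target


def dcv_cname_records(pem: str, fqdn: str,
                      unique_value: Optional[str] = None) -> List[Tuple[str, str]]:
    """All (owner name, CNAME target) pairs the CA would accept for this order.

    Publishing any one of them is sufficient; the leading underscore on the
    owner name is mandatory.
    """
    md5_hex, target = request_token(pem_to_der(pem), unique_value)
    return [(f"_{md5_hex}.{adn}", target) for adn in authorization_domains(fqdn)]


def cname_matches(observed_target: str, expected_target: str) -> bool:
    """CA-side comparison of the resolved CNAME target with the Request Token.

    DNS names are case-insensitive and resolvers may return a trailing dot,
    so normalise both sides before comparing.
    """
    def norm(name: str) -> str:
        return name.lower().rstrip(".")
    return norm(observed_target) == norm(expected_target)


if __name__ == "__main__":
    for owner, target in dcv_cname_records(SAMPLE_CSR_PEM, "*.mail.internal.yourdomain.com"):
        print(f"{owner}. IN CNAME {target}.")
```

Run it against your own CSR and publish the first (or any) printed record; the shorter owner names let one record cover several orders under the same registered domain as long as the CSR, and therefore the MD5, is the same.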
When your order has been placed and is being processed, you will receive an e-mail containing the hashes and instructions on how to use them. For DNS CNAME based DCV the e-mail contains a ready-made record that you can copy and paste directly into your DNS zone as the CNAME record.
You can also access the hashes and instructions from your Trustico® account. You can simply ‘View’ your order and the instructions & hashes will be available there.