Domain Control Validation (DCV) is used by the Certificate Authority before issuing an SSL certificate to verify that the person making the request is in fact authorized to use the domain related to that request. Methods for domain control validation differ per provider; the available methods are listed below.

Sectigo

  • EMAIL: Whois based or one of the pre-approved addresses; admin@domain, administrator@domain, hostmaster@domain, postmaster@domain, webmaster@domain. Use List DCV Email Addresses to query allowed addresses.
  • DNS: DNS CNAME record based on CSR, optionally in combination with a "uniqueValue", see Sectigo documentation for construction of the hash.
  • FILE: HTTP file based on CSR, optionally in combination with a "uniqueValue", see Sectigo documentation for construction of the hash.

DigiCert, GeoTrust, Thawte, RapidSSL, PerfectSSL

  • EMAIL: Whois based, DNS TXT based or one of the pre-approved addresses; admin@domain, administrator@domain, hostmaster@domain, postmaster@domain, webmaster@domain. Use List DCV Email Addresses to query allowed addresses.
  • DNS: DNS CNAME record based on a random value, required records are returned in the Info process response.
  • FILE: HTTP file based on a random value, required location and contents are returned in the Info process response.
  • authKey: Use authKey for immediate issuance of the certificate; if the validation fails, the request is rejected. There is no guarantee of immediate issuance; in certain circumstances the request may be processed asynchronously. Use Generate authKey to generate an authKey for a specific CSR and product combination.
    • DNS: DNS TXT record based on pre-calculated authKey; _dnsauth.domain TXT authKey
    • FILE: HTTP file with pre-calculated authKey; http://domain/.well-known/pki-validation/fileauth.txt
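
Because a failed authKey validation rejects the request, it pays to confirm the record or file is published before submitting. The following pre-flight check is an added example, not code from this documentation or the provider; the function names and status labels are hypothetical, and the DNS lookup is passed in as a callable because the Python standard library has no TXT resolver.

```python
import urllib.error
import urllib.request

def dcv_targets(domain):
    """TXT owner name and file URL for authKey DCV, as given on this page."""
    d = domain.strip().rstrip(".").lower()
    return f"_dnsauth.{d}", f"http://{d}/.well-known/pki-validation/fileauth.txt"

def classify(found, auth_key):
    """Compare the published values with the authKey."""
    if not found:
        return "missing"
    if auth_key in found:
        return "ok"
    # Assumption: the page does not say whether stray whitespace, quotes or a
    # BOM are tolerated, so a near-match is reported instead of accepted.
    if any(v.strip(' \t\r\n"\ufeff') == auth_key for v in found):
        return "near-match"
    return "mismatch"

def check_txt(records, auth_key):
    """records: one list of byte chunks per TXT record; DNS splits a record
    into character-strings of at most 255 bytes, so chunks are joined first."""
    return classify([b"".join(c).decode("utf-8", "replace") for c in records], auth_key)

def check_file(status, body, auth_key):
    if status in (301, 302, 303, 307, 308):
        return "redirect"  # assumption: the page does not say redirects are followed
    if status != 200:
        return "missing"
    return classify([body.decode("utf-8", "replace")], auth_key)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface a 3xx as HTTPError instead of following it

def fetch(url, timeout=10):
    """Plain-HTTP fetch returning (status, first 4 KiB of body)."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as r:
            return r.status, r.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, b""

def preflight(domain, auth_key, method, resolve_txt=None, fetch_url=fetch):
    """method is "DNS" or "FILE"; resolve_txt(name) must return TXT chunks,
    e.g. [r.strings for r in dns.resolver.resolve(name, "TXT")] with dnspython."""
    name, url = dcv_targets(domain)
    if method == "DNS":
        return check_txt(resolve_txt(name), auth_key)
    return check_file(*fetch_url(url), auth_key)
```

Submit the certificate request only when the result is "ok"; "near-match" and "redirect" point to a publishing problem (editor-added newline or BOM, quoted TXT value, forced HTTPS) worth fixing first.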

On the OT&E environment we have mocked the workings of most SSL suppliers, with some additional options to allow for testing of specific scenarios.

GeoTrust domain validation certificates are not mocked; they can be used to test DNS, HTTP and authKey validation flows. The issued certificates are valid for 3 days and not submitted to certificate transparency logs, so they are not deemed valid by clients.

For all other, mocked certificates the following rules can be used:

  • By default, all requests will pass validation within a few minutes
  • To slow down validation, set the "O" field in the CSR or the "organization" field in the request command to "wait". This way the validation will be slowed down to 1 minute. By inserting a number of minutes in the "OU" field in the CSR or the "department" field you can delay the request even more
  • The DCV email address "finish@dcv.now" can be used to complete DCV validation for pending requests, the request will finish within a few minutes if there are no other validations
  • The DCV email address "finish@request.now" can be used to complete all validations for pending requests, the request will finish within a few minutes
  • A certificate that expires in 5 days can be requested by setting the "O" field in the CSR or the "organization" field in the request command to "soonexpired"
  • A certificate that expired 5 days ago can be requested by setting the "O" field in the CSR or the "organization" field in the request command to "expired"