Support Desk

  1. Support Desk
  2. Domain Control Validation

Domain Control Validation by DNS CNAME Method

What is Domain Control Validation by DNS CNAME?

This DCV method applies only to Sectigo and PositiveSSL orders.

It's the responsibility of the Certification Authority (CA) to verify that the entity requesting a cert (you) has the right to use the domains in the cert. One way to prove this is by adding a DNS CNAME record. Ordinarily, A Canonical Name (abbreviated as CNAME) record maps one domain name to another but it can also be used by CAs as a way to verify that you have domain control.

Instructions for Setting Up a DNS CNAME Record

Domain Control Validation (DCV) by DNS CNAME requires the creation of a unique CNAME record that points back to Sectigo.

Example: your FQDN is www.geocerts.net. Adding a DNS CNAME record will require three fields: Host Name, Target Address, and Time-to-Live (TTL).
  1. Locate the order in your GeoCerts SSL Manager account. Review the information in the Domain Control Validation section. You will see...
    • CNAME Host: _8DA14D435F7042B71E212832EBFFD76B.www.geocerts.net
    • Target Address: 825752855AAEE1C2D576C3E42746C31C.FEA7606054060C42EAC7F966BA72FFAD.sectigo.com
      include-the-underscore.png
  2. Log in to your DNS provider and create a new CNAME record.
  3. In the Host Name field paste:
    _8DA14D435F7042B71E212832EBFFD76B (these are example values only, yours will be different)
  4. In the Address/Target field paste:
    825752855AAEE1C2D576C3E42746C31C.FEA7606054060C42EAC7F966BA72FFAD.sectigo.com
  5. In the TTL field enter the shortest time-to-live that your DNS provider will allow. Some DNS providers will not allow you to set your own TTL (not a problem).
  6. Save the CNAME record.
enom-dns-cname.png
Example DNS configuration at Enom.com

Check Your DNS for the New CNAME Record

Now that you have added a new CNAME record it's time to do a DNS lookup. Use can use What's My DNS to verity that your new CNAME record has propagated. Depending on the TTL value it may take some time to show up.

You'll need to check for a CNAME record at the full FQDN:
_8DA14D435F7042B71E212832EBFFD76B.geocerts.net (yours will be different)

undefined

Sectigo will automatically begin scans of your DNS records immediately after you enroll for an SSL certificate. If Sectigo does not find the required CNAME record their system will continue to check periodically until it receives the correct response.

Additional Resources

Please contact our support team if you have any additional problems or questions.

Dec 5, 2018 Scott Rogers