Domain Control Validation by DNS CNAME Method

To prove domain control with this DCV method, you create a temporary CNAME record in the domain's DNS zone. The CA supplies both halves of the record: a unique host name (a hashed token) and a target address that points back to the CA. The domain is approved once the CA finds the correct CNAME record. Because anyone who can publish records in that zone can pass the check, keep write access to the zone limited, and remove the record once the certificate has been issued.

A. Instructions for GeoTrust and DigiCert orders

  1. Locate the pending order in your GeoCerts CertCommand account and click a domain in the 'You Need To...' section.

  2. From the DCV Method dropdown, choose DNS CNAME Token and copy the token string shown under File Content. Note: the token value expires after thirty days.

  3. Open a text editor (such as Notepad), paste the unique hash token into a new file with nothing else in it, and save the file as fileauth.txt.

  4. Create a public directory on your server: /.well-known/pki-validation

    Note the leading dot in .well-known. On Windows-based servers the .well-known folder must be created from the command line (mkdir .well-known).
  5. Add your fileauth.txt to the new directory so that you end up with the following public URLs for each FQDN requested (In this example you will need one for and one for plain

  6. Test the URL in a browser over HTTP or HTTPS to verify that it responds correctly: the browser should display your unique hash token and nothing else. The token must be publicly accessible and cannot sit behind a firewall. Multiple redirects will prevent DCV approval, and only ports 80 and 443 are accepted.


  7. Once you confirm that each FQDN responds with the correct token, click the Check button to verify and approve the DCV token values. Complete the steps above for EVERY FQDN on the order. When all domains on the order are Approved the Domain Control
    • CNAME Host:
    • Target Address:
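As an added example (not code from this page or from GeoCerts, DigiCert or GeoTrust), the following Python script automates step 6 for every FQDN on an order: it fetches the token URL over both HTTP and HTTPS, counts redirects, rejects ports other than 80 and 443, and compares the response body with the token exactly. The FQDNs and token at the bottom are constructed placeholders, and TLS trust is deliberately not verified, because the certificate being ordered is usually not installed yet and the check is about reachability and content, not trust.

```python
"""Pre-check HTTP token URLs for file-based DCV before clicking Check.

Added example; not GeoCerts, DigiCert or GeoTrust code. It encodes the page's
rules: token file at /.well-known/pki-validation/fileauth.txt, reachable over
HTTP or HTTPS, ports 80/443 only, more than one redirect fails. The FQDN list
and token in the demo are constructed placeholders; use the values from your
order. TLS trust is not verified on purpose (the cert being ordered is usually
not installed yet).
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

TOKEN_PATH = "/.well-known/pki-validation/fileauth.txt"
ALLOWED_PORTS = {80, 443}   # page: only ports 80 and 443 are accepted
MAX_REDIRECTS = 1           # page: "multiple redirects" prevent approval


@dataclass
class Result:
    url: str
    ok: bool
    reason: str


def evaluate(url: str, status: int, hops: int, body: str, token: str) -> Result:
    """Apply the DCV rules to one fetched response. Pure, so it can be unit-tested."""
    parts = urllib.parse.urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return Result(url, False, f"port {port} is not 80 or 443")
    if status == 0:
        return Result(url, False, f"unreachable: {body}")
    if status != 200:
        return Result(url, False, f"HTTP {status}")
    if hops > MAX_REDIRECTS:
        return Result(url, False, f"{hops} redirects; more than one redirect fails DCV")
    content = body.strip()
    if content != token:
        if "<html" in body.lower():
            return Result(url, False, "got an HTML page (error page or directory listing), not the token")
        return Result(url, False, f"body {content[:40]!r} does not equal the token exactly")
    return Result(url, True, "token served correctly")


class _CountingRedirects(urllib.request.HTTPRedirectHandler):
    """Follow redirects as a browser would, but count the hops."""

    def __init__(self) -> None:
        super().__init__()
        self.hops = 0

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops += 1
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url: str, timeout: float = 10.0):
    """Return (status, redirect_hops, body_text) for a token URL; status 0 means unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # a trusted cert for this name may not exist yet
    ctx.verify_mode = ssl.CERT_NONE
    counter = _CountingRedirects()
    opener = urllib.request.build_opener(counter, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, counter.hops, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, counter.hops, ""
    except (urllib.error.URLError, OSError) as exc:
        return 0, counter.hops, str(exc)


def check_all(fqdns, token, fetcher=fetch):
    """Check http:// and https:// for every FQDN on the order; each one must pass."""
    results = []
    for fqdn in fqdns:
        for scheme in ("http", "https"):
            url = f"{scheme}://{fqdn}{TOKEN_PATH}"
            status, hops, body = fetcher(url)
            results.append(evaluate(url, status, hops, body, token))
    return results


if __name__ == "__main__":
    # Constructed placeholders: replace with the FQDNs and token from your order.
    for r in check_all(["www.example.com", "example.com"], "PASTE-TOKEN-FROM-ORDER"):
        print("PASS" if r.ok else "FAIL", r.url, "-", r.reason)
```

Run it before clicking Check; every line must read PASS. A FAIL that mentions an HTML page usually means the web server returned its error page or a directory listing, which a browser may render in a way that makes the problem easy to miss.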

    Instructions for Setting Up a DNS CNAME Record

    Domain Control Validation (DCV) by DNS CNAME requires the creation of a unique CNAME record, with a host name and target address supplied in the order, that points back to Sectigo.

    Example: your FQDN is

    Adding a DNS CNAME record requires three fields: Host Name, Target Address, and Time-to-Live (TTL).
    1. Locate the order in your GeoCerts SSL Manager account. Review the information in the Domain Control Validation section. You will see...
      • CNAME Host:
      • Target Address:

    2. Log in to your DNS provider and create a new CNAME record.
    3. In the Host Name field paste:
      _8DA14D435F7042B71E212832EBFFD76B (these are example values only, yours will be different)
    4. In the Address/Target field paste:
    5. In the TTL field, enter the shortest time-to-live your DNS provider allows; a short TTL lets you correct a mistake quickly. Some DNS providers do not let you set your own TTL, which is not a problem, since the CA keeps rechecking.
    6. Save the CNAME record.
    Example DNS configuration at

    Check Your DNS for the New CNAME Record

    Now that you have added the CNAME record, do a DNS lookup to confirm it is visible. You can use What's My DNS to verify that the new record has propagated; depending on the TTL it may take some time to show up. Query a public resolver rather than your own, which may still hold a cached answer from before the record existed.

    You'll need to check for a CNAME record at the full FQDN: (yours will be different)


    Sectigo automatically begins scanning your DNS records immediately after you enroll for an SSL certificate. If it does not find the required CNAME record, its system continues to check periodically until it receives the correct response.
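As an added example (not code from this page or from GeoCerts or Sectigo), the following Python script checks the CNAME record the way the CA will see it, using the output of `dig` against a public resolver and the CNAME Host / Target Address pair from the order. The host label, zone and target in it are constructed placeholders (the host label copies the shape of the page's example; the target is made up). The three misconfigurations it flags, a provider appending the zone to the target, the host entered as a full FQDN so the zone is appended twice, and the record created as the wrong type, are common DNS-provider mistakes and are not something the page itself lists.

```python
"""Check a DCV CNAME record from `dig` output before and after it propagates.

Added example; not GeoCerts or Sectigo code. Parses `dig +noall +answer` text
and compares the record against the CNAME Host / Target Address from the order.
Host label, zone and target in the demo are constructed placeholders. The
misconfigurations flagged are common DNS-provider mistakes (assumption, not
from the page).
"""
import re
import subprocess

# The page's example host is an underscore followed by 32 hex characters.
HOST_LABEL_RE = re.compile(r"^_[0-9A-F]{32}$", re.IGNORECASE)


def normalize(name: str) -> str:
    """DNS names are case-insensitive and dig prints them with a trailing dot."""
    return name.rstrip(".").lower()


def parse_dig_answer(text: str):
    """Parse 'owner TTL IN TYPE rdata' lines into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        owner, ttl, rtype = normalize(parts[0]), int(parts[1]), parts[3].upper()
        rdata = " ".join(parts[4:])
        if rtype == "CNAME":
            rdata = normalize(rdata)
        records.append((owner, ttl, rtype, rdata))
    return records


def check_cname(records, host_label: str, zone: str, expected_target: str):
    """Return (ok, explanation) for the DCV record; records may come from several queries."""
    if not HOST_LABEL_RE.match(host_label):
        return False, f"host label {host_label!r} does not look like a DCV host value"
    fqdn = normalize(f"{host_label}.{zone}")
    doubled = normalize(f"{fqdn}.{zone}")
    target = normalize(expected_target)
    owners = {r[0] for r in records}
    if fqdn not in owners and doubled in owners:
        return False, "host was entered as a full FQDN, so the provider appended the zone twice; enter only the label"
    at_name = [r for r in records if r[0] == fqdn]
    if not at_name:
        return False, "no record at that name yet (not created, or not propagated)"
    cnames = [r for r in at_name if r[2] == "CNAME"]
    if not cnames:
        return False, f"record exists but is type {at_name[0][2]}, not CNAME"
    _, ttl, _, got = cnames[0]
    if got == target:
        note = "" if ttl <= 3600 else f"; TTL {ttl}s is long, so corrections will be slow to show"
        return True, f"CNAME matches (TTL {ttl}s){note}"
    if got == normalize(f"{target}.{zone}"):
        return False, "target had the zone appended; enter it as an absolute name (trailing dot) if the provider allows"
    return False, f"target mismatch: got {got!r}, expected {target!r}"


def live_records(host_label: str, zone: str, resolver: str = "1.1.1.1"):
    """Query a public resolver (what the CA sees, not your local cache) for the name and the doubled name."""
    out = []
    for name in (f"{host_label}.{zone}", f"{host_label}.{zone}.{zone}"):
        for rtype in ("CNAME", "TXT"):   # TXT too, to catch a record created as the wrong type
            proc = subprocess.run(["dig", f"@{resolver}", "+noall", "+answer", name, rtype],
                                  capture_output=True, text=True, check=False)
            out.append(proc.stdout)
    return parse_dig_answer("".join(out))


if __name__ == "__main__":
    # Constructed placeholders: copy the CNAME Host and Target Address from your order.
    HOST = "_8DA14D435F7042B71E212832EBFFD76B"
    ZONE = "example.com"
    TARGET = "PASTE-TARGET-FROM-ORDER.sectigo.com"
    ok, why = check_cname(live_records(HOST, ZONE), HOST, ZONE, TARGET)
    print("PASS" if ok else "FAIL", "-", why)
```

Keep the script running until it reports PASS from the public resolver; a PASS from your own resolver only proves your cache, not what Sectigo's scanner will receive. The target comparison is exact after case and trailing-dot normalization, so a zone name silently appended by the provider's web form shows up as a specific failure rather than a vague mismatch.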

    Additional Resources

Please contact our support team if you have any additional problems or questions.

Dec 5, 2018 Scott Rogers