Domain Control Validation by DNS CNAME Method

To prove domain control with this DCV method, you create a temporary CNAME host record on the domain's DNS namespace with a target hash value pointing back to the CA. The domain will be approved when the CA locates the correct CNAME record. 

How to set up the DNS CNAME Token DCV method

Step 1. Locate the pending order in your GeoCerts CertCommand account. Click on a domain in the "You Need To... > Prove Control Over Domains" section.

DCV management

Step 2. From the DCV Method dropdown, choose DNS CNAME Token and copy the Hostname Token string. Note: The token value expires after thirty days.

CNAME DCV management

Note: The example above shows Hostname Token and Value strings for DigiCert and GeoTrust orders. The Value string for Sectigo and PositiveSSL orders will be a much longer hash URL string (e.g., 6C25483595D7C679E95089.A8B39E5E63890EB00A887B9.b6gnGbHI.sectigo.com).

Step 3. Log in to your DNS provider's portal and add a DNS CNAME record to your domain. Below is an example using AWS Route 53 DNS.

CNAME records should be added to the base domain. For instance, if your FQDN is mail.example.com, add the CNAME record to just example.com, not mail.example.com.

  1. Copy and paste the Hostname Token from step 2 in the Record Name field.
  2. In the Value field, copy and paste the domain Value from step 2.
  3. Set a low Time-to-Live (TTL) for this record.
  4. Save the CNAME record.

AWS Route 53

Step 4. Check your live DNS CNAME record for propagation.

Use Google Admin Toolbox Dig to test your new DNS CNAME record. If you don't see the token value, it's not set up correctly, or the record has not propagated yet. Note the TTL and check again later.

Google Admin Toolbox Dig

Step 5. Check DCV approval.

Once you know your new DNS CNAME record is set up correctly and has propagated globally, go back to step 2 and click the CHECK button.

Check for token.


When the correct DNS CNAME record is located, that domain will be checked off and approved. Repeat for all domains on the certificate order.

Domain approved.

Scans of your DNS CNAME record will begin immediately after you enroll for an SSL certificate, and automatic checks will be made periodically until the correct DNS response is found. You can also force re-checks using step 5 above. 
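The following is an added example, not GeoCerts' or any CA's code, that models the check a CA runs against your CNAME record and the "propagated globally" condition above. Live DNS queries are replaced by an injectable lookup function so it runs offline; the zone data, resolver names and tokens are constructed placeholders, and the 30-day token lifetime is taken from the note in step 2.

```python
# Added example: CA-side style check of a DNS CNAME DCV record (not vendor code).
# DNS is replaced by an injectable lookup so the example runs offline.
from datetime import date, timedelta

TOKEN_LIFETIME = timedelta(days=30)  # the article: token value expires after 30 days


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and a trailing dot is just FQDN syntax."""
    return name.strip().rstrip(".").lower()


def token_expired(issued: date, today: date) -> bool:
    """True once the Hostname Token is past its 30-day lifetime and must be reissued."""
    return today - issued > TOKEN_LIFETIME


def check_cname_dcv(record_name, expected_value, lookup, resolvers):
    """Return (approved, per_resolver_details).

    lookup(resolver, qname) -> list of CNAME targets ([] when the record is absent).
    Approval requires every resolver to return the expected target, which is what
    'propagated globally' means in practice; lagging resolvers are reported by name."""
    want, qname, details = normalize(expected_value), normalize(record_name), {}
    for r in resolvers:
        targets = [normalize(t) for t in lookup(r, qname)]
        if not targets:
            details[r] = "no CNAME (not created, or not propagated yet)"
        elif want in targets:
            details[r] = "ok"
        else:
            details[r] = f"wrong target {targets[0]!r}"
    return all(v == "ok" for v in details.values()), details


# Constructed stand-in for live DNS: each resolver's current view of example.com.
# Names, tokens and the CA hostname are placeholders, not real DCV values.
FAKE_ZONES = {
    "ns1.example-dns.test": {"_abc123token.example.com": ["_abc123token.dcv.example-ca.test."]},
    "ns2.example-dns.test": {"_abc123token.example.com": ["_ABC123TOKEN.DCV.EXAMPLE-CA.TEST"]},
    "ns3.example-dns.test": {"_abc123token.example.com": ["_oldtoken.dcv.example-ca.test"]},
    "203.0.113.53": {},  # resolver still caching the zone from before the record was added
}


def fake_lookup(resolver, qname):
    """Hypothetical lookup; a real check would issue a CNAME query to `resolver`."""
    return FAKE_ZONES[resolver].get(qname, [])
```

Run against the constructed zones, the first two resolvers approve (case and trailing dot do not matter), the third reports a stale target and the fourth reports no record, so the overall result is "not yet approved" with a reason per resolver, exactly the signal you want before clicking CHECK.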

Choosing and changing the DCV method

You choose the initial DCV method when placing an SSL/TLS order. You can change the current DCV method - for example, from Email Verification to DNS CNAME - at any time by clicking the button for any domain on the order that is not approved.  

Additional Resources