To prove domain control with this DCV method, you create a temporary CNAME record in the domain's DNS zone. The host name of the record is a hash value supplied by the CA, and its target is a hash-based name that points back to the CA. The domain is approved once the CA locates the correct CNAME record for it.
The DNS CNAME Token DCV method is not supported for GeoTrust DV SSL/TLS products. All GeoTrust and DigiCert OV and EV products do support CNAME.
Locate the pending order in your GeoCerts CertCommand account. Click on a domain in the "You Need To..." section.
From the DCV Method dropdown, choose DNS CNAME Token and copy the File Content token string. Note: the token value expires after thirty days.
Open a text editor (such as Notepad), paste the unique hash token into a new file, and save the file as fileauth.txt.
Create a public directory on your server: /.well-known/pki-validation
Note the leading dot in .well-known
For Windows-based servers, the .well-known folder must be created via command line (mkdir .well-known).
Add your fileauth.txt to the new directory so that every FQDN requested on the order serves the file at the public URL http://<fqdn>/.well-known/pki-validation/fileauth.txt (in this example you will need one for www.example.com and one for plain example.com).
Test the URL in a browser using HTTP or HTTPS to verify that it responds properly. Your browser should display your unique hash token. The token value must be publicly accessible and cannot be behind a firewall. Multiple redirects will prevent DCV approval, and only ports 80 and 443 will be accepted.
Once you confirm that each FQDN responds with the correct token you can click the Check button to verify and approve DCV token values. Complete the steps above for EVERY FQDN domain name on the order. When all domains on the order are Approved the Domain Control
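The browser test above is easy to get wrong by hand, because a browser silently follows redirects and trims whitespace. The following script is an added example (not GeoCerts or CA code) that fetches the file the way a strict validator would: over both http and https, with no redirects followed, and comparing the body to the token. It assumes curl is installed; the file path is the one given in the steps above, and the token and host names are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example: verify the fileauth.txt DCV file for each FQDN before
# clicking Check. Not the CA's or GeoCerts' own code. Assumes curl.

# Path the CA fetches, as stated in the steps above.
DCV_PATH="/.well-known/pki-validation/fileauth.txt"

# Build the URL the CA will request for a given scheme and FQDN.
dcv_url() {
    # $1 = scheme (http|https), $2 = FQDN
    printf '%s://%s%s\n' "$1" "$2" "$DCV_PATH"
}

# Compare a fetched body with the expected token, ignoring any surrounding
# whitespace or trailing newline that a text editor may have added.
# Returns 0 on match, 1 otherwise; an empty token never matches.
token_matches() {
    # $1 = fetched body, $2 = expected token
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    want=$(printf '%s' "$2" | tr -d '[:space:]')
    [ -n "$want" ] && [ "$body" = "$want" ]
}

# Fetch the file as a strict validator would: no redirects followed
# (--max-redirs 0), a short timeout, and the HTTP status code captured
# on the last line of the output so a 301/302 shows up as a failure.
check_fqdn() {
    # $1 = scheme, $2 = FQDN, $3 = expected token
    url=$(dcv_url "$1" "$2")
    out=$(curl -sS --max-redirs 0 --max-time 10 -w '\n%{http_code}' "$url") \
        || { echo "FAIL $url: curl error"; return 1; }
    code=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    if [ "$code" != "200" ]; then
        echo "FAIL $url: HTTP $code (redirects are not followed)"
        return 1
    fi
    if token_matches "$body" "$3"; then
        echo "OK   $url"
    else
        echo "FAIL $url: body does not match the token"
        return 1
    fi
}

# Usage: sh dcv_http_check.sh <token> <fqdn> [<fqdn> ...]
# Checks http and https for every FQDN, e.g. example.com and www.example.com.
if [ "$#" -ge 2 ]; then
    token=$1; shift
    status=0
    for host in "$@"; do
        for scheme in http https; do
            check_fqdn "$scheme" "$host" "$token" || status=1
        done
    done
    exit "$status"
fi
```

Run it with the token from CertCommand and every FQDN on the order; any line starting with FAIL means the CA's check would fail too. A non-200 status with redirects disabled usually means an http-to-https or www redirect is in the way, which is exactly the condition the text warns about.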
Log in to your DNS provider and create a new CNAME record.
In the Host Name field paste: _8DA14D435F7042B71E212832EBFFD76B (these are example values only, yours will be different)
In the Address/Target field paste: 825752855AAEE1C2D576C3E42746C31C.FEA7606054060C42EAC7F966BA72FFAD.sectigo.com
In the TTL field enter the shortest time-to-live that your DNS provider will allow. Some DNS providers will not allow you to set your own TTL (this is not a problem).
Save the CNAME record.
Check Your DNS for the New CNAME Record
Now that you have added a new CNAME record, it's time to do a DNS lookup. You can use What's My DNS to verify that your new CNAME record has propagated. Depending on the TTL value, it may take some time to show up.
You'll need to check for a CNAME record at the full FQDN: _8DA14D435F7042B71E212832EBFFD76B.geocerts.net (yours will be different)
Sectigo will automatically begin scans of your DNS records immediately after you enroll for an SSL certificate. If Sectigo does not find the required CNAME record their system will continue to check periodically until it receives the correct response.
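If you prefer to check from the command line instead of a web lookup tool, the script below is an added example (not GeoCerts or Sectigo code) that queries several public resolvers for the CNAME and compares the answer with the target the CA expects. It assumes dig is installed (the dnsutils or bind-utils package). The host and target values used in the test are the example values from the text; yours will be different, and the resolver addresses are an assumption you can change.

```shell
#!/bin/sh
# Added example: confirm the DCV CNAME record resolves to the expected
# target. Not the CA's or GeoCerts' own code. Assumes dig is available.

# Normalise a DNS name for comparison: names are case-insensitive, and
# dig prints answers fully qualified with a trailing dot.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Given the raw output of `dig +short CNAME <host>` and the expected
# target, succeed only when there is exactly one answer and it matches.
# No record, a different target, or several answers all fail.
cname_answer_ok() {
    # $1 = dig +short output, $2 = expected target
    answer=$(printf '%s\n' "$1" | sed '/^$/d')
    count=$(printf '%s\n' "$answer" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || return 1
    [ "$(normalize_name "$answer")" = "$(normalize_name "$2")" ]
}

# Ask several public resolvers (assumed addresses) rather than only the
# local one, so that propagation and not just a local cache is tested.
check_cname() {
    # $1 = validation host, e.g. _<hash>.example.com; $2 = expected target
    status=0
    for ns in 8.8.8.8 1.1.1.1 9.9.9.9; do
        out=$(dig +short +time=3 +tries=1 "@$ns" CNAME "$1" 2>/dev/null)
        if cname_answer_ok "$out" "$2"; then
            echo "OK   @$ns  $1 -> $out"
        else
            echo "WAIT @$ns  $1 -> ${out:-<no answer>}"
            status=1
        fi
    done
    return "$status"
}

# Usage: sh dcv_cname_check.sh <validation-host> <target>
if [ "$#" -eq 2 ]; then
    check_cname "$1" "$2"
    exit "$?"
fi
```

The validation host is the underscore-prefixed token followed by your domain, exactly as the text describes, so a typo in either part shows up as a WAIT line. Because the record is looked up at the full FQDN, the check fails if your DNS provider appended the domain a second time to the host name you pasted, which is a common cause of a record that "never propagates".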