Domain Control Validation by DNS CNAME Method

To prove domain control with this DCV method, you create a temporary CNAME record in the domain's DNS zone. The record name is a CA-issued token placed under the domain, and the record target is a hostname that the CA controls. The CA queries public DNS for that name; the domain is approved when the CA finds the expected CNAME record.


How to set up DNS CNAME Token DCV method

  1. Locate the pending order in your GeoCerts CertCommand account. Click on a domain in the "You Need To... > Prove Control Over Domains" section.

  2. From the DCV Method dropdown, choose DNS CNAME Token and copy both the Hostname Token string (the record name) and the Value string (the record target). Note: The token value expires after thirty days; if the order is not validated within that time, generate a new token and update the record.



    Note: The example above shows Hostname Token and Value strings for DigiCert and GeoTrust orders. The Value string for Sectigo and PositiveSSL orders is a much longer hostname ending in sectigo.com (e.g., 6C25483595D7C679E95089.A8B39E5E63890EB00A887B9.b6gnGbHI.sectigo.com). Copy it exactly; the hash portions are case-sensitive in the CA's comparison, so do not retype them by hand.
  3. Log in to your DNS provider's portal and add a DNS CNAME record to your domain. Below is an example using AWS Route 53 DNS.

    The CNAME record belongs in the base domain's zone, with the Hostname Token as the leftmost label. For instance, if your FQDN is mail.example.com, create the record as <token>.example.com in the example.com zone, not as <token>.mail.example.com. A record at the base domain validates the subdomains on the order as well.
    1. In the Record Name field, copy and paste the Hostname Token from step 2. Route 53 appends the zone name for you, so enter only the token label.
    2. In the Value field, copy and paste the domain Value from step 2.
    3. Set a low Time-to-Live (TTL), for example a few minutes, so the record propagates quickly and a typo can be corrected without a long wait.
    4. Save the CNAME record.



  4. Check your live DNS CNAME record for propagation.

    Use Google Admin Toolbox Dig, or the dig command from a terminal, to query the CNAME record name (<token>.example.com) and confirm that the answer is the Value from step 2. If the token value is not returned, the record was entered incorrectly or has not propagated yet. Wait at least the record's TTL and check again. Note that a lookup made before the record existed can leave a cached negative answer at a public resolver for the zone's negative-cache TTL; querying the domain's authoritative name servers directly shows whether the record itself is live.

  5. Check DCV approval. 

    Once your new DNS CNAME record resolves correctly from public resolvers, go back to step 2 and click the CHECK button.



    When the correct DNS CNAME record is located, that domain is checked off and approved. Repeat for all domains on the certificate order. The record is temporary and can be removed once the certificate has been issued.
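The following shell script is an added example for steps 4 and 5 above; it is not part of the GeoCerts article or the CertCommand tool. It checks a DCV CNAME record the way a CA does: it resolves the token name, normalizes the answer (DNS names are case-insensitive and dig returns a trailing dot), and compares it with the expected Value. It also queries the zone's authoritative name servers before a public resolver, so a cached negative answer at the resolver is not mistaken for a missing record. The token label, domain, target and the 8.8.8.8 resolver are placeholders, not values from a real order.

```shell
#!/usr/bin/env bash
# Added example: verify a DCV CNAME record before clicking CHECK in the CA portal.
# All names and tokens below are placeholders, not values from a real order.

set -u

# Lower-case a DNS name and strip one trailing dot, so "A.Example.com." equals "a.example.com".
normalize_name() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Compare the CNAME target(s) returned by `dig +short` with the expected target.
# $1: raw dig output (zero or more lines), $2: expected target from the CA portal.
# Returns 0 on match, 1 when a CNAME exists but points elsewhere, 2 when no CNAME was returned.
dcv_match() {
  expected=$(normalize_name "$2")
  [ -z "$1" ] && return 2
  printf '%s\n' "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]' | grep -qxF "$expected"
}

# Query the CNAME at a specific resolver. $1: record FQDN, $2: resolver IP or hostname.
# Asking the zone's own authoritative servers sidesteps negative caching at public resolvers.
dcv_lookup() {
  dig +short +time=3 +tries=1 CNAME "$1" @"$2"
}

# Full check: $1 token label, $2 base domain, $3 expected target.
# Queries each authoritative server for the base domain, then a public resolver, and reports each.
dcv_check() {
  token="$1"; base="$2"; expected="$3"
  fqdn="$token.$base"
  for ns in $(dig +short NS "$base") 8.8.8.8; do
    rc=0
    dcv_match "$(dcv_lookup "$fqdn" "$ns")" "$expected" || rc=$?
    case $rc in
      0) echo "OK       $fqdn -> $expected (via $ns)" ;;
      1) echo "MISMATCH $fqdn via $ns: CNAME present but target differs from expected" ;;
      *) echo "MISSING  $fqdn via $ns: no CNAME returned (not created yet, or negative-cached)" ;;
    esac
  done
}

# Example invocation (placeholder values):
# dcv_check _a1b2c3d4e5f6 example.com a1b2c3d4e5f6.dcv.example-ca.test
```

If every authoritative server reports OK but the public resolver still reports MISSING, the record is live and the resolver is serving a cached negative answer; wait out the zone's negative-cache TTL (the minimum field of the SOA record) before asking the CA to re-check.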