Domain Control Validation by DNS CNAME Method
When ordering an SSL/TLS certificate, the Certificate Authority (CA) must confirm that you control the domain name(s) listed in the certificate request. One of the simplest ways to prove this is through DNS CNAME-based Domain Control Validation (DCV).
This article explains how to create the required DNS CNAME record for both DigiCert brands (DigiCert, GeoTrust, RapidSSL) and Sectigo brands (Sectigo, PositiveSSL).
What Is DNS CNAME DCV?
DNS CNAME DCV involves creating a special DNS record that links your domain to a unique validation token provided by the CA. The CA then queries DNS for this record to verify domain control automatically.
Step 1: Find Your Validation Token
After you place your order, navigate to the section You Need To... under Order Status. You’ll see Domain Control Validation (DCV) buttons for each domain (SAN) on the certificate order that needs to be validated.
Example tokens
DigiCert / GeoTrust / RapidSSL
- Host Name: _dnsauth.example.com
- Value: <unique-hash>.dcv.digicert.com
Sectigo / PositiveSSL
- Host Name: _abc1234567890.example.com
- Value: <unique-hash>.sectigo.com
Note: The actual host and value will be unique for your domain and can be copied directly from your order details page.
Step 2: Add the CNAME Record to Your DNS Zone
You can add the record through your DNS hosting provider (e.g., Cloudflare, GoDaddy, Route 53, etc.).
Example: DigiCert/GeoTrust brand certificate
- Record Type: CNAME
- Host / Name: _dnsauth.example.com
- Value / Points to: _1b2c3d4e5f6.dcv.digicert.com
- TTL: 300 (or "automatic")
Example: Sectigo/PositiveSSL brand certificate
- Record Type: CNAME
- Host / Name: _abc1234567890.example.com
- Value / Points to: 57785BB0EAE231146F9275.82B4F85F3E4281A42.sectigo.com
- TTL: 300 (or "automatic")
Step 3: Wait for DNS Propagation
Once the record is saved, the change usually becomes visible within a few minutes; in rare cases it can take up to 24 hours, depending on your DNS host and on how long resolvers cache earlier answers.
You can verify the record yourself using:
nslookup -type=cname _dnsauth.example.com
or
dig CNAME _abc1234567890.example.com
When DNS is resolving correctly, the answer shows the "Points to" value you entered (dig prints it as a fully qualified name with a trailing dot). If a public resolver still returns nothing, query one of the zone's authoritative name servers directly (dig's @server option) to confirm the record is really in the zone: a resolver that was asked before the record existed may cache that negative answer for a while.
Step 4: Validation Completes Automatically
After the record is detected, the CA will automatically complete validation. You’ll receive an email when your certificate is issued.
Tips and Troubleshooting
- Make sure there are no extra periods or spaces in the CNAME target value.
- Do not use quotation marks around the record.
- Verify that you're editing the correct domain's DNS zone. In most cases you will be adding a record to the base domain (e.g., if validating mail.example.com, the record goes under example.com, not mail.example.com). The host name shown on your order details page tells you exactly where it belongs.
- Some DNS systems automatically append the domain to the record name. If your provider does this, enter only the prefix (e.g., _dnsauth) instead of the full FQDN; otherwise you end up with a host such as _dnsauth.example.com.example.com, which the CA will never query.
- If you use Cloudflare, make sure the record's Proxy Status is set to DNS Only (gray cloud), not Proxied (orange cloud).
- If the domain publishes a CAA record, it must permit the CA that is issuing your certificate; CAs check CAA at issuance time, so a restrictive CAA record blocks issuance even after DCV has succeeded.
Sectigo Multi-Level DCV Behavior
Sectigo allows DCV at any intermediate domain level. For example, if you request a certificate for:
three.two.one.example.com
you can prove control using a CNAME record at two.one.example.com. Sectigo will check upward through each level until a valid match is found.
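The following script is an added example for this article and is not GeoCerts, DigiCert or Sectigo tooling. It pulls the checks above into one pre-flight pass: it lints a host/value pair for the data-entry mistakes listed under Tips (stray whitespace, quotation marks, empty labels, a zone name the provider appended twice), lists the host names a CA that walks upward through the labels would look at, and compares what `dig +short` returns against the expected target while ignoring case and the trailing dot. The host and value strings are taken from the article's examples; the lookup function is injectable so the logic can be exercised without network access.

```python
#!/usr/bin/env python3
"""Pre-flight checks for a DNS CNAME DCV record.

Added example for this article; not GeoCerts, DigiCert or Sectigo tooling.
Sample host/value strings in the self-check below are taken from the
article's examples and are illustrative only.
"""
import re
import shutil
import subprocess

# One DNS label: letters, digits, hyphen, plus the leading underscore that
# DCV host names use.  Assumption: RFC 1035's 63-octet label limit.
LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def normalize_name(name: str) -> str:
    """Canonical form for comparison: lower-case, no surrounding whitespace,
    no trailing dot (dig prints CNAME targets as FQDNs ending in '.')."""
    return name.strip().rstrip(".").lower()


def lint_cname(host: str, value: str) -> list:
    """Catch the data-entry mistakes from the Tips section before saving.
    Returns human-readable problems; an empty list means the pair looks sane."""
    problems = []
    for kind, text in (("host", host), ("value", value)):
        if text != text.strip():
            problems.append(f"{kind}: leading or trailing whitespace")
        if any(q in text for q in ('"', "'")):
            problems.append(f"{kind}: quotation marks are not part of the record")
        inner = text.strip().rstrip(".")
        if " " in inner:
            problems.append(f"{kind}: contains a space")
        if inner.startswith(".") or ".." in inner:
            problems.append(f"{kind}: extra period (empty label)")
        for label in inner.split("."):
            if label and not LABEL_RE.match(label):
                problems.append(f"{kind}: invalid label {label!r}")
    # Heuristic for a provider that auto-appended the zone, e.g.
    # _dnsauth.example.com.example.com: the last two labels repeat.
    parts = normalize_name(host).split(".")
    if len(parts) >= 4 and parts[-2:] == parts[-4:-2]:
        problems.append("host: zone name appears twice (provider auto-appended the domain?)")
    return problems


def validation_hosts(fqdn: str, host_prefix: str) -> list:
    """Host names a CA that checks upward through each level (the Sectigo
    behaviour described above) would query, most specific first.  Stops at
    the two-label domain; public-suffix handling (co.uk etc.) is not attempted."""
    labels = normalize_name(fqdn).split(".")
    return [host_prefix + "." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def cname_matches(dig_short_output: str, expected_target: str) -> bool:
    """True if any line of `dig +short` output equals the expected target,
    ignoring case and the trailing dot."""
    targets = [normalize_name(ln) for ln in dig_short_output.splitlines() if ln.strip()]
    return normalize_name(expected_target) in targets


def dig_cname(host: str, nameserver: str = "") -> str:
    """Run `dig +short CNAME <host>`, optionally against a specific server.
    Asking the zone's authoritative server sidesteps resolver caching."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install dnsutils / bind-utils")
    cmd = ["dig"] + (["@" + nameserver] if nameserver else []) + ["+short", "CNAME", host]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def check_record(host: str, expected_target: str, lookup=dig_cname) -> dict:
    """Lint the pair, then confirm what DNS currently returns for it.
    `lookup` is injectable so the logic can be tested offline."""
    result = {"problems": lint_cname(host, expected_target), "resolves": False}
    if not result["problems"]:
        result["resolves"] = cname_matches(lookup(host), expected_target)
    return result


if __name__ == "__main__":
    # Illustrative values from the article; replace with your order's token.
    host, target = "_dnsauth.example.com", "_1b2c3d4e5f6.dcv.digicert.com"
    print("lint:", lint_cname(host, target) or "ok")
    print("hosts a CA walking upward would check:")
    for h in validation_hosts("three.two.one.example.com", "_abc1234567890"):
        print("  ", h)
    try:
        print("live check:", check_record(host, target))
    except (RuntimeError, subprocess.CalledProcessError) as exc:
        print("live check skipped:", exc)
```

Run the lint before saving the record at your DNS host, and run the live check against an authoritative server for the zone once you have saved it; a clean lint with `resolves: False` from a public resolver usually just means the resolver has not picked the record up yet.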
Need Help?
If you’re unsure where to add the record or need help locating your DCV token, please contact GeoCerts Support at support@geocerts.com — we’ll be glad to assist.