To prove domain control with this DCV method, you create a temporary CNAME host record on the domain's DNS namespace with a target hash value pointing back to the CA. The domain will be approved when the CA locates the correct CNAME record for the domain.
Note: The example above shows Hostname Token and Value strings for DigiCert and GeoTrust orders. The Value string for Sectigo and PositiveSSL orders will be a much longer hash URL string (e.g.,
Log in to your DNS provider's portal and add a DNS CNAME record to your domain. Below is an example using AWS Route 53 DNS.
Check your live DNS CNAME record for propagation.
Use Google Admin Toolbox Dig to test your new DNS CNAME record. If you don't see the token value, it's not set up correctly, or the record has not propagated yet. Note the TTL and check again later.