How to Verify Domain Ownership (Domain Validation for SSL)?

This KB article explains how to prove domain ownership (Domain Validation) during the SSL/TLS certificate issuance process. It applies to DV, OV, and EV certificates.


🔍 Overview

Before issuing a certificate, a publicly trusted Certificate Authority (CA) must confirm that the requester owns or controls every domain name that will appear in it. This step is called Domain Validation (DV) and is required for all certificate types (DV, OV, and EV); OV and EV only add identity checks of the organization on top of it.

This article explains the 3 standard domain validation methods used by CAs:

  1. Email-Based Validation

  2. DNS-Based Validation

  3. HTTP File Upload Validation


✅ Who Requires Domain Validation?

  • Any individual or organization purchasing an SSL/TLS certificate

  • Applies to Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) certificates

  • OV/EV certificates also require business verification, but domain control is still mandatory


🔐 Methods to Verify Domain Ownership


📧 1. Email-Based Validation

Step-by-Step:

  1. When ordering the SSL certificate, select Email Validation as the method.

  2. The CA sends a confirmation email to one of the addresses it is permitted to use for the domain. The standard set (defined in the CA/Browser Forum Baseline Requirements) is:

     • admin@yourdomain.com
     • administrator@yourdomain.com
     • webmaster@yourdomain.com
     • hostmaster@yourdomain.com
     • postmaster@yourdomain.com

     Some CAs can also use the registrant or admin contact published in the domain's WHOIS/RDAP record, where that data is still visible.

  3. Open the email and click the verification link (or enter the validation code in the CA's portal).

  4. Once confirmed, the certificate is issued.

✅ Pros:

  • Easy for most users who already have access to a domain mailbox

❗ Cons:

  • Requires the domain to have one of the above addresses set up and monitored

  • Whoever can read that mailbox can obtain certificates for the domain, so protect it like an administrator account


🌐 2. DNS-Based Validation (TXT Record)

This method involves creating a DNS TXT record that the CA looks up to confirm you control the zone.

Step-by-Step:

  1. During the SSL order, select DNS Validation.

  2. The CA will provide a unique record name and value. The name depends on the CA: ACME-based CAs (for example Let's Encrypt) use _acme-challenge.<domain>, while commercial CA portals usually use a record at the domain itself or a CA-specific label. For ACME it looks like:

     _acme-challenge.yourdomain.com. IN TXT "abc123xyzvalidationtoken"

  3. Log into your DNS provider (Cloudflare, GoDaddy, Route 53, etc.).

  4. Create the TXT record exactly as instructed: the host/name field and the quoted value must match character for character (watch for trailing spaces, and for providers that append your domain to the name automatically).

  5. Save and wait for the record to reach your authoritative nameservers (usually 5–30 minutes). CAs query the authoritative nameservers, so check the record there (for example, dig TXT _acme-challenge.yourdomain.com @ns1.yourprovider.example) rather than through your local resolver, whose cache may lag behind.

  6. The CA will verify the record automatically (or when you click "Check" in its portal).

✅ Pros:

  • No need for email or website access

  • Works for domains with no live web server, and is required for wildcard names, which the HTTP method cannot validate

❗ Cons:

  • Requires DNS management access

  • Propagation delay may affect issuance time
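As an added example (not code from this article or from any CA), the script below shows how an ACME client derives the _acme-challenge TXT value from the challenge token and its account key (RFC 8555 section 8.4, using the RFC 7638 JWK thumbprint), builds the zone-file line, and checks a set of TXT answers the way the CA does before asking for validation. Commercial CA portals simply hand you the value, but the shape of the check is the same. The domain, token and the answer strings are constructed; the RSA public key is the well-known example key reproduced in RFC 7638 section 3.1, and any JWK works for the derivation.

```python
"""ACME DNS-01 helper (added example; not from the article or any CA).

For ACME-based CAs (RFC 8555) the client derives the TXT value itself:
    key_authorization = token + "." + thumbprint(account JWK)      # RFC 8555 s8.1
    TXT value         = base64url(SHA-256(key_authorization))      # RFC 8555 s8.4
The thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the required
members of the key only, lexically sorted, no whitespace. Standard library only.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 section 3: keep only the required members for the key type, sorted, compact."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The string an HTTP-01 file contains; DNS-01 publishes its hash instead."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def dns01_record(domain: str, token: str, jwk: dict, ttl: int = 300) -> str:
    """Zone-file line to add. A wildcard request for *.example.com is validated at
    _acme-challenge.example.com, so a leading '*.' is dropped from the name."""
    name = domain[2:] if domain.startswith("*.") else domain
    return f'_acme-challenge.{name}. {ttl} IN TXT "{dns01_txt_value(token, jwk)}"'


def txt_answers_satisfy(answers, token: str, jwk: dict) -> bool:
    """What the CA checks: at least one TXT string at the name equals the expected value.
    Pass the raw strings returned by a query against the authoritative nameservers
    (e.g. dig +short TXT _acme-challenge.example.com @ns1.yourprovider.example)."""
    expected = dns01_txt_value(token, jwk)
    return any(a.strip().strip('"') == expected for a in answers)


# Constructed inputs for a stand-alone run (assumptions, not values from the article's CA).
EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "kid": "2011-04-29",   # not a required member: ignored by the thumbprint
}
EXAMPLE_TOKEN = "abc123xyzvalidationtoken"   # the placeholder token used in the article
EXAMPLE_DOMAIN = "yourdomain.com"

if __name__ == "__main__":
    print(dns01_record(EXAMPLE_DOMAIN, EXAMPLE_TOKEN, EXAMPLE_JWK))
    # Simulated answers from the authoritative nameserver: one stale record, one current.
    answers = ['"stale-value-from-last-renewal"',
               '"' + dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK) + '"']
    print("ready for CA check:", txt_answers_satisfy(answers, EXAMPLE_TOKEN, EXAMPLE_JWK))
```

Because the CA accepts the name if any TXT string matches, a stale record from a previous renewal does not block validation; it only makes the zone harder to audit, which is why the old value should be removed after issuance.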


🌍 3. HTTP File Upload Validation

The CA provides a file that must be served from a specific path on your web server.

Step-by-Step:

  1. Choose HTTP File Validation during SSL setup.

  2. The CA provides a file like:

    • Filename:
      .well-known/pki-validation/abc12345.txt
      (ACME-based CAs use .well-known/acme-challenge/<token> instead)

    • Contents:
      A long token string for verification

  3. Upload this file so that it is served at:

     http://yourdomain.com/.well-known/pki-validation/abc12345.txt

  4. Ensure it is publicly accessible over plain HTTP (port 80): fetch it from outside your network, confirm a 200 response whose body is exactly the token, and do not rely on the CA following a redirect to HTTPS or to www.

  5. The CA fetches the file to confirm ownership.

✅ Pros:

  • No email or DNS changes needed

❗ Cons:

  • Requires FTP/SSH or other write access to the web root

  • Cannot be used for domains that don't have live hosting, and is not permitted for wildcard names
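The pre-flight check below is an added example (not from the article or any CA). It fetches the validation URL the way a strict CA does, over plain HTTP with no redirect following, and reports every reason the CA's fetch would fail: a redirect to HTTPS, a catch-all HTML page, a byte-order mark from a Windows editor, or a body that does not match the token. assess_response() is a pure function, so the same rules apply to a response captured any other way. The domain, file name, token and the responses used for the stand-alone run are constructed.

```python
"""Pre-flight check for HTTP file validation (added example; not from the article or any CA).

The CA requests http://<domain>/.well-known/pki-validation/<file> (ACME CAs use
/.well-known/acme-challenge/<token>) and expects HTTP 200 with a body that is exactly
the token. fetch_without_redirects() retrieves a URL the way a strict CA does;
assess_response() applies the checks to any (status, headers, body) triple.
"""
import urllib.error
import urllib.request

PKI_VALIDATION_PATH = "/.well-known/pki-validation/"


def validation_url(domain: str, filename: str, path: str = PKI_VALIDATION_PATH) -> str:
    # Plain HTTP on port 80: do not assume the CA will follow a redirect to HTTPS.
    return f"http://{domain}{path}{filename}"


def _header(headers: dict, name: str, default: str = "") -> str:
    return next((v for k, v in headers.items() if k.lower() == name.lower()), default)


def assess_response(status: int, headers: dict, body: bytes, expected_token: str) -> list:
    """Return the reasons a CA fetch would fail; an empty list means the file passes."""
    problems = []
    if 300 <= status < 400:
        problems.append(f"redirect ({status}) to {_header(headers, 'Location', '?')}: "
                        "exempt /.well-known/ from HTTPS and www redirects")
        return problems
    if status != 200:
        problems.append(f"HTTP {status}: file not found or blocked (check path, permissions, WAF/bot rules)")
        return problems
    # A UTF-8 BOM written by some editors is invisible in a browser but breaks an exact match.
    text = body.decode("utf-8", errors="replace").lstrip("\ufeff")
    if "html" in _header(headers, "Content-Type").lower() or \
            text.lstrip().lower().startswith(("<!doctype", "<html")):
        problems.append("HTML response: a catch-all or error page is served instead of the raw file")
    if text.strip() != expected_token:
        problems.append("body does not match the token exactly (extra text, wrong file, or token not saved)")
    return problems


def fetch_without_redirects(url: str, timeout: float = 10.0):
    """Fetch like a strict CA: plain HTTP, no redirect following. Returns (status, headers, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def check(domain: str, filename: str, expected_token: str) -> list:
    status, headers, body = fetch_without_redirects(validation_url(domain, filename))
    return assess_response(status, headers, body, expected_token)


if __name__ == "__main__":
    # Offline demonstration on constructed responses (assumed values, not real CA data).
    token = "abc123xyzvalidationtoken"
    samples = {
        "good file":        (200, {"Content-Type": "text/plain"}, b"abc123xyzvalidationtoken\n"),
        "forced https":     (301, {"Location": "https://yourdomain.com/.well-known/pki-validation/abc12345.txt"}, b""),
        "catch-all page":   (200, {"Content-Type": "text/html"}, b"<html><body>abc123xyzvalidationtoken</body></html>"),
        "missing":          (404, {"Content-Type": "text/html"}, b"Not Found"),
    }
    for label, (status, headers, body) in samples.items():
        print(label, "->", assess_response(status, headers, body, token) or ["OK"])
    # Live use: python3 this_script.py is not required; call check("yourdomain.com", "abc12345.txt", token)
```

Run check() from a machine outside your own network: a file that opens fine from the office because an internal DNS view or VPN route differs from the public one is the classic cause of "it works in my browser but the CA says it failed".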


🔁 Can I Change the Validation Method?

Yes, most Certificate Authorities allow you to switch methods before the certificate is issued.

If one method fails:

  • Retry with another method via your CA's control panel or support

  • DNS is often the fallback when the others fail, because it depends on neither a mailbox nor a running web server


🛠️ Troubleshooting Tips

  Issue                   | Solution
  ------------------------|-----------------------------------------------------------------------------
  Email not received      | Check spam/junk; confirm the chosen alias (admin@, webmaster@, ...) exists and is routed to you
  DNS record not found    | Verify the record name, quoted value and TTL; query the authoritative nameservers directly (dig TXT <name> @<nameserver>) instead of your local resolver
  HTTP validation fails   | Confirm the file is publicly readable at the exact path over plain HTTP, returns 200, and is not redirected, rewritten, or blocked by a WAF or bot filter
  Using Cloudflare        | TXT records are never proxied, so the orange cloud does not affect DNS validation; for HTTP validation, exempt /.well-known/ from "Always Use HTTPS" and bot protection, or temporarily disable the proxy (orange cloud) for the hostname

🔒 Security Notes

  • Only use validation tokens provided by your CA for an order you placed. If a validation email or request arrives that you did not initiate, do not approve it: someone else may be trying to obtain a certificate for your domain. Report it to the CA.

  • Tokens expire if not used in time (usually 24–72 hours); request a fresh one rather than retrying with an expired one.

  • Don't reuse old tokens, and don't reuse a CSR for a different domain (the CSR fixes the names the certificate will contain).

  • Anyone who can write to your DNS zone, your web root, or the admin@/webmaster@ mailbox can pass validation and obtain certificates for the domain. Restrict and audit that access, and remove validation records and files once the certificate is issued.