SSL.com Domain Control Validation

Details on the process and how to pass it

Domain Control Validation Overview

In order to establish ownership or authorization to acquire an ssl certificate for a specific domain, proof of control over the domain must be established.

Domain Control Validation (DCV) can be established by the following methods:: Email Challenge Response; File lookup over HTTP; DNS CNAME lookup for domain

For UCC certificates or any certificate that contains multiple domain names, dcv must be performed on each domain using any of the combinations of methods listed above.

Email Challenge Response

Upon order placement, an email is sent to an email address selected prior during the order process. Contained within this email is a link the the recipient of the email can follow and enter in a validation code found in the email. Once this process occurs, domain control has been established.

The accepted list of email addresses for a domain that ssl.com is authorized to send the dcv email to is as follows:: webmaster@; hostmaster@; postmaster@; administrator@; admin@

File lookup over HTTP

This method requires a file created from the certificate signing request's (csr) hashes be viewable through http on port 80. SSL.com will check for the existence of this file to satisfy domain control validation. This file contains two hashes from the csr. The file name is the MD5 hash of the csr with a .txt extension. Within this file is the SHA-2 hash of the csr followed by a newline and the word comodoca.com.

For instance, if the csr is created for the domain name www.yoursite.com, and the MD5 hash the csr is 8593532A8FA01E6CEBB0B7E85E510D0F, and the SHA-1 hash for the csr is F18B0E3C464CCFE58209272A97ADC0E8C4233BF9, then the dcv file would have the contents:

: F18B0E3C464CCFE58209272A97ADC0E8C4233BF9; comodoca.com

And the dcv file should be publicly found at

: http://www.yoursite.com/8593532A8FA01E6CEBB0B7E85E510D0F.txt

Upon successful order placement, SSL.com's automated server will look for this file at the above listed url, and if found, domain control validation will be satisfied.

DNS CNAME lookup for domain

This method requires a CNAME entry in the domain's DNS be pointed to sslpki.com. An MD5 hash as well as a SHA-1 hash of the csr are required for this CNAME entry. The CNAME entry should look like:

: <MD5 hash>.<domain> CNAME <SHA-2 hash>.comodoca.com

Using the example csr and hashes in section "File lookup over HTTP", the CNAME dns entry would look like:

: 8593532A8FA01E6CEBB0B7E85E510D0F.yoursite.com CNAME F18B0E3C464CCFE58209272A97ADC0E8C4233BF9.comodoca.com

Upon successful order placement, SSL.com's automated server will look for this dns entry, and if found, domain control validation will be satisfied.