Domain Validation (DV) is the simplest and most widely used form of SSL Certificate validation. It is a process that confirms the entity requesting the SSL Certificate has control over the domain for which the Certificate is being issued. Unlike Organization Validation (OV) or Extended Validation (EV) SSL Certificates, which require additional business verification steps, Domain Validation (DV) SSL Certificates focus solely on verifying domain ownership.
The validation process is typically automated and can be completed quickly, making Domain Validation (DV) SSL Certificates the fastest and most cost-effective way to secure a website. Once issued, the SSL Certificate activates HTTPS encryption, ensuring that data transferred between a website and its visitors remains secure. Trustico® provides Domain Validation (DV) SSL Certificates from trusted Certificate Authorities (CAs) including Sectigo® and offers multiple validation methods to suit different technical environments.
How Does Domain Validation (DV) Work?
To obtain a Domain Validation (DV) SSL Certificate, the domain owner must prove that they control the domain in question. The Certificate Authority (CA) requires this proof before any SSL Certificate can be issued. Trustico® supports several verification methods, each designed to accommodate different levels of technical access and preference. The method you choose will depend on your access to e-mail, Domain Name System (DNS) records, or your web server file system.
Since Domain Validation (DV) does not require extensive documentation or manual review, the process can often be completed within minutes. This allows website owners to secure their domains quickly and efficiently compared to the longer timelines associated with Organization Validation (OV) or Extended Validation (EV) SSL Certificates.
E-Mail Verification Method
E-Mail verification is the most common Domain Control Validation (DCV) method. The Certificate Authority (CA) sends a confirmation e-mail to a pre-approved address associated with the domain. The recipient must then follow the instructions in the e-mail, typically by clicking a confirmation link and entering a verification code provided in the message.
The e-mail address used for validation must be one of the following pre-approved addresses at the domain being validated : admin@yourdomain.com, administrator@yourdomain.com, hostmaster@yourdomain.com, postmaster@yourdomain.com, or webmaster@yourdomain.com. These addresses are defined by the Certificate Authority / Browser Forum (CA/Browser Forum) as acceptable for Domain Control Validation (DCV) purposes.
Important : WHOIS-based e-mail validation is being deprecated in accordance with Ballot SC-80v3. After June 15, 2025, only the five pre-approved e-mail addresses listed above or a contact listed in the _validation-contactemail DNS record for the domain will be accepted for e-mail based Domain Control Validation (DCV).
If none of the standard pre-approved e-mail addresses are available, you may be able to configure a _validation-contactemail DNS TXT record for your domain. This record allows the Certificate Authority (CA) to send validation e-mail to an alternative address that you specify within your Domain Name System (DNS) settings.
Domain Name System (DNS) CNAME Record Verification Method
Domain Name System (DNS) CNAME record verification is an alternative to e-mail based Domain Control Validation (DCV). This method requires you to create a specific CNAME record in your domain's Domain Name System (DNS) settings, which proves your control over the domain and allows the SSL Certificate issuance process to proceed.
The CNAME record is constructed using cryptographic hashes derived from the Certificate Signing Request (CSR). Specifically, an MD5 hash and a SHA-256 hash are generated from the DER-encoded Certificate Signing Request (CSR), not from the PEM text. The CNAME record takes the following format : the host is a single label, made up of an underscore followed by the MD5 hash, created under your domain, and the target (the canonical name) is the SHA-256 hash split into two 32-character labels followed by sectigo.com.
After placing your SSL Certificate order with Trustico® you can switch to CNAME validation by logging into the Trustico® order tracking system. Simply change the validation preference from Approver E-Mail to CNAME within your order details. Trustico® will provide the exact CNAME record values that need to be added to your Domain Name System (DNS) configuration.
Tip : Domain Name System (DNS) CNAME validation is particularly useful if you do not have access to any of the pre-approved e-mail addresses. As long as you can manage your domain's Domain Name System (DNS) records, this method provides a straightforward path to completing Domain Control Validation (DCV).
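The following added example (not Trustico® or Sectigo® code) derives the CNAME host and target from a Certificate Signing Request (CSR) in the way this section describes, so the values shown in the tracking system can be checked against your own CSR before you publish them. The sample PEM wraps constructed placeholder bytes rather than a real CSR, and the function names are illustrative.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes wrapped in PEM armor. This is NOT a real CSR;
# a real CSR's DER bytes are hashed in exactly the same way.
SAMPLE_DER = b"constructed placeholder bytes, not a real CSR"
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE REQUEST-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def pem_to_der(pem):
    """Remove the PEM armor and base64-decode the body to DER bytes."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def cname_record(pem, domain):
    """Return (host, target) as described above, hashing the DER bytes."""
    der = pem_to_der(pem)
    md5 = hashlib.md5(der).hexdigest()
    sha256 = hashlib.sha256(der).hexdigest()
    return f"_{md5}.{domain}", f"{sha256[:32]}.{sha256[32:]}.sectigo.com"


def record_matches(published_host, published_target, pem, domain):
    """Compare supplied values with the CSR; DNS names are case-insensitive."""
    def norm(name):
        return name.rstrip(".").lower()
    host, target = cname_record(pem, domain)
    return norm(published_host) == norm(host) and norm(published_target) == norm(target)


if __name__ == "__main__":
    print(cname_record(SAMPLE_CSR_PEM, "yourdomain.com"))
```

A mismatch usually means the hashes were taken over the PEM text instead of the DER bytes, or that the record belongs to a different CSR.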
Domain Name System (DNS) TXT Record Verification Method
Domain Name System (DNS) TXT record verification is another Domain Name System (DNS) based validation method supported by the Certificate Authority (CA). With this approach, a unique random value token is provided by the Certificate Authority (CA) at the time of your SSL Certificate order. You must then create a Domain Name System (DNS) TXT record using the following format : the host is set to _pki-validation at your domain, and the TXT value contains the random token provided.
The token provided for Domain Name System (DNS) TXT validation is valid for 30 days from the date of issuance and may only be used once per SSL Certificate order. If the token expires before the record is verified, a new token will need to be generated by resubmitting the validation request through the Trustico® tracking system.
Important : Each Domain Name System (DNS) TXT validation token is unique to a specific SSL Certificate order. Reusing a token from a previous order will not work. Always use the exact token value provided for your current order.
HTTP and HTTPS File Based Verification Method
File based verification requires the domain owner to upload a specific verification file to a designated directory on the web server. The Certificate Authority (CA) will then check for the presence of this file at a known location to confirm domain ownership. This method is commonly used by web administrators who have direct access to their website's file system.
To complete file based validation, you will need to create a text file named using the MD5 hash value derived from your Certificate Signing Request (CSR). The contents of this file must include the SHA-256 hash of your Certificate Signing Request (CSR) on the first line, the text "sectigo.com" on the second line, and optionally a unique value on the third line. The file must be placed at the following path on your web server : http://yourdomain.com/.well-known/pki-validation/ or the HTTPS equivalent at https://yourdomain.com/.well-known/pki-validation/ using port 80 or port 443 respectively.
The verification file must be plain ASCII text without a Byte Order Mark (BOM). Both CRLF and LF line endings are acceptable. The web server must be publicly accessible on port 80 for HTTP or port 443 for HTTPS at the time the Certificate Authority (CA) performs the validation check.
Warning : File based validation cannot be used for Wildcard SSL Certificates. If you are ordering a Wildcard SSL Certificate, you must use either e-mail validation or a Domain Name System (DNS) based validation method instead.
Validation for Multi-Domain SSL Certificates
When ordering a Multi-Domain SSL Certificate, also known as a Subject Alternative Name (SAN) or Unified Communications Certificate (UCC), each Fully Qualified Domain Name (FQDN) included on the SSL Certificate must be validated individually. The Certificate Authority (CA) requires proof of control for every domain listed on the SSL Certificate before issuance can proceed.
Different Domain Control Validation (DCV) methods can be used for different domains within the same Multi-Domain SSL Certificate order. For example, you might validate your primary domain using e-mail verification while using Domain Name System (DNS) CNAME validation for an additional domain where you do not have access to the pre-approved e-mail addresses. This flexibility allows you to choose the most convenient method for each domain on the order.
If a new Certificate Signing Request (CSR) is generated during the reissuance process, revalidation will be required for each domain on the SSL Certificate. The Trustico® tracking system provides detailed status information for each domain on a Multi-Domain SSL Certificate, allowing you to monitor which domains have been validated and which still require action.
Request Tokens and Uniqueness Requirements
Every Domain Control Validation (DCV) request uses a request token to verify domain ownership. This request token is composed of the SHA-256 hash derived from the DER-encoded Certificate Signing Request (CSR), the string "sectigo.com" as an identifier, and optionally a unique value of up to 20 alphanumeric characters.
It is important to understand that request tokens must be unique for each SSL Certificate order. If you reuse a Certificate Signing Request (CSR) from a previous order, the validation may fail unless a unique value or distinguishing attribute is included in the new request. Trustico® recommends generating a fresh Certificate Signing Request (CSR) for each new SSL Certificate order to avoid potential issues with token uniqueness.
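The request token described here is the same three-part content that the file based verification section places in the validation file. The added example below (not Trustico® or Sectigo® code) builds that file body and checks an existing one against the rules stated on this page: no Byte Order Mark (BOM), ASCII only, CRLF or LF line endings, and an optional unique value of up to 20 alphanumeric characters. The DER bytes are a constructed placeholder, the function names are illustrative, and treating the hash as case-insensitive is an assumption.

```python
import hashlib
import re

# Constructed placeholder standing in for the DER bytes of a CSR (not a real CSR).
SAMPLE_DER = b"constructed placeholder bytes, not a real CSR"


def build_validation_file(csr_der, unique_value=None, newline="\n"):
    """Build the file body: SHA-256 line, "sectigo.com", optional unique value."""
    lines = [hashlib.sha256(csr_der).hexdigest(), "sectigo.com"]
    if unique_value is not None:
        lines.append(unique_value)
    return (newline.join(lines) + newline).encode("ascii")


def check_validation_file(raw, csr_der):
    """Return a list of problems found in a file body; an empty list means OK."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("starts with a UTF-8 byte order mark")
        raw = raw[3:]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["contains non-ASCII bytes"]
    # Both CRLF and LF are acceptable; ignore trailing blank lines.
    lines = text.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    if len(lines) not in (2, 3):
        return problems + [f"expected 2 or 3 lines, found {len(lines)}"]
    # Assumption: hex case is not significant, so compare in lower case.
    if lines[0].lower() != hashlib.sha256(csr_der).hexdigest():
        problems.append("line 1 is not the SHA-256 of the DER-encoded CSR")
    if lines[1] != "sectigo.com":
        problems.append('line 2 is not "sectigo.com"')
    if len(lines) == 3 and not re.fullmatch(r"[A-Za-z0-9]{1,20}", lines[2]):
        problems.append("line 3 is not 1 to 20 alphanumeric characters")
    return problems


if __name__ == "__main__":
    body = build_validation_file(SAMPLE_DER, "order2025a", newline="\r\n")
    print(check_validation_file(body, SAMPLE_DER))
    print(check_validation_file(b"\xef\xbb\xbf" + body, SAMPLE_DER))
```

Run the check on the bytes actually served by the web server rather than on the local copy, since editors and deployment tooling are the usual source of an added BOM or a changed encoding.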
Subdomain and WWW Domain Validation
It is important to note that validating control of www.yourdomain.com does not automatically prove control of the base domain yourdomain.com. The Certificate Authority (CA) treats each subdomain as a separate entity that requires its own Domain Control Validation (DCV). This means that if your SSL Certificate needs to cover both the www and non-www versions of your domain, each must be validated independently.
For Single Site SSL Certificates, Trustico® automatically includes both the www and non-www versions of your domain on Domain Validation (DV) SSL Certificates at no additional cost. However, the validation process will still need to confirm control of the base domain. If you are using a Wildcard SSL Certificate, it will cover the base domain and all subdomains at a single level automatically.
Why is Domain Validation (DV) Needed?
Domain Validation (DV) plays a crucial role in internet security by ensuring that SSL Certificates are only issued to individuals or organizations that genuinely own or control a domain. Without this validation step, malicious actors could obtain SSL Certificates for domains they do not own and use them for phishing attacks or fraudulent activities. By requiring domain owners to validate their control, Certificate Authorities (CAs) prevent unauthorized parties from obtaining SSL Certificates under false pretenses.
This process helps to maintain trust on the internet, ensuring that visitors to an HTTPS-enabled site are communicating with the actual domain owner and not a deceptive imposter. The Domain Control Validation (DCV) process is a fundamental requirement established by the Certificate Authority / Browser Forum (CA/Browser Forum) and is enforced across all publicly trusted Certificate Authorities (CAs) worldwide.
Additionally, Domain Validation (DV) SSL Certificates are essential for enabling HTTPS, which has become a standard requirement for all websites. Modern web browsers mark websites without SSL Certificates as "Not Secure", discouraging visitors from engaging with them. HTTPS also plays a role in search engine optimization, as search engines favor secure websites in their rankings. By obtaining a Domain Validation (DV) SSL Certificate from Trustico® you can improve security, user trust, and your website's visibility in search results.
Who Should Use Domain Validation (DV) SSL Certificates?
Domain Validation (DV) SSL Certificates are ideal for personal websites, blogs, small business sites, and any website that does not require advanced identity verification. All validated SSL Certificates provide essential encryption to secure data transmissions, protect user privacy, and improve credibility by displaying HTTPS in the browser's address bar.
For businesses that need to establish stronger trust with their customers, such as e-commerce websites, financial institutions, or organizations handling sensitive data, a higher level of validation may be more appropriate. Organization Validation (OV) SSL Certificates verify that the business entity behind the domain is a legitimate organization, while Extended Validation (EV) SSL Certificates provide the highest level of identity assurance available.
However, for basic encryption needs, Domain Validation (DV) SSL Certificates offer a fast, affordable, and highly effective solution to securing a website. Trustico® offers a range of Domain Validation (DV) SSL Certificates to suit different requirements, from single site protection through to Wildcard and Multi-Domain coverage.
Best Practices for Domain Control Validation (DCV)
Following best practices during the Domain Control Validation (DCV) process helps to ensure a smooth and timely SSL Certificate issuance. Generating a unique Certificate Signing Request (CSR) for each SSL Certificate order prevents token reuse issues and ensures that validation proceeds without complications. If you are using Domain Name System (DNS) based validation, verifying that your Domain Name System (DNS) records have propagated correctly before submitting the validation request will help avoid unnecessary delays.
Configuring Certification Authority Authorization (CAA) records in your Domain Name System (DNS) is also recommended. Certification Authority Authorization (CAA) records allow you to specify which Certificate Authorities (CAs) are permitted to issue SSL Certificates for your domain, adding an additional layer of security against unauthorized issuance. Trustico® recommends setting your Certification Authority Authorization (CAA) records to include the Certificate Authority (CA) associated with your SSL Certificate order.
Tip : Validating your domain early in the SSL Certificate ordering process helps to avoid delays. If you complete Domain Control Validation (DCV) promptly after placing your order, your SSL Certificate can be issued as soon as the validation is confirmed by the Certificate Authority (CA).
Trustico® provides all the tools and guidance needed to complete Domain Control Validation (DCV) efficiently through the Trustico® order tracking system. If you need assistance at any point during the validation process, the Trustico® support team is available to help.