Domain-Vetted Authorization for SSL Certificates

Domain-vetted (DV) SSL orders are validated using one of three methods: email, DNS, or file. This article explains each method, how to change validation methods in the Reseller Control Panel (RCP), how often the certificate authorities (CAs) poll for completion, and the API commands that support DV orders.

Note: The issuing CA performs validation on orders. OpenSRS does not perform validation directly.

Validation methods at a glance

Method | What it means                                                                       | What to do
-------|------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------
Email  | The CA emails the validation address asking the recipient to confirm the certificate. | Approve the email from one of the generic admin addresses listed below.
DNS    | The CA looks for a CNAME or TXT record on the base domain.                           | Add the value from the order page to your DNS zone and wait for the CA to poll.
File   | The CA fetches a file from a specific path on your web server.                       | Download the file from the order page and upload it to .well-known/pki-validation/ on the domain.

Email validation

Email validation sends an approval message to a generic admin address on the domain:

  • admin@domain.tld
  • administrator@domain.tld
  • hostmaster@domain.tld
  • postmaster@domain.tld
  • webmaster@domain.tld

Note: Trustwave orders send the validation message to every contact automatically.

DNS validation

When you submit an order with DNS validation, OpenSRS provides a string to add to the domain's DNS zone. The record type depends on the CA.

DigiCert orders (TXT record)

DigiCert orders, plus legacy GeoTrust, Thawte, and RapidSSL orders, use a TXT record. (DigiCert discontinued the GeoTrust, Thawte, and RapidSSL consumer brands on September 30, 2020.)

  1. Copy the verification token from the SSL order page.
  2. Add it as a TXT record on the base domain (the public DNS zone).
  3. Wait for the CA to confirm the value using a public dig lookup.

Warning: The TXT record must be on the base domain for DigiCert DNS validation. The token starts with a string matching the order date.

Sectigo orders (CNAME record)

Sectigo validates orders with a CNAME record pointing back to Sectigo.

  1. Copy the CNAME record from the SSL order.
  2. Add it under the listed domain name in your DNS zone.

Note: The DNS record is valid for 24 hours.

File validation

When you submit an order with file validation, the portal supplies a file download link.

  1. Download the validation file from the order page.
  2. Upload it to the following path on your web server: domain.tld/.well-known/pki-validation/fileauth.txt
  3. Wait for the CA to fetch and confirm the file.

Note: Sectigo's authorization file name is an MD5 value rather than fileauth.txt. For Windows IIS servers, you can place a period at the start and end of the folder name as a workaround.

Change the validation method

Pick the preferred validation method at order time. You can switch methods while the order is still in progress from the RCP.

Step 1: Open the SSL order

  1. Sign in to the Reseller Control Panel.
  2. Click the Trust tab.
  3. Search the common name and open the order.

Step 2: Edit and submit the new method

  1. In the domain validation section, click Edit.
  2. Choose the new method from the dropdown.
  3. Click Submit.

Polling frequency reference

Each CA polls for completion on its own cadence. Use the tables below to estimate when validation will be confirmed.

DigiCert polling

Interval              | Duration
----------------------|--------------------------
Every minute          | For the first 15 minutes
Every five minutes    | For an hour
Every fifteen minutes | For four hours
Every hour            | For a day
Every four hours      | For a week
Every twenty hours    | For a year

Sectigo polling

When the DNS records don't exist on the initial check, Sectigo retries at:

  • 10 minutes after the order
  • 20 minutes after
  • 40 minutes after
  • 80 minutes after
  • 160 minutes after
  • 320 minutes after

CAA records

CAs are required to check the DNS CAA resource record on validated domains. With no CAA record present, no restriction is in place. When a CAA record explicitly allows or denies the vendor, the CA must honour the record's instructions.
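The CAA decision described above, modelled offline as an added example (not OpenSRS or CA code): it applies the RFC 8659 rules, walking from the FQDN up to the closest published CAA RRset, treating a missing RRset as unrestricted, and honouring an explicit allow or deny in the issue/issuewild properties. The zone data and issuer domain names below are constructed samples.

```python
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as in RFC 8659
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: DNS name -> CAA RRset published at that name.
SAMPLE_ZONES: Dict[str, List[CaaRecord]] = {
    "example.com": [(0, "issue", "digicert.com"),
                    (0, "iodef", "mailto:hostmaster@example.com")],
    "locked.example.net": [(0, "issue", ";")],  # a bare ";" names no CA: deny all
    "mixed.example.org": [(0, "issue", "sectigo.com"), (0, "issuewild", ";")],
    "critical.example.net": [(128, "futureprop", "x"), (0, "issue", "digicert.com")],
}


def relevant_caa(name: str, zones: Dict[str, List[CaaRecord]]) -> Optional[List[CaaRecord]]:
    """Return the closest CAA RRset, walking from the FQDN up to parent names.

    RFC 8659 uses the first RRset found; None means no CAA record applies.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zones.get(".".join(labels[i:]))
        if rrset is not None:
            return rrset
    return None


def issuance_allowed(name: str, issuer_domain: str, wildcard: bool = False,
                     zones: Dict[str, List[CaaRecord]] = SAMPLE_ZONES) -> bool:
    """Decide whether the CA identified by issuer_domain may issue for name."""
    rrset = relevant_caa(name, zones)
    if rrset is None:
        return True  # no CAA record present: no restriction
    # A critical-flagged property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # issuewild governs wildcard names when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # RRset exists but carries no relevant property
    # The issuer domain precedes any ";key=value" parameters; "" names no CA.
    permitted = {v.split(";", 1)[0].strip().lower() for v in values}
    return issuer_domain.lower() in permitted - {""}
```

Before choosing a CA for an order, run the domain's real CAA RRset through the same logic; a deny result here predicts a failed validation no matter which method (email, DNS, or file) is selected.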

API commands

OpenSRS provides API support for DV orders.

Command              | Documentation
---------------------|-------------------------
get_order_info       | Attributes and examples
sw_register          | Attributes and examples
update_dv_auth_check | Parameters and examples
update_order         | Parameters and examples
process_pending      | Parameters and examples

Questions? Contact OpenSRS Support.