Domain-vetted authorization for SSL certificates

Registrants choose between three methods to validate an SSL certificate for domain-vetted (DV) orders.
Note: The issuing Certificate Authority (CA) performs validation on orders; OpenSRS does not perform validation directly.  

Validation methods

Perform basic, domain-level validation for certificates using one of the following three methods: 

Email DNS File

Email validation

Selecting email validation prompts the vendor to email the validation email address, requesting that they confirm the certificate's details. Complete email validation for DV certificates through the generic email addresses:

  • admin@domain.tld
  • administrator@domain.tld
  • hostmaster@domain.tld
  • postmaster@domain.tld
  • webmaster@domain.tld

Note: Trustwave orders automatically send the message to all contacts.

DNS validation

Upon submitting the order, OpenSRS provides a string to add to the registration records on the domain. Depending on the CA, this is either a CNAME or a TXT record. 

DigiCert orders

DigiCert, Thawte, GeoTrust, and RapidSSL orders use a TXT record for DNS validation. Set the provided TXT records on the domain base for visibility on the domain's public DNS to complete.
Important: The TXT record must be on the base domain for DigiCert DNS validation.

Add the random value verification token from the SSL order page onto the domain's DNS zone as a TXT record on the base domain.

The CA searches for the TXT record using a public DIG tool and confirms the value includes the provided token.
Note: The token starts with a string matching the order date. 

Sectigo orders

Sectigo validates orders using a CNAME record. They require a unique string pointing back to Sectigo. Set the record provided under the listed domain name. OpenSRS provides the CNAME record on the SSL order.
Note: The DNS record is valid for 24 hours. 

Back to top

File validation

Upon submitting the order, the portal provides a file download link.
Upload the file to the following directory:


The CA checks the website for this file and validates the certificate after confirming it is uploaded. 

Note: Sectigo authorization file name is an MD5 value instead of fileauth.txt. For Windows IIS servers, you can place a period at the start and end of the folder for a workaround. 

Back to top 

Changing validation

Select the preferred method at the initial purchase from the product order in the Reseller Control Panel (RCP). Resellers can change the validation method to an alternate option from the order page while the order is still in progress.

To change the validation method:

  1. Login to the RCP.
  2. Navigate to the Trust tab.
  3. Find the SSL order by searching the common name.
  4. View the order by selecting the common name.
  5. Select Edit from the domain validation section.
  6. Select the alternate method from the domain validation methods dropdown and click Submit.

Back to top

Polling times

DigiCert frequency

Every minute for the first 15 minutes
Every five minutes for an hour
Every fifteen minutes for four hours
Every hour for a day
Every four hours for a week
Every twenty hours for a year

Sectigo frequency

When the DNS records don't exist during the initial check, further lookups happen at the following times after the initial order:

  • 10 minutes after
  • 20 minutes after
  • 40 minutes after
  • 80 minutes after
  • 160 minutes after
  • 320 minutes after

Back to top

CAA records

Changes implemented by the certificate industry require the CAs to check for a DNS CAA resource record on validated domains. When there are no CAA records, no restriction is in place. When a CAA record explicitly allows or denies the vendor, the CA must follow the record instructions.

API commands

We provide tools via API for domain-vetted authorization orders.




Back to top

Was this article helpful? If not please submit a request here

How helpful was this article?