Registrants choose between three methods to validate an SSL certificate for domain-vetted (DV) orders.
Note: The issuing Certificate Authority (CA) performs validation on orders; OpenSRS does not perform validation directly.
Validation methods
Perform basic, domain-level validation for certificates using one of the following three methods:
| DNS | File |
Email validation
Selecting email validation prompts the vendor to email the validation email address, requesting that they confirm the certificate's details. Complete email validation for DV certificates through the generic email addresses:
- admin@domain.tld
- administrator@domain.tld
- hostmaster@domain.tld
- postmaster@domain.tld
- webmaster@domain.tld
Note: Trustwave orders automatically send the message to all contacts.
DNS validation
Upon submitting the order, OpenSRS provides a string to add to the registration records on the domain. Depending on the CA, this is either a CNAME or a TXT record.
DigiCert orders
DigiCert, Thawte, GeoTrust, and RapidSSL orders use a TXT record for DNS validation. Set the provided TXT records on the domain base for visibility on the domain's public DNS to complete.
Important: The TXT record must be on the base domain for DigiCert DNS validation.
Add the random value verification token from the SSL order page onto the domain's DNS zone as a TXT record on the base domain.
The CA searches for the TXT record using a public DIG tool and confirms the value includes the provided token.
Note: The token starts with a string matching the order date.
Sectigo orders
Sectigo validates orders using a CNAME record. They require a unique string pointing back to Sectigo. Set the record provided under the listed domain name. OpenSRS provides the CNAME record on the SSL order.
Note: The DNS record is valid for 24 hours.
File validation
Upon submitting the order, the portal provides a file download link.
Upload the file to the following directory:
domain.tld/.well-known/pki-validation/fileauth.txt
The CA checks the website for this file and validates the certificate after confirming it is uploaded.
Note: Sectigo authorization file name is an MD5 value instead of fileauth.txt. For Windows IIS servers, you can place a period at the start and end of the folder for a workaround.
Changing validation
Select the preferred method at the initial purchase from the product order in the Reseller Control Panel (RCP). Resellers can change the validation method to an alternate option from the order page while the order is still in progress.
To change the validation method:
- Login to the RCP.
- Navigate to the Trust tab.
- Find the SSL order by searching the common name.
- View the order by selecting the common name.
- Select Edit from the domain validation section.
- Select the alternate method from the domain validation methods dropdown and click Submit.
Polling times
DigiCert frequency
| Every minute | for the first 15 minutes |
| Every five minutes | for an hour |
| Every fifteen minutes | for four hours |
| Every hour | for a day |
| Every four hours | for a week |
| Every twenty hours | for a year |
Sectigo frequency
When the DNS records don't exist during the initial check, further lookups happen at the following times after the initial order:
- 10 minutes after
- 20 minutes after
- 40 minutes after
- 80 minutes after
- 160 minutes after
- 320 minutes after
CAA records
Changes implemented by the certificate industry require the CAs to check for a DNS CAA resource record on validated domains. When there are no CAA records, no restriction is in place. When a CAA record explicitly allows or denies the vendor, the CA must follow the record instructions.
API commands
We provide tools via API for domain-vetted authorization orders.
| get_order_info | |
sw_register | |
| update_dv_auth_check | |
| update_order | |
| process_pending |
Was this article helpful? If not please submit a request here