SSL Certificate Alternate Domain Control Validation Methods
When domain ownership needs to be verified for SSL certificate issuance. This article explains alternate domain control validation methods for SSL certificates.
SSL certificates are issued after successful validation of your control of the domain name for which the SSL certificate is being requested. This process is called Domain Control Validation (DCV).
There are three ways to perform this validation:
- Email challenge response
- HTTP based DCV
- DNS CNAME based DCV
Each of these methods are explained below.
Email challenge response
By far, the Email challenge-response is the fastest and easiest method of DCV. This is the default method that is selected automatically at the time of applying for the SSL certificate. To perform DCV using Email challenge-response, you need to select one of the shortlisted email addresses listed below:
- admin@
- administrator@
- hostmaster@
- postmaster@
- webmaster@
Upon receiving the application, the CA system will send an email to the selected email address with a unique validation code. You must follow the link provided in the email and enter the validation code to complete the DCV.
Note that the list of acceptable email addresses is displayed automatically based on the domain name extracted from the CSR you submit. If an email address believed to be on the WHOIS record for the domain is not shown on the list, it means the CA system was unable to extract that email address from a WHOIS query and thus the address cannot be used.
HTTP based DCV
Another method to perform DCV is the HTTP-based DCV which requires a web server running on HTTP (port 80) or on HTTPS (port 443). Your domain must resolve to that server for this method to work.
You need to create a request token and place it in the /.well-known/pki-validation directory on the webserver.
The request token is just a text file that can be created easily by following the instructions given below.
You would need the two hashes (MD5 and SHA256) extracted from your CSR. The instructions to extract the hash values are given at the bottom.
Once you've extracted the CSR hashes, please follow these instructions to create a request token:
- Create a text file with the <SHA256 hash> on the first line
- Save the file with the name as <MD5 hash>.txt
For example, if the hashes are:
md5=F138B9F90340E5A2B6B42D5268649287 sha256=30CD3405C31A0D52FAAC875D2E01B9CF10C6ED82B90469C5FBE9F54440AE0EC0
Then, the name of your text file would be
F138B9F90340E5A2B6B42D5268649287.txt
Here’s a screenshot to illustrate how this would look like:

Note: -- The file must be created using the UPPERCASE formatting of the MD5 hash, as most HTTP servers are case-sensitive. -- The CA system will only look for the UPPERCASE hash filename. The file must be created with a .txt extension. -- The SHA-256 hash within the file is case-insensitive.
This text file is your request token which you need to upload on your web server and place it in the /.well-known/pki-validation directory such that it can be accessed as:
http://example.com/.well-known/pki-validation/F138B9F90340E5A2B6B42D5268649287.txt
*where "example.com" is the domain name for which the SSL certificate is being requested.
The CA system will automatically look for this request token at regular intervals and DCV will be completed as soon as the token is found.
DNS CNAME based DCV
DCV can also be performed by adding a CNAME record in the DNS zone of your domain.
Note: -- A hex (base-16) encoded SHA-256 hash will not fit in a single DNS label because it is too long. -- The SHA-256 hash should therefore be split into two labels, each 32 characters long (i.e. inserting a ‘.’ in the middle of the SHA256 hash value). In the example above, you can see that the SHA256 hash value has been split into two labels (i.e. 30CD3405C31A0D52FAAC875D2E01B9CF and 10C6ED82B90469C5FBE9F54440AE0EC0, each label being 32 characters long).
How to extract the hash values of a CSR:
Use a CSR decoder such as http://www.csrdecoder.com/ to extract the MD5 and SHA256 hashes of your CSR.
Here’s a screenshot to illustrate this:
