CertCentral: DNS CNAME DCV method now available for DV certificate orders
In CertCentral and the CertCentral Services API, you can now use the DNS CNAME domain control validation (DCV) method to validate the domains on your DV certificate order.
Note: Before, you could only use the DNS CNAME DCV method to validate the domains on OV and EV certificate orders and when prevalidating domains.
To use the DNS CNAME DCV method on your DV certificate order:
Note: The AuthKey process for generating request tokens for immediate DV certificate issuance does not support the DNS CNAME DCV method. However, you can use the File Auth (http‑token) and DNS TXT (dns‑txt‑token) DCV methods. To learn more, visit DV certificate immediate issuance.
To learn more about using the DNS CNAME DCV method:
CertCentral Services API: Improved List domains endpoint response
To make it easier to find information about the domain control validation (DCV) status for domains in your CertCentral account, we added these response parameters to domain objects in the List domains API response:
dcv_approval_datetime
: Completion date and time of the most recent DCV check for the domain.last_submitted_datetime
: Date and time the domain was last submitted for validation.For more information, see the reference documentation for the List domains endpoint.
Industry changes to file-based DCV (HTTP Practical Demonstration, file auth, file, HTTP token, and HTTP auth)
To comply with new industry standards for the file-based domain control validation (DCV) method, you can only use the file-based DCV to demonstrate control over fully qualified domain names (FQDNs), exactly as named.
To learn more about the industry change, see Domain validation policy changes in 2021.
How does this affect me?
As of November 16, 2021, you must use one of the other supported DCV methods, such as Email, DNS TXT, and CNAME, to:
To learn more about the supported DCV method for DV, OV, and EV certificate requests:
CertCentral: Pending certificate requests and domain prevalidation using file-based DCV
Pending certificate request
If you have a pending certificate request with incomplete file-based DCV checks, you may need to switch DCV methods* or use the file-based DCV method to demonstrate control over every fully qualified domain name, exactly as named, on the request.
*Note: For certificate requests with incomplete file-based DCV checks for wildcard domains, you must use a different DCV method.
To learn more about the supported DCV methods for DV, OV, and EV certificate requests:
Domain prevalidation
If you plan to use the file-based DCV method to prevalidate an entire domain or entire subdomain, you must use a different DCV method.
To learn more about the supported DCV methods for domain prevalidation, see Supported domain control validation (DCV) methods for domain prevalidation.
CertCentral Services API
If you use the CertCentral Services API to order certificates or submit domains for prevalidation using file-based DCV (http-token), this change may affect your API integrations. To learn more, visit File-based domain control validation (http-token).
Industry standards change
As ofJuly 31, 2019 (19:30 UTC), you must use the HTTP Practical Demonstration DCV method to demonstrate control over IP addresses on your certificate orders.
For more information about the HTTP Practical Demonstration DCV method, see these instructions:
Currently, industry standards used to allow you to use other DCV methods to demonstrate control over your IP address. However, with the passing of Ballot SC7, the regulations for IP address validation changed.
Ballot SC7: Update IP Address Validation Methods
This ballot redefines the permitted processes and procedures for validating the customer's control of an IP Address listed in a certificate. Compliance changes for Ballot SC7 go into effect on July 31, 2019 (19:30 UTC).
To remain compliant, as of July 31, 2019 (19:30 UTC), DigiCert only allows customers to use the HTTP Practical Demonstration DCV method to validate their IP addresses.
Removing Support for IPv6
As of July 31, 2019 (19:30 UTC), DigiCert has removed support for certificates for IPv6 addresses. Due to server limitations, DigiCert is unable to reach out to IPv6 address to verify the file placed on the customer's website for the HTTP Practical Demonstration DCV method.
We fixed a bug where the SSL/TLS certificate Order# details page and Order details panel weren't showing domain control validation as being completed after you finished validating the domains on your certificate order.
Note: This bug didn't stop your certificate orders from being issued after you completed the domain control validation.
Now, when you complete the domain control validation for the domains on your order, the Order# details page and Order details panel for the order show the domain validation as being completed.
(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the certificate order, click the order number or Quick View link.)