Domain control validation (DCV) methods
CertCentral: DigiCert-supported DCV methods for validating domains and IP addresses
To ensure that certificates are issued only to parties who control the names in them, industry standards (the CA/Browser Forum TLS Baseline Requirements) require you to demonstrate control over every FQDN and IP address included in a certificate. DigiCert refers to this process as Domain Control Validation (DCV).
DigiCert-supported DCV methods
When validating your domains, you can use any of the DigiCert-supported DCV methods.
DCV type | DCV methods |
|---|---|
Email-based | Email to DNS TXT record contact, Email to CAA record contact, Email to constructed email |
DNS-based | DNS TXT record, DNS CNAME record |
Website-based | HTTP Practical Demonstration, HTTP Practical Demonstration with unique filename |
ACME challenges | HTTP-01 (HTTP Practical Demonstration DCV), DNS-01 (DNS TXT record DCV) |
Acronyms in this article: Transport Layer Security (TLS), Secure Sockets Layer (SSL), Domain Name System (DNS), Certification Authority Authorization (CAA), Automatic Certificate Management Environment (ACME), Domain Control Validation (DCV), extended validation (EV), organization validation (OV), domain validation (DV), fully qualified domain name (FQDN).
When should I validate my domain?
You may demonstrate control over domains before ordering certificates or while a certificate order is pending. Per industry standards, a completed domain validation can currently be reused for 397 days; this reuse period is being shortened on the schedule shown under Decreasing domain validation reuse periods below.
Validate domains before ordering certificates (domain prevalidation)
CertCentral features a domain validation process that enables you to demonstrate control over your domains before ordering certificates for them. DigiCert refers to this process as domain prevalidation. Validating the domain ahead of time allows for quicker certificate issuance.
Note: DV certificates don’t support domain prevalidation. To validate domains for a DV certificate, you must do it as part of the order process.
Demonstrating control over domains on DV, OV, and EV TLS/SSL certificate orders
CertCentral features a domain validation process that enables you to validate domains on pending certificate orders. When requesting a certificate, you must select a DCV method to demonstrate control over the domains included in the order. On the certificate's Order details page, use the selected DCV method to validate the domains or switch to a different DCV method if needed.
What happens to my certificate if my domain validation expires?
When DigiCert issues your certificate, it remains valid until it expires or is revoked. Expired domain validation doesn’t affect an issued certificate. However, it does affect certificate renewals, reissues, and duplicates.
Renewals and reissues
When you renew or reissue your certificate, DigiCert checks the validity of the domains on the certificate. If a domain's validation has expired, your order enters a pending state, allowing you to validate your domain before we issue the certificate.
Duplicates
Duplicate certificates are issued immediately, so your domain validation must be current when you request one. If a domain's validation has expired, you must first reissue your certificate; the reissue process includes steps for revalidating your domains. Once the domain validation is updated, you can request a duplicate certificate.
Decreasing domain validation reuse periods
The CA/Browser Forum has voted to amend the TLS Baseline Requirements, setting a schedule that shortens both the maximum lifetime of TLS certificates and the period for which a completed domain validation can be reused.
Timeline | Certificate validity | Domain reuse period |
|---|---|---|
Until March 15, 2026 | 397 days | 397 days |
As of March 15, 2026 | 199 days | 199 days |
As of March 15, 2027 | 99 days | 99 days |
As of March 15, 2029 | 46 days | 9 days |
Note: DV certificates don't support domain validation reuse. Each time you order a DV certificate, you must validate the domains on the order; this applies to new orders, renewals, and reissues.
Notice
Tired of manually validating your domains?
Would you like a more straightforward and automated way to keep your domains validated?
Integrate CertCentral with UltraDNS and skip manual domain validation forever.
Integrating CertCentral with UltraDNS enables you to automate the Domain Control Validation (DCV) process. Keeping your domain validations up to date allows for faster certificate issuance.
Email-based DCV methods
DigiCert supports three email DCV methods: Email to DNS TXT record contact, Email to CAA record contact, and Email to constructed email. They differ only in how the recipient address is determined.
DCV method | Description |
|---|---|
Email to DNS TXT record contact | DigiCert sends the domain approval email to the address published in a DNS TXT record at _validation-contactemail.<domain>. |
Email to CAA record contact | DigiCert sends the domain approval email to the address in the contactemail property of the domain's CAA record. |
Email to constructed email | DigiCert sends the domain approval email to one or more of the constructed addresses admin@, administrator@, webmaster@, hostmaster@, and postmaster@ at the domain. |
In each case, to demonstrate control over the domain, the designated email recipient must follow the instructions in the domain approval email: go to the provided link and complete the steps on the approval page. Whichever method you choose, make sure the mailbox it targets is one your team controls and monitors, since anyone who can read that mailbox can approve issuance for the domain.
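The following Python is an added example, not DigiCert's code: it resolves which mailbox each email-based method would target from DNS data, which is the check to run before picking a method. The zone records, domain names and addresses are constructed for the example; the record locations themselves (the contactemail CAA property from RFC 8659, the _validation-contactemail TXT label and the five constructed local parts from the Baseline Requirements) are the standard ones. A real pre-flight check would replace lookup() with an actual DNS query.

```python
import re
from typing import Dict, List, Tuple

# Constructed zone data standing in for what the CA's resolver would return.
# The domain and mailboxes are made up; the record shapes follow RFC 8659
# (CAA "contactemail" property) and the TLS Baseline Requirements
# (DNS TXT contact published at the _validation-contactemail label).
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "CAA"): [
        '0 issue "digicert.com"',
        '0 contactemail "dcv-approvals@example.com"',
    ],
    ("_validation-contactemail.example.com", "TXT"): ['"pki-team@example.com"'],
    # Has CAA records, but no contactemail property: the CAA method yields nothing.
    ("nocontact.example", "CAA"): ['0 issue "digicert.com"'],
}

# Local parts the Baseline Requirements permit for the constructed-email method.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")
EMAIL_RE = re.compile(r'^[^@\s"]+@[^@\s"]+\.[^@\s"]+$')


def lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS query against the constructed zone (names are case-insensitive)."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def unquote(rdata: str) -> str:
    """Strip the surrounding quotes of a presentation-format character string."""
    rdata = rdata.strip()
    return rdata[1:-1] if len(rdata) >= 2 and rdata[0] == rdata[-1] == '"' else rdata


def caa_rrset(domain: str) -> List[str]:
    """RFC 8659 lookup: walk from the domain toward the root and return the
    first non-empty CAA RRset; stop at the first name that has any CAA record."""
    name = domain.lower().rstrip(".")
    while name:
        rrs = lookup(name, "CAA")
        if rrs:
            return rrs
        name = name.partition(".")[2]
    return []


def caa_contact_emails(domain: str) -> List[str]:
    """Email to CAA record contact: addresses from 'contactemail' properties."""
    emails = []
    for rr in caa_rrset(domain):
        fields = rr.split(None, 2)          # flags, tag, value
        if len(fields) != 3:
            continue
        _flags, tag, value = fields
        if tag.lower() != "contactemail":   # property tags are case-insensitive
            continue
        value = unquote(value)
        if EMAIL_RE.match(value):
            emails.append(value)
    return emails


def dns_txt_contact_emails(domain: str) -> List[str]:
    """Email to DNS TXT record contact: addresses in TXT records at
    _validation-contactemail.<domain>, looked up for that exact name."""
    emails = []
    for rr in lookup(f"_validation-contactemail.{domain}", "TXT"):
        value = unquote(rr)
        if EMAIL_RE.match(value):
            emails.append(value)
    return emails


def constructed_emails(domain: str) -> List[str]:
    """Email to constructed email: the five permitted local parts at the domain."""
    return [f"{local}@{domain}" for local in CONSTRUCTED_LOCAL_PARTS]


def approval_recipients(domain: str, method: str) -> List[str]:
    """Mailboxes a domain approval email for the given DCV method would go to."""
    resolvers = {
        "Email to DNS TXT record contact": dns_txt_contact_emails,
        "Email to CAA record contact": caa_contact_emails,
        "Email to constructed email": constructed_emails,
    }
    return resolvers[method](domain)


if __name__ == "__main__":
    for method in ("Email to DNS TXT record contact",
                   "Email to CAA record contact",
                   "Email to constructed email"):
        print(f"{method}: {approval_recipients('www.example.com', method)}")
```

Running it for www.example.com shows the practical difference between the methods: the CAA lookup climbs to example.com and finds dcv-approvals@example.com, the TXT lookup is for the exact name _validation-contactemail.www.example.com and finds nothing, and the constructed method targets five mailboxes at www.example.com that may not exist.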
DNS-based DCV methods
DigiCert supports two DNS-based DCV methods: DNS TXT record and DNS CNAME record.
DCV method | Description |
|---|---|
DNS TXT record | To demonstrate control over the domain, add the DigiCert-generated random value to the domain’s DNS as a TXT record. The domain is validated when DigiCert detects the DNS TXT record containing the random value. |
DNS CNAME record | To demonstrate control over the domain, add a CNAME record for your domain: put the DigiCert-provided static prefix in the hostname (owner name) field and use the DigiCert URL containing the random value as the CNAME target. The domain is validated when DigiCert detects the DNS CNAME record pointing to the target that contains the random value. |
Website-based DCV methods
DigiCert supports two website-based DCV methods: HTTP Practical Demonstration and HTTP Practical Demonstration with unique filename. Use the HTTP Practical Demonstration DCV methods to demonstrate control over IP addresses and fully qualified domain names (FQDNs) exactly as named: validating www.example.com by this method covers only that FQDN, not example.com or other subdomains, and the Baseline Requirements do not allow website-based validation for wildcard domains (use a DNS-based method or email for those).
Validating IPv4 and IPv6 addresses
DigiCert supports using the HTTP Practical Demonstration DCV method for demonstrating control over IPv4 and IPv6 addresses.
DCV method | Description |
|---|---|
HTTP Practical Demonstration | To demonstrate control over the domain or IP address, host a file containing a DigiCert-generated random value at a predetermined location on your website, under the /.well-known/pki-validation/ directory that the Baseline Requirements prescribe, reachable over HTTP or HTTPS on port 80 or 443. A domain or IP address is validated when DigiCert requests the predetermined location and confirms the presence of the DigiCert-generated value. |
HTTP Practical Demonstration with unique filename | To demonstrate control over the domain or IP address, host a file with a DigiCert-generated filename containing a DigiCert-generated random value at the same predetermined location. A domain or IP address is validated when DigiCert requests that location and confirms the presence of the DigiCert-generated value. Note: DV certificates don’t support the HTTP Practical Demonstration with unique filename DCV method. |
ACME challenges
DigiCert supports two ACME challenges: HTTP-01 (HTTP Practical Demonstration DCV) and DNS-01 (DNS TXT record DCV). Use ACME challenges to validate domains as part of your ACME certificate request, issuance, and installation process.
ACME challenge | Description |
|---|---|
HTTP-01 challenge (HTTP Practical Demonstration DCV) | To demonstrate control over your domain, DigiCert gives a random token to your ACME client. The ACME client places a file at http://<domain>/.well-known/acme-challenge/<token> containing the key authorization derived from that token and your ACME account key, then tells DigiCert the file is ready. The domain is validated when DigiCert fetches the file from that location and confirms it contains the expected value. Can I use HTTP-01 to validate IPv4 and IPv6 addresses? No, DigiCert doesn’t support using the HTTP-01 challenge to validate IP addresses; use the HTTP Practical Demonstration DCV method described above instead. |
DNS-01 challenge (DNS TXT record DCV) | To demonstrate control over your domain, DigiCert gives a random token to your ACME client. The client derives the required DNS validation value from that token and your ACME account key, and you (or the client, through your DNS provider's API) publish it in a TXT record at _acme-challenge.<domain>. The domain is validated when DigiCert finds a TXT record for that name containing the expected value. Use DNS-01 to validate wildcard domains (*.example.com): if your certificate includes a wildcard domain, DNS-01 is the ACME challenge to use for it as part of your ACME certificate request, issuance, and installation process. |
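The exchange described in the two rows above, as an added example that is not DigiCert's or any ACME client's code: the RFC 7638 thumbprint and key authorization the client derives from the CA's token, what HTTP-01 serves and what DNS-01 publishes (including where the record goes for a wildcard), and the comparison the validator performs on its side. The account key and token are sample values constructed for this example; the paths, record label and derivations are the ones RFC 8555 specifies.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Sample ACME account public key (JWK form) and challenge token. Both are
# constructed for this example; nothing here is a DigiCert-issued value.
SAMPLE_ACCOUNT_JWK: Dict[str, str] = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: Dict[str, str]) -> str:
    """RFC 7638 canonical form: only the required public members, member names
    in lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("ascii")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey)).
    Binding the token to the account key is what stops another ACME account
    from reusing a token it observed."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# ---- client side: what gets provisioned ------------------------------------

def http01_resource(token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """HTTP-01: (path, body) to serve at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_record_name(domain: str) -> str:
    """DNS-01: owner name of the TXT record. For a wildcard (*.example.com) the
    record goes under the base name, which is why wildcards need DNS-01."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """DNS-01: base64url(SHA-256(keyAuthorization)). Only the digest is published,
    never the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# ---- CA side: what the validator checks --------------------------------------

def ca_validates_http01(fetched_body: str, token: str, account_jwk: Dict[str, str]) -> bool:
    """The CA fetches the challenge file and compares it to the expected key
    authorization, ignoring trailing whitespace (RFC 8555 section 8.3)."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(fetched_body.rstrip().encode("utf-8"), expected)


def ca_validates_dns01(txt_records: List[str], token: str, account_jwk: Dict[str, str]) -> bool:
    """The CA queries TXT for _acme-challenge.<domain> and accepts if any record
    equals the expected digest; unrelated TXT records at that name are ignored."""
    expected = dns01_txt_value(token, account_jwk).encode("ascii")
    return any(hmac.compare_digest(rr.encode("utf-8"), expected) for rr in txt_records)


if __name__ == "__main__":
    path, body = http01_resource(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"HTTP-01: serve {body!r} at {path}")
    name = dns01_record_name("*.example.com")
    print(f"DNS-01: {name} TXT {dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)!r}")
```

The two validator functions are the checks to reproduce locally before asking DigiCert to validate: fetch your own challenge URL (plain HTTP on port 80, from outside your network) and query your own TXT record from a public resolver, then compare exactly as the functions do. A common failure the DNS-01 path makes visible is publishing the key authorization string instead of its SHA-256 digest; the CA rejects that.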