DNS-based DCV methods
When using the DNS-based domain control validation (DCV) methods, you must repeat the process each time you validate a domain.
Create the DNS TXT/CNAME record.
Add the DigiCert-generated random value to the record.
A domain gets validated when DigiCert finds the DNS record with the DigiCert-generated random value.
DigiCert supports two DNS-based DCV methods: DNS TXT record and DNS CNAME record.
Least vulnerable to industry changes
The DNS TXT record is the least vulnerable to industry changes. If you're trying to decide which DCV method to use or looking to switch, DigiCert recommends using this one.
Acronyms in this article: Domain Name System (DNS), organization validation (OV), extended validation (EV), domain validation (DV), Transport Layer Security (TLS), text (TXT), canonical name (CNAME)
DNS TXT record
DigiCert checks to see if the domain has a DNS TXT record with a DigiCert-generated random value. To use this DCV method, you must have access and permission to modify the domain's DNS record.
Create your domain’s DNS TXT record
Go to your DNS provider’s site and create a new TXT record.
For more detailed instructions for creating or updating a DNS TXT record, try the following resources:
Your DNS provider's documentation
DigiCert knowledge base for articles like these:
In the TXT Value field, enter the verification code you copied from your CertCentral account.
Concerning the Host field:
Base domain: (your-domain)
Leave the Host field blank or use the @ symbol, depending on your DNS provider's requirements.
Subdomain: (sub.your-domain)
In the Host field, enter the subdomain that you’re validating.
In the record type field (or equivalent), select TXT.
Select a Time-to-Live (TTL) value or use your DNS provider's default value.
Save the record.
Note: After DigiCert verifies your domain control, you may delete the DNS TXT record.
What’s next
When ready, DigiCert checks for a DNS TXT record for the domain that includes the DigiCert-generated random value. If the check is successful, the domain is validated, and you can order a certificate for it.
You can run the check manually or wait for DigiCert's automatic domain control validation (DCV) check, also called DCV polling, to validate the domain. DCV polling can eliminate the need to run the validation checks manually.
Learn about DigiCert's automatic domain control validation checks.
DNS CNAME record
If your domain has a CNAME record pointing to another domain (for example, yourdomain.com points to yourdomain.net), use this method to validate your domain.
DigiCert checks to see if the domain has a DNS CNAME record with a DigiCert-generated random value. To use this DCV method, you must have access and permission to modify the domain's DNS record.
Create the DNS CNAME record with the static prefix _dnsauth
Go to your DNS provider’s site and create a new CNAME record.
In the hostname field (or equivalent), enter _dnsauth.
In the record type field (or equivalent), select CNAME.
In the target host field (or equivalent), enter [random_value].dcv.digicert.com to point the CNAME record to dcv.digicert.com.
Select a Time-to-Live (TTL) value or use your DNS provider's default value.
Save the record.
Note: After DigiCert verifies your domain control, you may delete the DNS CNAME record.
What's next
When ready, DigiCert checks for a DNS CNAME record for the domain that includes the DigiCert-generated random value. If the check is successful, the domain is validated, and you can order a certificate for it.
You can run the check manually or wait for DigiCert's automatic domain control validation (DCV) check, also called DCV polling, to validate the domain. DCV polling can eliminate the need to run the validation checks manually.
Learn about DigiCert's automatic domain control validation checks.
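A pre-check for both methods above (the TXT record and the _dnsauth CNAME record), added here as an example and not DigiCert's own code: it reads `dig +short` output and reports whether the random value is published as expected before you run the DCV check. The function names, the sample token and answers, and the exact-match TXT comparison are assumptions.

```python
import shlex
import subprocess

DCV_SUFFIX = "dcv.digicert.com"           # CNAME target suffix from the steps above
SAMPLE_RANDOM = "exampletoken0123456789"  # constructed, not a real DigiCert value
SAMPLE_TXT = '"v=spf1 -all"\n"exampletoken" "0123456789"\n'  # constructed answer
SAMPLE_CNAME = "exampletoken0123456789.dcv.digicert.com.\n"   # constructed answer


def dig(rtype, name):
    """Live lookup with `dig +short`; needs dig and network, unused by the samples."""
    cmd = ["dig", "+short", rtype, name]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def norm(name):
    """DNS names compare case-insensitively and dig prints a trailing dot."""
    return name.strip().rstrip(".").lower()


def txt_values(answer):
    """One string per TXT record; dig shows a split record as "ab" "cd"."""
    return ["".join(shlex.split(line)) for line in answer.splitlines() if line.strip()]


def check_txt(answer, random_value):
    """True if a TXT record at the validated name carries exactly the random value
    (exact match is an assumption of this sketch)."""
    return random_value in txt_values(answer)


def check_cname(answer, domain, random_value):
    """Classify the answer for CNAME _dnsauth.<domain>."""
    expected = norm(f"{random_value}.{DCV_SUFFIX}")
    targets = [norm(line) for line in answer.splitlines() if line.strip()]
    if not targets:
        return "missing"
    if targets[0] == expected:
        return "ok"
    if targets[0] == f"{expected}.{norm(domain)}":
        return "zone-appended"  # provider appended the zone to the target host
    return "mismatch"


if __name__ == "__main__":
    print("TXT published:", check_txt(SAMPLE_TXT, SAMPLE_RANDOM))
    print("CNAME status:", check_cname(SAMPLE_CNAME, "example.com", SAMPLE_RANDOM))
    # Live use: check_cname(dig("CNAME", "_dnsauth.example.com"), "example.com", value)
```

A "zone-appended" result means the DNS provider added your zone name to the target host; many providers need a trailing dot on the target to prevent this.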