Skip to main content

Use DNS CNAME to validate domains on a pending DV TLS certificate

Demonstrate control over the domains on your DV TLS/SSL certificate order using a Domain Name System (DNS) Canonical Name (CNAME) record

Use these instructions to validate a domain using the DNS CNAME domain control validation (DCV) method. In the domain's DNS as a CNAME record, add _dnsauth in the hostname field. Then, add [random_value].dcv.digicert.com to the target host field, to point the random value and domain to DigiCert at dcv.digicert.com.

For information about this DCV method and other DCV methods, see DV TLS certificate domain control validation (DCV) methods.

Use DNS CNAME record to demonstrate control over domains on a DV TLS certificate

  1. In your CertCentral account, go to the Order # details page.

    1. In the left main menu, go to Certificates > Orders.

    2. On the Orders page, in the Order # column, select the certificate's order number link.

    3. For CertCentral Subscription accounts, the steps to access the Order # detail page are different.

      1. In the left menu, go to My Digital Trust Products > Certificates.

      2. On the Certificates page, in the Order # column, select the certificate's order number link.

  2. On the Order # details page, in the Certificate status section, check the order's issuance status. See if the order is waiting on domain or organization validation to be finished.

    Once validation is complete, the Certificate status section no longer appears on the Order # details page.

  3. Under What do you need to do, select the Prove control over domains link.

  4. In the Prove control of your domain window, in the Domain control validation (DCV) method menu, select DNS CNAME Record and then select Save.

  5. Under 2. Add the DigiCert provided token to your CNAME record, in the order token box, copy the DigiCert-provided random value.

    The random value expires in 30 days.

  6. Use one of these options to create your DNS CNAME records

    1. Option 1 (preferred): Create the DNS CNAME record with the static prefix _dnsauth

      1. Go to your DNS provider’s site and create a new CNAME record.

      2. In the hostname field (or equivalent), enter _dnsauth.

      3. In the record type field (or equivalent), select CNAME.

      4. In the target host field (or equivalent), enter [random_value].dcv.digicert.com to point the CNAME record to dcv.digicert.com.

      5. Select a Time-to-Live (TTL) value or use your DNS provider's default value.

      6. Save the record.

    2. Option 2: Create the DNS CNAME record with the [random_value] prefix

      Important

      On October 28, 2025, DigiCert is ending support for the [random_value] prefix DNS CNAME record configuration. To learn more about this change, see the October 28 change log entry.

      1. Go to your DNS provider’s site and create a new CNAME record.

      2. In the hostname field (or equivalent), enter the random value that you copied from your CertCentral account.

      3. In the record type field (or equivalent), select CNAME.

      4. In the target host field (or equivalent), enter dcv.digicert.com to point the CNAME record to dcv.digicert.com.

      5. Select a Time-to-Live (TTL) value or use your DNS provider's default value.

      6. Save the record.

  7. Complete domain validation

    1. In your CertCentral account, go to the certificate's Order # details page.

      1. In the left main menu, go to Certificate > Orders.

      2. On the Orders page, in the Order # column, select the certificate's order number link.

      For CertCentral Subscription accounts:

      1. In the left menu, go to My Digital Trust Products > Certificates.

      2. On the Certificates page, in the Order # column, select the certificate's order number link.

    2. On the Order # details page, in the Certificate status section, under What do you need to do, select the Prove control over domains link.

    3. In the Prove control over domain window, under step 5. Complete domain validation, select Check site.

In this section: