Add and validate a domain using HTTP Practical Demonstration

Add a domain to CertCentral and demonstrate control by hosting a DigiCert-generated random-value file in a predetermined web server location. DigiCert retrieves the file from the specified URL to confirm the random value.

Notice

Use the HTTP Practical Demonstration DCV method to validate a fully qualified domain name (FQDN) exactly as named. To learn more, see Domain Validation Policy Changes.

Before you begin

  • At least one organization must exist in your CertCentral account before adding a domain. See Add an organization to CertCentral.

  • To use the domain in OV, EV, or Private TLS certificates, submit the organization for organization validation before adding the domain.

  • You must have access and permission to add files to the web server for the domain being validated.

  • Port 80 must be open and publicly accessible.

  • Review the limitations of website-based DCV methods in Validate domains using website validation methods before proceeding.

Step I: Add the domain and select HTTP Practical Demonstration as the DCV method

  1. In the CertCentral main menu,

    • For Enterprise, Partner, or Legacy accounts: go to Certificates > Domains.

    • For Subscription accounts: go to Validation > Domains.

  2. On the Domains page, select New Domain.

  3. On the New Domain page, under Domain Details, enter the following:

    • Domain Name: Enter the domain you want to validate.

    • Organization: Select the organization to assign the domain to.

  4. Under the Domain control validation (DCV) method, select HTTP Practical Demonstration.

  5. Select Submit for validation.

Step II: Create the validation file and place it on your web server

  1. On the domain details page, in the Domain control validation (DCV) method section, under User actions, copy the value from the Your unique verification token box.

    The verification token expires after 30 days. To generate a new token, select Generate New Token.

    Notice

    If DigiCert generates two or more unique random values for the same domain, don’t be concerned. All values are valid. Use any one of them to complete validation.

  2. Open a text editor such as Notepad and add the verification token to the file. Don’t add extra characters, labels, or line breaks.

  3. Save the file with the name fileauth.txt.

  4. Place the file on your web server under /.well-known/pki-validation/. If the /.well-known/pki-validation/ directory doesn’t exist, create it first:

    For Windows-based servers, use the command line (mkdir .well-known) or set up a virtual directory in IIS.

  5. Confirm the file is publicly accessible at:

    http://[your-domain]/.well-known/pki-validation/fileauth.txt

Step III: Complete domain validation in CertCentral

  1. In the CertCentral main menu,

    • For Enterprise, Partner, or Legacy accounts: go to Certificates > Domains.

    • For Subscription accounts: go to Validation > Domains.

  2. On the Domains page, in the Domain name column, select the domain link.

  3. On the domain details page, in the Domain control validation (DCV) method section under User actions, select Check HTTP Token.

You can run the validation check manually or wait for DigiCert's automatic DCV check, also called DCV polling, to validate the domain automatically.

Notice

After domain control has been verified, the validation file can be deleted.

Notice

Validation applies to the requested fully qualified domain name (FQDN). Validating example.com doesn’t validate www.example.com. Validate each domain and subdomain separately.

Common configuration issues

  • The file is placed on a different subdomain than the one being validated. Place the file on the exact FQDN being validated.

  • The file is placed in the wrong directory. The path must be exactly /.well-known/pki-validation/fileauth.txt.

  • The file contains extra characters or text. Remove all content except the verification token.

  • Redirects prevent DigiCert from retrieving the file. Redirects must use supported HTTP status codes (301, 302, or 307) and begin with the domain being validated.

  • A firewall or geographic filtering rule blocks port 80. Add DigiCert IP addresses to your allowlist. See IP addresses DigiCert uses for the HTTP Practical Demonstration check.
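A pre-flight check for the issues listed above, as an added example (not DigiCert's code, and not a model of how DigiCert's checker behaves). It requests the file on port 80, records every redirect hop, and reports wrong redirect codes, a non-200 final response, or content that isn't exactly the token. Assumptions: the function names are hypothetical, and "begin with the domain being validated" is read as the first request going to the exact FQDN.

```python
import http.client
import sys
from urllib.parse import urljoin, urlsplit

DCV_PATH = "/.well-known/pki-validation/fileauth.txt"  # path given on this page
ALLOWED_REDIRECTS = {301, 302, 307}  # redirect codes the page lists as supported
BOM = b"\xef\xbb\xbf"  # written by some editors' "UTF-8 with BOM" save option

def fetch_chain(fqdn, max_hops=5, timeout=10):
    """GET the file on port 80, following redirects by hand so each hop is recorded.
    Returns a list of (url, status, body) tuples, one per request."""
    url, hops = f"http://{fqdn}{DCV_PATH}", []
    for _ in range(max_hops):
        parts = urlsplit(url)
        https = parts.scheme == "https"
        conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
            parts.netloc, timeout=timeout)
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        hops.append((url, resp.status, resp.read()))
        location = resp.getheader("Location")
        conn.close()
        if not (300 <= resp.status < 400 and location):
            break
        url = urljoin(url, location)  # Location may be relative
    return hops

def evaluate(fqdn, token, hops):
    """Return a list of problems; an empty list means the file is served as the page requires."""
    expected, want = f"http://{fqdn}{DCV_PATH}", token.encode()
    if not hops or hops[0][0] != expected:
        return [f"first request must be {expected}"]
    problems = [f"{url}: redirect status {status} is not 301, 302 or 307"
                for url, status, _ in hops[:-1] if status not in ALLOWED_REDIRECTS]
    url, status, body = hops[-1]
    if status != 200:
        problems.append(f"{url}: final status {status}, expected 200")
    elif body.startswith(BOM):
        problems.append("file starts with a UTF-8 byte order mark")
    elif body != want and body.strip() == want:
        problems.append("file has whitespace or line breaks around the token")
    elif body != want:
        problems.append("file content is not the verification token")
    return problems

if __name__ == "__main__":  # usage: python dcv_check.py <fqdn> <token>
    found = evaluate(sys.argv[1], sys.argv[2], fetch_chain(sys.argv[1]))
    print("\n".join(found) or "OK: token file is served as expected")
    sys.exit(1 if found else 0)
```

Run it from a host outside your own network so that firewall and geographic filtering rules are exercised as well.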

What's next

Add and validate a domain using HTTP Practical Demonstration with unique filename, for environments that centralize validation files across servers using redirects