Use DigiCert-supported domain control validation (DCV) methods
Select a DCV method that aligns with your environment, infrastructure, and automation requirements. DigiCert supports the following DCV methods:
| DCV type | DCV methods |
|---|---|
| Email-based | Email to DNS TXT record contact, Email to DNS CAA record contact, and Constructed email |
| DNS-based | DNS TXT record (recommended), DNS CNAME record |
| Website-based | HTTP Practical Demonstration, HTTP Practical Demonstration with unique filename |
| ACME challenges | HTTP-01, DNS-01 |
The following table describes each method and its requirements to help you select the most appropriate method for your environment:
| Method | How it works | Best for |
|---|---|---|
| Email to DNS TXT record contact | DigiCert sends an authorization email to the address in the domain's DNS TXT record | Environments where DNS access is available and a monitored contact email is defined |
| Email to DNS CAA record contact | DigiCert sends an authorization email to the address in the domain's CAA record | Environments where a CAA record contact email is already configured |
| Constructed email | DigiCert sends authorization emails to standard administrative addresses such as admin@ and webmaster@ | Environments where standard administrative email aliases are monitored |
| DNS TXT record | Add a DigiCert-generated random value to the domain's DNS as a TXT record | Most environments. Recommended as the least vulnerable to industry changes. |
| DNS CNAME record | Create a CNAME record pointing to a DigiCert validation host | Environments where DNS access is available and the domain uses CNAME routing |
| HTTP Practical Demonstration | Place a DigiCert-generated file on the web server at a specific URL | Environments with web server access and open port 80. Supports IPv4 and IPv6 address validation. |
| HTTP Practical Demonstration with unique filename | Place a DigiCert-generated file using a unique DigiCert-provided filename | Environments that centralize validation across servers using 302 redirects. Not supported for DV certificates. |
| ACME HTTP-01 | ACME client places a validation file on the web server automatically | Automated certificate workflows with web server access and open port 80. This doesn't support IP address validation. |
| ACME DNS-01 | ACME client creates a DNS TXT record automatically | Automated certificate workflows with DNS API access. Required for wildcard domain validation. This doesn't support IP address validation. |
Select your method and follow the link to the relevant topic in this chapter.
What's next
Validate domains before or during certificate orders to understand when to use pre-validation versus order-time validation