Use DigiCert-supported domain control validation (DCV) methods
Select a DCV method that aligns with your environment, infrastructure, and automation requirements. DigiCert supports the following DCV methods:

| DCV type | DCV methods |
|---|---|
| Email-based | Email to DNS TXT record contact, Email to DNS CAA record contact, Constructed email |
| DNS-based | DNS TXT record (recommended), DNS CNAME record |
| Website-based | HTTP Practical Demonstration, HTTP Practical Demonstration with unique filename |
| ACME challenges | HTTP-01, DNS-01 |

The following table describes each method and its requirements to help you select the most appropriate method for your environment:

| Method | How it works | Best for |
|---|---|---|
| Email to DNS TXT record contact | DigiCert sends an authorization email to the address in the domain's DNS TXT record | Environments where DNS access is available and a monitored contact email is defined |
| Email to DNS CAA record contact | DigiCert sends an authorization email to the address in the domain's CAA record | Environments where a CAA record contact email is already configured |
| Constructed email | DigiCert sends authorization emails to standard administrative addresses such as admin@ and webmaster@ | Environments where standard administrative email aliases are monitored |
| DNS TXT record | Add a DigiCert-generated random value to the domain's DNS as a TXT record | Most environments. Recommended as the least vulnerable to industry changes. |
| DNS CNAME record | Create a CNAME record pointing to a DigiCert validation host | Environments where DNS access is available and the domain uses CNAME routing |
| HTTP Practical Demonstration | Place a DigiCert-generated file on the web server at a specific URL | Environments with web server access and open port 80. Supports IPv4 and IPv6 address validation. |
| HTTP Practical Demonstration with unique filename | Place a DigiCert-generated file using a unique DigiCert-provided filename | Environments that centralize validation across servers using 302 redirects. Not supported for DV certificates. |
| ACME HTTP-01 | ACME client places a validation file on the web server automatically | Automated certificate workflows with web server access and open port 80. Does not support IP address validation. |
| ACME DNS-01 | ACME client creates a DNS TXT record automatically | Automated certificate workflows with DNS API access. Required for wildcard domain validation. Does not support IP address validation. |

Select your method and follow the link to the relevant topic in this chapter.
What's next
See "Validate domains before or during certificate orders" to understand when to use prevalidation versus order-time validation.