Add and validate a domain using DNS TXT record
Add a domain to CertCentral and demonstrate control over it by creating a DNS TXT record that includes a DigiCert-generated random value. When the DNS TXT record is ready, DigiCert searches the domain's DNS records to confirm the presence of the random value.
Notice
The DNS TXT record method is the least vulnerable to future industry changes. If you are deciding which DCV method to use or looking to switch, DigiCert recommends this method.
Before you begin
At least one organization must exist in your CertCentral account before adding a domain. Domains must be assigned to an organization. See Add an organization to CertCentral.
To use the domain in OV, EV, Private TLS/SSL, or Secure Email certificates, submit the organization for organization validation before adding the domain.
You must have access and permission to create or modify DNS TXT records for the domain.
Step I: Add the domain and select DNS TXT record as the DCV method
In the CertCentral main menu, go to Certificates > Domains.
For Subscription accounts: In the CertCentral menu, go to Validation > Domains.
On the Domains page, select New Domain.
On the New Domain page, under Domain Details, enter the following:
Domain Name: Enter the domain you want to validate.
Organization: Select the organization to assign the domain to.
Under Domain control validation (DCV) method, select DNS TXT Record.
Select Submit for validation.
Step II: Create the DNS TXT record
On the domain details page, in the Domain control validation (DCV) method section, under User actions, copy the value from the Your unique verification token box.
The unique verification token expires after 30 days. To generate a new token, select Generate New Token.
Notice
If DigiCert generates two or more unique random values for the same domain, do not be concerned. All values are valid. Use any one of them to complete validation.
Go to your DNS provider's site and create a new TXT record.
For more detailed instructions for creating or updating a DNS TXT record, refer to your DNS provider's documentation or the following resources:
In the TXT Value field, enter the verification token copied from CertCentral. Do not add extra characters or modify the value.
In the Host field, enter the correct value based on what you are validating:
Base domain (yourdomain.com): Leave the field blank or use the @ symbol, depending on your DNS provider's requirements.
Subdomain (sub.yourdomain.com): Enter the subdomain you are validating, for example sub.yourdomain.
In the record type field, select TXT.
Select a Time-to-Live (TTL) value or use your DNS provider's default value.
Save the record.
Notice
You may delete the DNS TXT record after you have verified your domain control.
Step III: Complete domain validation in CertCentral
In the CertCentral main menu, go to Certificates > Domains.
For Subscription accounts: In the CertCentral menu, go to Validation > Domains.
On the Domains page, in the Domain name column, select the domain link.
On the domain details page, in the Domain control validation (DCV) method section under User actions, select Check TXT.
You can run the validation check manually or wait for DigiCert's automatic DCV check, also called DCV polling, to validate the domain automatically.
Common configuration issues
The TXT record is created on the wrong hostname: confirm the Host field value matches the domain being validated.
The verification token is copied incorrectly or modified: copy the exact value from CertCentral without changes.
Additional characters are added to the record value: the TXT Value field must contain only the verification token.
DNS propagation is incomplete: allow propagation time before triggering Check TXT.
The verification token has expired: select Generate New Token on the domain details page and repeat Step II from its first step.
When validation does not complete, confirm that the record is publicly resolvable and that its value exactly matches the token displayed in CertCentral. Retrieve a new token if the original has expired.
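The following is an added example (not DigiCert's or CertCentral's own code) of a local pre-check to run before selecting Check TXT: it fetches the public TXT records with dig (assumed to be installed), normalizes them the way a resolver presents them, and classifies the result against the common configuration issues listed above. The token and domain names in the comments are constructed placeholders, and the near-miss heuristics (extra characters, case or whitespace damage, record placed on the parent name) are this example's own.

```python
import shlex
import subprocess
from typing import Dict, List


def normalize_txt(raw: str) -> str:
    """Join a presentation-format TXT rdata such as '"abc" "def"' into 'abcdef'.
    Long TXT values are split into 255-byte character-strings; DCV compares the joined value."""
    return "".join(part for part in shlex.split(raw.strip()))


def fetch_txt(name: str) -> List[str]:
    """Query public DNS for the TXT records at `name` (assumes `dig` is on PATH)."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=True).stdout
    return [normalize_txt(line) for line in out.splitlines() if line.strip()]


def diagnose_dcv_txt(records_by_name: Dict[str, List[str]], domain: str, token: str) -> str:
    """Classify why Check TXT would pass or fail for `domain` given the TXT values seen.
    Returns "ok", "extra-characters", "token-modified", "wrong-hostname" or "not-found"."""
    want = domain.rstrip(".").lower()
    recs = {n.rstrip(".").lower(): v for n, v in records_by_name.items()}
    own = recs.get(want, [])
    if token in own:                                   # exact value on the right name
        return "ok"
    if any(token in v for v in own):                   # token present but with prefix/suffix text
        return "extra-characters"
    if any(v.strip().lower() == token.lower() for v in own):  # case/whitespace damage (heuristic)
        return "token-modified"
    for name, values in recs.items():                  # exact token found, but on another name
        if name != want and any(token in v for v in values):
            return "wrong-hostname"
    return "not-found"                                 # not created yet, or still propagating


def check_live(domain: str, token: str) -> str:
    """Live pre-check: look at the domain and, for a subdomain, its parent, so that a record
    mistakenly created on the base domain is reported as 'wrong-hostname'."""
    names = [domain]
    if domain.count(".") >= 2:                         # e.g. sub.example.com -> example.com
        names.append(domain.split(".", 1)[1])
    return diagnose_dcv_txt({n: fetch_txt(n) for n in names}, domain, token)
```

Run `check_live("sub.example.com", "<token from CertCentral>")` and act on the returned class; "not-found" after a fresh edit usually means propagation is still in progress.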
What's next
Add and validate a domain using DNS CNAME record: an alternative DNS validation method in which the record points to a DigiCert-hosted endpoint.