
Add and validate a domain using HTTP Practical Demonstration

Add a domain to CertCentral and demonstrate control over it by hosting a file containing a DigiCert-generated random value at a predetermined location on your web server. DigiCert goes to the specified URL to confirm the presence of the random value.

Notice

Use the HTTP Practical Demonstration DCV method to validate a fully qualified domain name (FQDN) exactly as named. To learn more, see Domain Validation Policy Changes.

Before you begin

  • At least one organization must exist in your CertCentral account before adding a domain. See Add an organization to CertCentral.

  • To use the domain in OV, EV, or Private TLS certificates, submit the organization for organization validation before adding the domain.

  • You must have access and permission to add files to the web server for the domain being validated.

  • Port 80 must be open and publicly accessible.

  • Review the limitations of website-based DCV methods in Validate domains using website validation methods before proceeding.

Step I: Add the domain and select HTTP Practical Demonstration as the DCV method

  1. In the CertCentral main menu:

    • For Enterprise, Partner, or Legacy accounts: go to Certificates > Domains.

    • For Subscription accounts: go to Validation > Domains.

  2. On the Domains page, select New Domain.

  3. On the New Domain page, under Domain Details, enter the following:

    • Domain Name: Enter the domain you want to validate.

    • Organization: Select the organization to assign the domain to.

  4. Under Domain control validation (DCV) method, select HTTP Practical Demonstration.

  5. Select Submit for validation.

Step II: Create the validation file and place it on your web server

  1. On the domain details page, in the Domain control validation (DCV) method section, under User actions, copy the value from the Your unique verification token box. The verification token expires after 30 days. To generate a new token, select Generate New Token.

    Notice

    If DigiCert generates two or more unique random values for the same domain, do not be concerned. All values are valid. Use any one of them to complete validation.

  2. Open a text editor such as Notepad and add the verification token as the only content in the file. Do not add extra characters, labels, or line breaks.

  3. Save the file with the name fileauth.txt.

  4. Place the fileauth.txt file on your web server under /.well-known/pki-validation/. If the /.well-known/pki-validation/ directory does not exist, create it first:

    For Windows-based servers, use the command line (mkdir .well-known) or set up a virtual directory in IIS.

  5. Confirm the file is publicly accessible at:

    http://[your-domain]/.well-known/pki-validation/fileauth.txt

Step III: Complete domain validation in CertCentral

  1. In the CertCentral main menu:

    • For Enterprise, Partner, or Legacy accounts: go to Certificates > Domains.

    • For Subscription accounts: go to Validation > Domains.

  2. On the Domains page, in the Domain name column, select the domain link.

  3. On the domain details page, in the Domain control validation (DCV) method section under User actions, select Check HTTP Token.

You can run the validation check manually or wait for DigiCert's automatic DCV check, also called DCV polling, to validate the domain automatically.

Notice

You may delete the validation file after you have verified your domain control.

Notice

Validation applies only to the fully qualified domain name as requested. Validating example.com does not validate www.example.com. Validate each domain and subdomain separately.

Common configuration issues

  • The file is placed on a different subdomain than the one being validated. Place the file on the exact FQDN being validated.

  • The file is placed in the wrong directory. The path must be exactly /.well-known/pki-validation/fileauth.txt.

  • Additional text is added to the file. The file must contain only the verification token.

  • Redirects prevent DigiCert from retrieving the file. Redirects must use supported HTTP status codes (301, 302, or 307) and begin with the domain being validated.

  • Port 80 is blocked by a firewall or geographic filtering rule. Add DigiCert IP addresses to your allowlist. See IP addresses DigiCert uses for the HTTP Practical Demonstration check.
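A pre-flight check for the issues listed above, run before selecting Check HTTP Token. This is an added example, not DigiCert code or tooling: the function names, the expectation of a final 200 response, and the strict byte-for-byte comparison are assumptions based on the rules stated on this page.

```python
import http.client
import sys
from urllib.parse import urljoin, urlsplit

DCV_PATH = "/.well-known/pki-validation/fileauth.txt"  # path given on this page
ALLOWED_REDIRECTS = {301, 302, 307}                     # status codes the page lists
BOM = b"\xef\xbb\xbf"                                   # UTF-8 byte order mark some editors prepend

def fetch(fqdn, max_hops=5):
    """GET the DCV file over port 80, following redirects by hand so every hop is recorded."""
    url, hops, body = f"http://{fqdn}{DCV_PATH}", [], b""
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.netloc, timeout=10)
        conn.request("GET", (parts.path or "/") + (f"?{parts.query}" if parts.query else ""))
        resp = conn.getresponse()
        body, location = resp.read(), resp.getheader("Location")
        conn.close()
        hops.append((resp.status, url))
        if resp.status // 100 != 3 or not location:
            break
        url = urljoin(url, location)
    return hops, body

def evaluate(token, hops, body):
    """Return a list of problems; an empty list means the file rules on this page are met."""
    problems = [f"{url} redirects with unsupported status {status}"
                for status, url in hops[:-1] if status not in ALLOWED_REDIRECTS]
    status, url = hops[-1]
    expected = token.encode()
    if status != 200:  # assumption: a successful fetch ends in 200
        problems.append(f"{url} returned status {status}, expected 200")
    elif body != expected:
        rest = body[len(BOM):] if body.startswith(BOM) else body
        if rest != body:
            problems.append("file starts with a UTF-8 byte order mark")
        if rest.strip() != expected:
            problems.append("file content does not match the token")
        elif rest != expected:
            problems.append("extra whitespace or line break around the token")
    return problems

if __name__ == "__main__":
    fqdn, token = sys.argv[1], sys.argv[2]  # usage: python dcv_check.py <fqdn> <token>
    issues = evaluate(token, *fetch(fqdn))
    print("\n".join(issues) or "OK: file served with exactly the token")
    sys.exit(1 if issues else 0)
```

Run it from a host outside your own network. A pass from your vantage point does not show that firewall or geographic filtering rules admit DigiCert's IP addresses.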

What's next

Add and validate a domain using HTTP Practical Demonstration with unique filename for environments that centralize validation files across servers using redirects