Add and validate a domain using DNS CNAME record
Add a domain to CertCentral and validate it by creating a DNS CNAME record that points to a DigiCert validation host. Use this method when the domain has a CNAME record pointing to another domain, for example yourdomain.com pointing to yourdomain.net, or when you prefer a CNAME-based validation approach.
Important
On October 28, 2025, DigiCert ended support for the [random_value] prefix DNS CNAME record configuration. To learn more about this change, see the October 28 change log entry.
To validate the domain:
Locate the DigiCert-generated random value on the Order details page or the Domain details page.
Create a DNS CNAME record with the hostname _dnsauth. Set the CNAME target to {random_value}.dcv.digicert.com.
Save the record and allow DNS propagation.
DigiCert validates the domain when it detects the DNS CNAME record that contains the correct DigiCert-generated random value.
Before you begin
At least one organization must exist in your CertCentral account before adding a domain. Domains must be assigned to an organization. See Add an organization to CertCentral.
To use the domain in OV, EV, Private TLS/SSL, or Secure Email certificates, submit the organization for organization validation before adding the domain.
You must have access and permission to create or modify DNS CNAME records for the domain.
Step I: Add the domain and select DNS CNAME record as the DCV method
In the CertCentral main menu, go to Certificates > Domains.
For Subscription accounts: In the CertCentral menu, go to Validation > Domains.
On the Domains page, select New Domain.
On the New Domain page, under Domain Details, enter the following:
Domain Name: Enter the domain you want to validate.
Organization: Select the organization to assign the domain to.
Under Domain control validation (DCV) method, select DNS CNAME Record.
Select Submit for validation.
Step II: Create the DNS CNAME record
On the domain details page, in the Domain control validation (DCV) method section, under User actions, copy the value from the Your unique verification token box.
The unique verification token expires after 30 days. To generate a new token, select Generate New Token.
Notice
If DigiCert generates two or more unique random values for the same domain, do not be concerned. All values are valid. Use any one of them to complete validation.
Go to your DNS provider's site and create a new CNAME record.
For more detailed instructions for creating or updating a DNS CNAME record, refer to your DNS provider's documentation or the following resources:
In the hostname field, enter _dnsauth.
In the record type field, select CNAME.
In the target host field, enter {random_value}.dcv.digicert.com, where {random_value} is the value copied from CertCentral. Add .dcv.digicert.com directly to the end of the DigiCert-generated random value. For example: _bs4fk5mhaqwf3902xevxvx.dcv.digicert.com
Select a Time-to-Live (TTL) value or use your DNS provider's default value.
Save the record.
Notice
You may delete the DNS CNAME record after you have verified your domain control.
Step III: Complete domain validation in CertCentral
In the CertCentral main menu, go to Certificates > Domains.
For Subscription accounts: In the CertCentral menu, go to Validation > Domains.
On the Domains page, in the Domain name column, select the domain link.
On the domain details page, in the Domain control validation (DCV) method section under User actions, select Check CNAME.
You can run the validation check manually or wait for DigiCert's automatic DCV check, also called DCV polling, to validate the domain automatically.
Common configuration issues
The _dnsauth prefix is omitted or misspelled in the hostname field. The hostname must be exactly _dnsauth.
The CNAME target value is formatted incorrectly. Confirm the target follows the format [random_value].dcv.digicert.com.
The CNAME record uses the old [random_value] prefix format. Update to the current _dnsauth prefix format.
The CNAME record conflicts with an existing DNS record for the same hostname.
DNS propagation is incomplete. Allow propagation time before triggering Check CNAME.
The verification token has expired. Select Generate New Token on the domain details page and repeat from Step II, Step 1.
When validation attempts fail, confirm the DNS record is publicly resolvable and matches the value displayed in CertCentral.
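The following added example (not DigiCert's code) checks a record against the Step II format and reports the configuration issues listed above before you select Check CNAME. The token, domain and the use of dig against a public resolver are assumptions; the token value is constructed, not a real CertCentral value.

```python
import subprocess
from typing import List, Optional, Tuple

# Constructed example token; in practice copy it from the "Your unique verification token" box.
EXAMPLE_TOKEN = "k7q2w9x4abc123tok"
DCV_SUFFIX = ".dcv.digicert.com"


def expected_record(domain: str, token: str) -> Tuple[str, str]:
    """Return the (hostname, target) pair CertCentral expects for this domain and token."""
    return (f"_dnsauth.{domain}", f"{token}{DCV_SUFFIX}")


def check_cname(domain: str, token: str, hostname: str, rtype: str, target: str) -> List[str]:
    """Compare one DNS record with the expected _dnsauth CNAME and list every issue found.
    An empty list means the record matches what Check CNAME will look for."""
    issues: List[str] = []
    want_host, want_target = expected_record(domain, token)
    host = hostname.strip().rstrip(".").lower()   # accept relative or fully qualified names
    tgt = target.strip().rstrip(".").lower()      # tolerate a trailing dot from the DNS UI
    if rtype.upper() != "CNAME":
        issues.append(f"record type is {rtype.upper()}, expected CNAME")
    label = host.split(".")[0]
    if label == token.lower():
        issues.append("hostname uses the retired [random_value] prefix; use _dnsauth")
    elif label != "_dnsauth":
        issues.append(f"hostname label is '{label}', expected '_dnsauth'")
    elif host not in ("_dnsauth", want_host):
        issues.append(f"hostname is '{host}', expected '{want_host}'")
    if not tgt.endswith(DCV_SUFFIX):
        issues.append(f"target must end with {DCV_SUFFIX}")
    elif tgt != want_target:
        issues.append(f"target is '{tgt}', expected '{want_target}' (token mismatch)")
    return issues


def resolve_cname(hostname: str, resolver: str = "1.1.1.1") -> Optional[str]:
    """Look up the CNAME target as the public internet sees it (assumes dig is installed).
    A public resolver is used on purpose so an unpropagated record shows up as missing."""
    out = subprocess.run(["dig", "+short", f"@{resolver}", "CNAME", hostname],
                         capture_output=True, text=True, timeout=10).stdout.strip()
    return out.splitlines()[0] if out else None


def ready_for_check_cname(domain: str, token: str) -> List[str]:
    """Live pre-check: fetch the published _dnsauth CNAME and run the same checks on it."""
    host, _ = expected_record(domain, token)
    published = resolve_cname(host)
    if published is None:
        return [f"no CNAME published for {host} (record missing or DNS propagation incomplete)"]
    return check_cname(domain, token, host, "CNAME", published)
```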
What's next
Validate domains using Automated Certificate Management Environment (ACME) challenges to automate DNS-based validation using an ACME client