Don't place verificationtoken.txt on a different domain or subdomain

To complete domain control validation for yourdomain.com, place the verificationtoken.txt file on the exact domain you want validated, the one we generate the URL for. We won’t look at a different domain or subdomain to find our random token. We only look at the domain you want validated, which is the one specified in your certificate order.

For example, if you need [yourdomain].com validated so that you can get an SSL/TLS certificate for it, we generate a URL for this domain: http://[yourdomain].com/.well-known/pki-validation/verificationtoken.txt. Don’t place the verificationtoken.txt file on sub.[yourdomain].com, and don’t modify the URL and place the file on [yourotherdomain].com. It won’t work. We won't look for the verificationtoken.txt file on these domains, only on [yourdomain].com.

yourdomain.com and www.yourdomain.com

If you want us to validate www.[yourdomain].com and [yourdomain].com, place the verificationtoken.txt file on [yourdomain].com. This will validate both [yourdomain].com and www.[yourdomain].com. We won’t look at www.[yourdomain].com to find the verificationtoken.txt file.

Free base domain SAN

If you received a free base domain SAN on your SSL/TLS certificate, make sure to place the verificationtoken.txt file on the base domain. We need to validate the domain on the SSL/TLS certificate order.
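
Pre-flight check for the placement rules above

The following Python sketch is an added example, not code from this page or from the certificate authority. It works out which host the token file must be served from for a name on the order, explains why a given placement would not be found, and confirms that the exact validation URL returns the token. The function names, the exact-match token comparison, and the handling of a leading "www." label are assumptions of the example.

```python
from urllib.parse import urlsplit
from urllib.request import urlopen

# Path taken from the validation URL shown on this page.
TOKEN_PATH = "/.well-known/pki-validation/verificationtoken.txt"


def host_to_check(order_domain):
    """Host the token file must be served from for a name on the order.

    Assumption: a single leading "www." label maps to the base domain, as the
    page describes for www.yourdomain.com; any other name is used exactly.
    """
    host = order_domain.strip().rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host


def validation_url(order_domain):
    return "http://" + host_to_check(order_domain) + TOKEN_PATH


def placement_problems(order_domain, placed_url):
    """Explain why a file served at placed_url would not be found."""
    want = host_to_check(order_domain)
    parts = urlsplit(placed_url)
    got = (parts.hostname or "").rstrip(".").lower()
    problems = []
    if got.endswith("." + want):
        problems.append(f"{got} is a subdomain of {want}; move the file to {want}")
    elif got != want:
        problems.append(f"{got} is a different domain; the order names {want}")
    if parts.path != TOKEN_PATH:
        problems.append(f"path must be {TOKEN_PATH}")
    return problems


def http_get(url):
    # Real network fetch; only runs when token_is_served() is called with it.
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def token_is_served(order_domain, expected_token, fetch=http_get):
    """True only if the exact validation URL returns the expected token."""
    try:
        body = fetch(validation_url(order_domain))
    except OSError:  # URLError and HTTPError are OSError subclasses
        return False
    # Assumption: the file holds only the token, compared after trimming.
    return body.strip() == expected_token.strip()
```

Run placement_problems() before uploading to catch a wrong host or path, then token_is_served() from a machine outside your network once the file is in place.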