Skip to main content

CertCentral Domain validation scope settings

By default, CertCentral sets your domain validation scope for validation through the TLS/SSL certificate request process to Submit base domains for validation. Validating the base domain also validates all that domain’s subdomains, reducing the domain validation you must do to get your certificates.

However, you can update the domain validation scope settings as needed to align with the domain validation process for your organization. You have two options: submit base domains or the exact domain names for validation.

Note

These settings do not apply to the domain prevalidation process. For domain prevalidation, you always submit the domain name you want to validate. This means you always validate the exact domain name. To learn more about domain prevalidation, see Domain prevalidation.

Configure the domain validation scope for TLS/SSL certificate requests

  1. In CertCentral, in the left menu, go to Settings > Preferences.

  2. On the Preferences page, expand Advanced Settings.

  3. In the Domain Control Validation (DCV) section, under Domain validation scope, select one of the following options:

    • Submit base domains for validation

      This option allows you to validate the domains on the order at the base domain level. Validating the base domain also validates all subdomains of the base domain.

      For example, you add sub.subdomain.example.com, mail.example.com, and example.domain.com. Only the base domains are submitted for validation: example.com and domain.com.

    • Submit exact domain names for validation

      This option allows you to validate domains on the order exactly as they are named.

      For example, you add sub.subdomain.example.com, mail.example.com, and example.domain.com. Each domain is submitted for validation exactly as named: sub.subdomain.example.com, mail.example.com, and example.domain.com.

  4. Allow users to define the validation scope and override these settings

    Instead of changing the account DCV scope settings for a new certificate order or reissue, the certificate requestor can change the DCV scope for that specific certificate request.

    • To add this option to your TSL/SSL certificate request forms, check Allow users to define the validation scope and override settings.

    • To remove this option from your TSL/SSL certificate request forms, uncheck Allow users to define the validation scope and override settings.

    Note

    Domain validation scope settings do not restrict orders submitted through the CertCentral Services API. API clients can override these settings by adding the certificate_dcv_scope parameter to their request. This parameter sets a custom DCV scope for the order.

  5. When done, go to the bottom of the page and select Save Settings.

What’s next

The next time you request or reissue a TLS certificate, the request form and domain validation scope for the request will match these settings.