CertCentral: DNS CNAME DCV method now available for DV certificate orders
In CertCentral and the CertCentral Services API, you can now use the DNS CNAME domain control validation (DCV) method to validate the domains on your DV certificate order.
Note: Before, you could only use the DNS CNAME DCV method to validate the domains on OV and EV certificate orders and when prevalidating domains.
To use the DNS CNAME DCV method on your DV certificate order:
Note: The AuthKey process for generating request tokens for immediate DV certificate issuance does not support the DNS CNAME DCV method. However, you can use the File Auth (http‑token) and DNS TXT (dns‑txt‑token) DCV methods. To learn more, visit DV certificate immediate issuance.
To learn more about using the DNS CNAME DCV method:
CertCentral Services API: Improved List domains endpoint response
To make it easier to find information about the domain control validation (DCV) status for domains in your CertCentral account, we added these response parameters to domain objects in the List domains API response:
dcv_approval_datetime
: Completion date and time of the most recent DCV check for the domain.last_submitted_datetime
: Date and time the domain was last submitted for validation.For more information, see the reference documentation for the List domains endpoint.
Industry changes to file-based DCV (HTTP Practical Demonstration, file auth, file, HTTP token, and HTTP auth)
To comply with new industry standards for the file-based domain control validation (DCV) method, you can only use the file-based DCV to demonstrate control over fully qualified domain names (FQDNs), exactly as named.
To learn more about the industry change, see Domain validation policy changes in 2021.
How does this affect me?
As of November 16, 2021, you must use one of the other supported DCV methods, such as Email, DNS TXT, and CNAME, to:
To learn more about the supported DCV method for DV, OV, and EV certificate requests:
CertCentral: Pending certificate requests and domain prevalidation using file-based DCV
Pending certificate request
If you have a pending certificate request with incomplete file-based DCV checks, you may need to switch DCV methods* or use the file-based DCV method to demonstrate control over every fully qualified domain name, exactly as named, on the request.
*Note: For certificate requests with incomplete file-based DCV checks for wildcard domains, you must use a different DCV method.
To learn more about the supported DCV methods for DV, OV, and EV certificate requests:
Domain prevalidation
If you plan to use the file-based DCV method to prevalidate an entire domain or entire subdomain, you must use a different DCV method.
To learn more about the supported DCV methods for domain prevalidation, see Supported domain control validation (DCV) methods for domain prevalidation.
CertCentral Services API
If you use the CertCentral Services API to order certificates or submit domains for prevalidation using file-based DCV (http-token), this change may affect your API integrations. To learn more, visit File-based domain control validation (http-token).
行业标准变更
从 2019 年 7 月 31 日 (19:30 UTC) 开始,您必须使用 HTTP 实用演示 DCV 方法演示对证书订单上的 IP 地址的控制权。
有关 HTTP 实用演示 DCV 方法的更多信息,请参阅这些说明:
行业标准过去允许使用其他 DCV 方法证明对 IP 地址的控制权。但是,随着投票 SC7 的通过,IP 地址验证法规已更改。
该投票重新定义了验证客户对证书中所列 IP 地址控制权的允许流程和程序。投票 SC7 合规性更改从 2019 年 7 月 31 日 (19:30 UTC) 开始生效。
为了保持合规,从 2019 年 7 月 31 日 (19:30 UTC) 开始,DigiCert 仅允许客户使用 HTTP 实用演示 DCV 方法验证 IP 地址。
移除对 IPv6 的支持
从 2019 年 7 月 31 日 (19:30 UTC) 开始,DigiCert 移除了对 IPv6 地址证书的支持。由于服务器限制,DigiCert 无法连接到 IPv6 地址以验证在客户的 HTTP 实用演示 DCV 方法网站上放置的文件。