
Domain Control Validation (DCV) — SSL/TLS

Before a Certificate Authority will issue a certificate for a domain, the requestor must prove they have control over that domain. This process is known as domain control validation (DCV).

DCV exceptions

Full setups

If your domain is on a full setup (Cloudflare runs your authoritative nameservers), we handle DCV automatically on your behalf using a TXT record.

Custom certificates

If your domain is using a custom certificate, you need to handle DCV on your own when you obtain certificates from a CA.

Perform DCV

If your application is on a partial/CNAME setup (someone else runs your authoritative nameservers), you may need to perform DCV.

Apex validation

When you perform DCV through Cloudflare, we recommend that you validate against your domain apex (example.com) instead of individual subdomains (blog.example.com). This recommendation applies even if you do not intend to proxy traffic from your apex domain.

When you validate against the apex, Cloudflare can complete DCV for all subdomains. Otherwise, you will have to validate each subdomain manually.

DCV methods

HTTP

If you are using proxied (orange-clouded) DNS records and can tolerate a few minutes of downtime, Cloudflare can handle DCV by using an HTTP token. This token is available for the Certificate Authority as soon as you create a CNAME record to Cloudflare in your authoritative DNS and you create proxied DNS records for your hostname within Cloudflare.

What happens after you create your records

Cloudflare contacts one of our Certificate Authority providers and asks them to issue certificates for the specified hostname. The CA will then inform Cloudflare that we need to “demonstrate control” of this hostname by returning a $DCV_TOKEN at a specified $DCV_FILENAME; both the token and the filename are randomly generated by the CA and not known to Cloudflare ahead of time.

For example, if you create a new custom hostname for site.example.com, the CA might ask us to return the value ca3-38734555d85e4421beb4a3e6d1645fe6 for a request to http://site.example.com/.well-known/pki-validation/ca3-39f423f095be4983922ca0365308612d.txt. As soon as we receive that value from the CA, we make it accessible at our edge and ask the CA to confirm it is there so that they can complete validation and the certificate order.

Though this process happens relatively quickly, your application may experience a brief period of downtime. If you want to use wildcard certificates or pre-validate your certificate — either to avoid downtime or prevent any issuance errors — use TXT or Email validation.

TXT

TXT record validation requires the creation of a TXT record in the hostname’s authoritative DNS.
  • API: txt_name and txt_value
  • Dashboard: When viewing an individual certificate at SSL/TLS > Edge Certificates, refer to the values for Certificate validation TXT name and Certificate validation TXT value.

At your authoritative DNS provider, create a TXT record with that name and containing that value. Once this TXT record is in place, validation and certificate issuance will complete automatically.

If you would like to request an immediate recheck, rather than wait for the next retry, send another PATCH request with the same values as your initial PATCH request.

Email

Email based validation will send an approval email to the contacts listed for a given domain in WHOIS, along with the following addresses: admin@, administrator@, hostmaster@, postmaster@, and webmaster@.

Once you create an advanced certificate or edit the validation_method via the API and use this validation method, you will see the following values after a few seconds:

  • API: emails
  • Dashboard: When viewing an individual certificate at SSL/TLS > Edge Certificates, refer to the value for Certificate validation email recipients.

The addresses listed in this field will receive an email from support@certvalidate.cloudflare.com. They should either click Review Certificate Request or the https://certvalidate.cloudflare.com hyperlink.

Certificate Validation Email

As soon as the domain owner has clicked the link in this email and clicked Approve on the validation page, the certificate will move through the various statuses until it becomes Active.

If you would like to request an immediate recheck, rather than wait for the next retry, send another PATCH request with the same values as your initial PATCH request.

CNAME

If you use Digicert as your Certificate Authority (CA), you can complete DCV with a special CNAME record.

Since this method is only available using the API, you need to make a PATCH request and set a "validation_method":"cname" parameter.

In the response, you will see two properties inside of the verification_info object: cname and cname_target (you can also see these values in the dashboard by clicking that specific hostname certificate). Then, use these values to add a CNAME record at your authoritative DNS provider.

If you would like to request an immediate recheck, rather than wait for the next retry, send another PATCH request with the same values as your initial PATCH request.
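Before sending the recheck PATCH described in the TXT and CNAME sections above, it is worth confirming that the record Cloudflare asked for is actually visible in DNS, since a recheck against a missing or mistyped record simply fails again. The following is an added example, not Cloudflare's code; it assumes the TXT fields (txt_name, txt_value) sit on the certificate object and the CNAME fields under verification_info, and uses constructed sample data in place of a live resolver.

```python
# Added example (not Cloudflare's code): check that the DCV record Cloudflare
# asked for is present in DNS before requesting an immediate recheck.
# Field placement (txt_name/txt_value on the certificate object,
# verification_info.cname/cname_target) is an assumption; only the field
# names themselves come from the docs.

def _norm_name(name: str) -> str:
    """DNS owner names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()

def _norm_txt(value: str) -> str:
    """Resolvers often return TXT rdata wrapped in double quotes; strip them."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] == '"':
        v = v[1:-1]
    return v

def expected_record(cert: dict):
    """Return (rrtype, owner_name, expected_rdata) for a TXT or CNAME DCV order."""
    method = cert.get("validation_method")
    if method == "txt":
        return ("TXT", _norm_name(cert["txt_name"]), _norm_txt(cert["txt_value"]))
    if method == "cname":
        info = cert["verification_info"]
        return ("CNAME", _norm_name(info["cname"]), _norm_name(info["cname_target"]))
    # HTTP and email validation leave nothing in DNS to check.
    raise ValueError(f"no DNS record to check for validation_method={method!r}")

def record_in_place(cert: dict, answers: list) -> bool:
    """answers: list of (owner, rrtype, rdata) tuples as a resolver would return them."""
    rrtype, owner, want = expected_record(cert)
    for a_owner, a_type, a_data in answers:
        if a_type != rrtype or _norm_name(a_owner) != owner:
            continue
        got = _norm_txt(a_data) if rrtype == "TXT" else _norm_name(a_data)
        if got == want:
            return True
    return False

# Constructed sample certificate objects and DNS answers (placeholder values).
SAMPLE_TXT_CERT = {
    "validation_method": "txt",
    "txt_name": "_cf-dcv-placeholder.example.com",
    "txt_value": "PLACEHOLDER_TXT_TOKEN",
}
SAMPLE_CNAME_CERT = {
    "validation_method": "cname",
    "verification_info": {"cname": "_dcv.example.com",
                          "cname_target": "dcv-target.placeholder.example.net"},
}
SAMPLE_ANSWERS = [
    ("_cf-dcv-placeholder.example.com.", "TXT", '"PLACEHOLDER_TXT_TOKEN"'),
    ("_DCV.example.com.", "CNAME", "dcv-target.placeholder.example.net."),
]
```

Only send the recheck PATCH once record_in_place returns True for the certificate in question; for a real lookup, query the authoritative nameservers directly rather than a caching resolver so stale negative answers do not mislead the check.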

Verify DCV status

To verify the DCV status of a domain, either view the certificate in the dashboard or use the Verification Status endpoint.

A status of active means that the certificate has been deployed to Cloudflare’s edge network and will be served as soon as HTTP traffic is proxied to Cloudflare.

Update DCV method for an active certificate

You cannot update the DCV method for an active certificate. To update the DCV method for a subdomain, wait until the DCV expires and then change the DCV method.

Renew certificates issued by DCV

If you are using a proxied hostname, new certificates are automatically validated via HTTP.

If you need to use another validation method — for example, if you are using wildcard certificates or certificates with multiple SANs — you need to repeat the DCV process with your chosen method.