File-based domain control validation (http-token)
5 minute read
This article describes how the CertCentral Services API handles requests to validate domains submitted with a domain control validation (DCV) method of http-token and http-token-dynamic.
Note
DigiCert only supports the use of the file-based DCV methods to demonstrate control over fully qualified domain names (FQDNs) exactly as named in the certificate request.
Use one of the other supported DCV methods, such as email, DNS TXT, and CNAME, to:
- Validate wildcard domains (
*.example.com). - Include subdomains in the validation when validating a higher-level domain. For example, if you want to cover
www.example.comwhen validating the higher-level domainexample.com. - Prevalidate entire domains and subdomains.
Certificate order requests
When using the Services API to request DV, OV, and EV TLS/SSL certificates, you can choose file-based DCV by setting the dcv_method request parameter to http-token or http-token-dynamic. Because http-token and http-token-dynamic are not valid DCV methods for wildcard domains, the API handles requests differently when the common_name or dns_names fields include a wildcard domain.
Warning
DV TLS certificates only support thehttp-token DCV method. They do not support the http-token-dynamic DCV method.Non-wildcard domains only
Certificate order requests with common_name and dns_names fields that only contain non-wildcard domains are accepted. To complete domain validation, upload the random value in the API response to each individual FQDN on the order.
http-tokenTo complete domain validation, upload the random value in the API response to each individual FQDN on the order. For example, to validate the domains in the JSON payload below, upload the random value toexample.comandsub.example.com. Example request with non-wildcard domains{ "certificate": { "common_name": "example.com", "dns_names": [ "sub.example.com" ] ... }, "dcv_method": "http-token", ... }http-token-dynamicTo complete domain validation, add a file with a random file name that contains a random value in the API response to each individual FQDN on the order. For example, to validate the domains in the JSON payload below, add a file with a random file name that contains a random value toexample.comandsub.example.com. Example request with non-wildcard domains{ "certificate": { "common_name": "example.com", "dns_names": [ "sub.example.com" ] ... }, "dcv_method": "http-token-dynamic", ... }
Wildcard domains only
For products that allow wildcard domain names, certificate order requests with common_name and dns_name fields containing wildcard domains only (*.example.com) are rejected with the error code invalid_wildcard_dcv_method. To request a certificate that only includes wildcard domains, use a different DCV method (email, dns-txt-token, or dns-cname-token).
Example http-token-dynamic request with wildcard domain
{
"certificate": {
"common_name": "*.example.com",
...
},
"dcv_method": "http-token-dynamic",
...
}
Both wildcard and non-wildcard domains
For products that allow wildcard domain names, certificate order requests with common_name and dns_name fields that contain a combination of wildcard and non-wildcard domains (for example, *.example.com, my.biz.example.com, and example.net) are handled differently depending on whether the order is for a DV or OV/EV certificate.
Note
EV certificates only allow wildcard domains if the right-most domain label is “onion” (*.example.onion). To learn more about ordering a certificate for your .onion address, visit Ordering a .onion certificate from DigiCert.Example http-token request with wildcard and non-wildcard domains
{
"certificate": {
"common_name": "*example.com",
"dns_names": [
"my.biz.example.com"
"example.net"
]
...
},
"dcv_method": "http-token",
...
}
DV certificate orders
DV certificate order requests with common_name and dns_name fields containing a combination of wildcard and non-wildcard domains are rejected with the error code invalid_wildcard_dcv_method. To request a DV certificate that includes wildcard and non-wildcard domains, use a different DCV method (email, dns-txt-token, or dns-cname-token).
OV/EV certificate orders
OV/EV certificate order requests with common_name and dns_name fields that contain a combination of wildcard and non-wildcard domains are accepted.
- Non-wildcard domains (
example.net) are submitted for validation with a DCV method ofhttp-tokenorhttp-token-dynamic.1 To complete DCV checks, upload the token in the API response for each of these domains. - Wildcard domains (
*.example.com) are submitted for validation with a DCV method of email. If the order includes non-wildcard subdomains of the wildcard domain (my.biz.example.com), these subdomains are validated when you complete the email DCV check for the wildcard domain. These subdomains are not individually submitted for file-based DCV.
Note
1For accounts configured to submit base domains for validation
If you request an OV/EV certificate for both a wildcard domain (*.sub.example.com) and a higher-level domain of the wildcard domain (example.com), the shared base domain (example.com) is submitted for validation using email DCV. The DCV method for the base domain is automatically changed to email when you submit your request. This allows DigiCert to honor the account setting to submit the base domain for validation. To validate both domains, complete the email DCV check for the base domain.
Domain prevalidation
The Services API allows you to prevalidate domains for OV and EV certificate requests. Prevalidating domains reduces the number of tasks you must complete before your OV or EV certificate can be issued.
Use these endpoints to submit domains for prevalidation:
- New domains: Add domain
- Existing domains: Submit for validation
When you submit a domain for prevalidation, you choose which DCV method to use to prove control over the domain.
- Using
email,dns-txt-token, ordns-cname-token(recommended) validates the submitted domain and any wildcard domains or subdomains of the submitted domain. - Using
http-tokenorhttp-token-dynamiconly validates the specific FQDN submitted for prevalidation.
Note
Requests to add or submit a wildcard domain (*.example.com) for validation using the http-token or http-token-dynamic DCV methods are rejected with the error code invalid_wildcard_dcv_method.