Every request for enrollment, renewal, reissue, and revocation goes through the domain control validation (DCV) process.
All our APIs support authentication by the more commonly used DCV email method. Partners who have DNS-level control over their customers' domains can automate the authentication process for domain-validated products. Automation is available only with the DNS-based and file-based authentication methods.
Starting with release 2017-5, we also validate all the SANs in your order along with the common name.
Sends an approval request to a registered domain contact.
Using DCV email method
Starting with the 2017-2 release, the email approval link is valid for 30 days. The PIN length is now 26 characters. If customers attempt to use a link sent before 2017-2, they will see an invalid PIN error. To avoid this error, resend the approval email.
Validates a file on your web server to authenticate the domain. This method is available only with enrollment APIs for domain-validated products. You cannot use file-based authentication for revoke and reissue APIs. To enable file-based authentication, contact the API support team or your sales engineer.
Server Name Indication (SNI) is supported during file-based authentication. File-based authentication completes the check with a random value and does not support the preshared key authentication method.
File-based authentication does not work with TLS 1.0. Your site must support TLS 1.1 or TLS 1.2 for this method to work.
Using file-based authentication
Starting with release 2017-7, you must place the fileauth.txt file on both the domain in your order and the domain added for free with your order. For example, if you order www.domain.com and get domain.com for free, you must place the secret PIN in two places: http://www.domain.com/.well-known/pki-validation/fileauth.txt and http://domain.com/.well-known/pki-validation/fileauth.txt
Fileauth.txt sample contents
File authentication for two orders on http(s)://<domain>/.well-known/pki-validation/fileauth.txt:
Validates a DNS entry to authenticate the domain. DNS-based authentication is available for the enroll, renew, reissue, and revoke actions, and for DV, OV, and EV products. Contact the API support team or your sales engineer to enable DNS-based authentication for your account. DNS-based authentication is not available for code-signing certificates.
DNS authentication methods:
The DNS entry is a TXT record on the requested domain. You can update an existing TXT record or create a new one. The content of the TXT record is generated from a shared secret or a random string, in the format <yyyyMMddHHmmss><secret code>.
For multiple orders, add one 64-character <yyyyMMddHHmmss><secret code> entry per order to the TXT record. Separate the entries with a line break, taking care not to break a 64-character string across lines.
yyyyMMddHHmmss is a time within the order window (from 7 days before the order date up to the time the order was placed), and <secret code> is an HMACSHA2 hash of <yyyyMMddHHmmss><CSR> computed with the shared key.
Example TXT record (new record)
If the domain does not have a DNS TXT record, create one.
auth.scan-test.net. 3600 IN TXT "20170222202651ztkf61glu4h63r88opc9g1n5y5hveqf8r2t7cwuxugdiu72x1y 20170222202651ztkf61glu4h63r88opc9g1n5y5hveqf8r2t7cwuxugdiu72x1y"
Example TXT record (update existing record)
If the domain already has a DNS TXT record, update it with the <yyyyMMddHHmmss><secret code> combination for each order you want to verify.
auth.scan-test.net. 3600 IN TXT "purpose=something mx a:mail.scan-test.net include:servers.scan-test.net ~all 20170222202651ztkf61glu4h63r88opc9g1n5y5hveqf8r2t7cwuxugdiu72x1y 20170222202651ztkf61glu4h63r88opc9g1n5y5hveqf8r2t7cwuxugdiu72x1y"
If you cannot create a TXT record on a name that already has a CNAME record (DNS does not allow other records alongside a CNAME), contact DigiCert to turn on the authorized domain name prefix feature for your account. Once this feature is turned on, add the _dnsauth prefix to the names of all of your DNS authentication TXT records.
_dnsauth.auth.scan-test.net. 3600 IN TXT "20170222202651ztkf61glu4h63r88opc9g1n5y5hveqf8r2t7cwuxugdiu72x1y 20170222202651ztkf61glu4h63r88opc9g1n5y5hveqf8r2t7cwuxugdiu72x1y"
Using DNS-based authentication
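The following is an added example, not DigiCert's own code, showing how a checker on the validating side would handle the TXT record format described above: it picks the 64-character <yyyyMMddHHmmss><secret code> entries out of a record value (ignoring any SPF-style text in an updated record), rejects timestamps outside the 7-day order window, and recomputes the secret code as an HMAC over <yyyyMMddHHmmss><CSR> with the shared key. The page does not state which SHA-2 variant is used or how the digest becomes the 50-character lowercase code; this example assumes HMAC-SHA256 rendered as zero-padded base36, and the shared key, CSR and order time are constructed sample values.

```python
import hashlib, hmac, re
from datetime import datetime, timedelta

# An entry is <yyyyMMddHHmmss> (14 digits) followed by a 50-character secret code: 64 characters total.
ENTRY_RE = re.compile(r"\b(\d{14})([a-z0-9]{50})\b")
# The timestamp must lie between 7 days before the order date and the time the order was placed.
ORDER_WINDOW = timedelta(days=7)

def to_base36(n: int, width: int = 50) -> str:
    """Assumed encoding (not stated on the page): lowercase base36, zero-padded to 50 characters."""
    alphabet, out = "0123456789abcdefghijklmnopqrstuvwxyz", ""
    while n:
        n, r = divmod(n, 36)
        out = alphabet[r] + out
    return out.rjust(width, "0")

def secret_code(timestamp: str, csr: str, shared_key: bytes) -> str:
    """HMAC-SHA2 over <yyyyMMddHHmmss><CSR> keyed with the shared key; SHA-256 is an assumption."""
    digest = hmac.new(shared_key, (timestamp + csr).encode(), hashlib.sha256).digest()
    return to_base36(int.from_bytes(digest, "big"))

def find_valid_entries(txt_value: str, order_time: datetime, csr: str, shared_key: bytes) -> list:
    """Return the entries in a TXT record value that are well-formed, inside the order window and
    carry the secret code recomputed for this order. Other content (e.g. SPF text) is ignored."""
    valid = []
    for stamp, code in ENTRY_RE.findall(txt_value):
        try:
            when = datetime.strptime(stamp, "%Y%m%d%H%M%S")
        except ValueError:
            continue  # 14 digits but not a real date/time
        if not order_time - ORDER_WINDOW <= when <= order_time:
            continue  # stale or future-dated entry
        if hmac.compare_digest(code, secret_code(stamp, csr, shared_key)):
            valid.append(stamp + code)
    return valid

# Constructed sample values, not a real key, CSR or order.
SHARED_KEY = b"constructed-shared-key"
CSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBconstructedsample\n-----END CERTIFICATE REQUEST-----"
ORDER_TIME = datetime(2017, 2, 22, 20, 30, 0)
GOOD_ENTRY = "20170222202651" + secret_code("20170222202651", CSR, SHARED_KEY)
STALE_ENTRY = "20170210120000" + secret_code("20170210120000", CSR, SHARED_KEY)  # 12 days old
OTHER_ENTRY = "20170222202651" + secret_code("20170222202651", CSR, b"other-partner-key")  # another order
# An existing SPF-style record updated in place, as in the second TXT example above.
SAMPLE_TXT = ("purpose=something mx a:mail.scan-test.net include:servers.scan-test.net ~all "
              + " ".join([GOOD_ENTRY, STALE_ENTRY, OTHER_ENTRY]))
```

Running find_valid_entries(SAMPLE_TXT, ORDER_TIME, CSR, SHARED_KEY) returns only GOOD_ENTRY: the stale entry fails the window check and the other order's entry fails the HMAC comparison.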