Demonstrate control over your domain with HTTP Practical Demonstration

Follow these instructions to check the status of your SSL certificate order and use the HTTP Practical Demonstration DCV method to demonstrate control over a domain on the order.

Note: Submitting domains for validation during the order process means certificates will not be issued until domain validation is completed. For immediate certificate issuance, submit domains for pre-validation when possible. See Domain Pre-Validation: Use the HTTP Practical Demonstration DCV Method.

This validation method allows you to demonstrate control over your domain by hosting a .txt file containing a randomly generated token value at a predetermined location on your website. Once the file is created and placed on your site, DigiCert visits the specified URL to confirm the presence of your verification token. Make sure to avoid some of the more Common Mistakes.

For information about other supported domain validation DCV methods for pending orders in CertCentral, see Domain Validation (Pending Order): Domain Control Validation (DCV) Methods.

Step 1: Check the Status of Your Pending Order

After you've ordered an SSL certificate, you can visit the certificate's Order # details page to see its validation status. You can also see if the order is waiting on domain or organization validation to be completed before it can be issued.

  1. In your CertCentral account, in the sidebar menu, click Certificates > Orders.

    CertCentral Orders

  2. On the Orders page, use the filters and advanced search features to locate the pending certificate order you want to view.

    CertCentral Orders

  3. In the Order # column of the certificate order, click the order number link.

  4. On the Order # details page, under Validation in Progress, you can check the order's validation status (e.g., is the order waiting on domain or organization validation to be completed?).

    Note: After validation is completed (domains and organization), the Validation in Progress section no longer appears on the Order # details page.

    CertCentral Orders

Step II: Use HTTP Practical Demonstration to Demonstrate Control Over the Domain

  1. On the Order # details page, in the Validation in Progresssection, under You Need To, locate the domain pending validation and click the domain link.

    Note: When you have multiple domains (SANs) on your order, each one will be listed. Those with a checkmark next to them are validated. Those with a clock icon next to them are pending validation.

    CertCentral Orders

  2. In the Prove Control Over Domain window, in the DCV Method drop-down list, select HTTP Practical Demonstration.

    CertCentral Orders

  3. Create Your .txt File:

    1. In the Token, copy your unique token.

      To copy the value to your clipboard, single click in the text field.

      Note: The unique token expires after thirty days. To generate a new token, click the Generate a New Token link.

    2. Open a text editor (such as Notepad) and paste in your unique Token.

    3. In HTTP practical demonstration URL, the string after pki-validation/ is the name of your .txt file.

      For example, if your HTTP practical demonstration URL is http://example.com/.well-known/pki-validation/c7e2ff0c848e4707594066cc860.txt, then, your file name is c7e2ff0c848e4707594066cc860.txt

    4. Save the .txt file from under this name (for example, c7e2ff0c848e4707594066cc860.txt).

  4. Create the .well-known/pki-validation/ Directory:

    Create the .well-known/pki-validation/ directory on your site and place your .txt file in it.

    Note: On Windows-based servers, the .well-known folder must be created via command line (mkdir .well-known).

  5. Verify the HTTP Token:

    1. In your CertCentral account, in the sidebar menu, click Certificates > Orders.

    2. On the Orders page, in the Order # column of the certificate order, click the order number link.

    3. On the Order # details page, in the Validation in Progresssection, under You Need To, locate the domain and click the domain link.

    4. In the Prove Control Over Domain window, under 2. Check for Token, click Check.

  6. Troubleshooting Tips:

    1. Verify the URL matches exactly

      1. Make sure that the URL for your web page matches the DigiCert provided URL.

        http://YourDomain.com,.well-known/pki-validation/[filename].txt

      2. Where YourDomain.com matches the domain that you are validating and [filename].txt matches the unique hash provided by DigiCert (for example, c7e2ff0c848e4707594066cc860.txt).

        Important: If you are missing a period, a number, or a letter, validation cannot be completed.

        CertCentral Domains

Common Mistakes

To validate your domain using the HTTP Practical Demonstration DCV method, DigiCert provides you with a URL and a token value. The URL does two things:

  • It contains the FQDN (fully qualified domain name) of the domain you want us to validate.

  • It tells us where to look so that we can find the verificationtoken.txt you add the generated random value to.

Below are some of the more common issues we run into when troubleshooting the reason HTTP Practical Demonstration checks fail. The HTTP Practical Demonstration DCV process was designed to keep an unauthorized individual from using a domain they do control to validate and get a certificate for a domain they don't control, such as one of yours.

Don't Modify the URL Provided

If you modify the URL in any way (change to the FQDN, capitalize a lowercase letter, forget to add a period, etc.), we won't find the verificationtoken.txt file with our generated random value in it.

For example, if we provide you with this URL: [http://yourdomain.com]/.well-known/pki-validation/verificationtoken.txt, don't add www ([http://www.yourdomain.com]/.well-known/pki-validation/verificationtoken.txt) or capitalize a letter that wasn't capitalized in the original URL ([http://yourdomain.com]/.well-known/PKI-validation/verificationtoken.txt).

Don't Place the verificationtoken.txt File on a Different Domain or Subdomain

To complete domain control validation for yourdomain.com, place the verificationtoken.txt file on the exact domain you want validated; the one we generate the URL for. We won't look at a different domain or subdomain to find our random token. We only look at the domain you want validated (such as the domain on your certificate order).

For example, if you need yourdomain.com validated so that you can request SSL/TLS certificates for it, we generate a URL for this domain - [http://yourdomain.com]/.well-known/pki-validation/verificationtoken.txt. Don't place the verificationtoken.txt file on sub.yourdomain.com or modify the URL and place it on yourotherdomain.com - it won't work. We can't find the verificationtoken.txt file on these domains - only on yourdomain.com.

yourdomain.com and www.yourdomain.com

If you want us to validate www.yourdomain.com and yourdomain.com, place the verificationtoken.txt file on yourdomain.com. This validates both yourdomain.com and www.yourdomain.com. We won't look at www.yourdomain.com to find the verificationtoken.txt file.

Free Base Domain SAN

If you received a free base domain SAN on your SSL certificate, make sure to place the verificationtoken.txt file on the base domain. We need to validate the domain on the SSL certificate order.

Don't Include Any Additional Content in the verificationtoken.txt File

When you create the verificationtoken.txt file, copy the DigiCert provided token value and paste it in the file. Don't add the word "token" or any other text.

Because we only read the first 2kb of the verificationtoken.txt file, additional text blocks us from validating your control over the domain.

Don't Place the verificationtoken.txt File on a Page with Multiple Redirects

When using the HTTP Practical Demonstration method for domain validation, the verificationtoken.txt file may be placed on a page that contains up to one redirect. With a single redirect, we are still able to locate the verificationtoken.txt file and verify your control over the domain.

For example, you need a certificate for http://example.com, but the page redirects to https://www.example.com. That's okay. You can place the verificationtoken.txt file on the http://example.com page. We will still be able to follow the single redirect to validate your control over http://example.com.

However, if you place the verificationtoken.txt file on a page with multiple redirects, we won't be able to locate the file. Multiple redirects block us from locating the verificationtoken.txt file and validating your control over the domain.

For example, you need a certificate for http://multiple-redirect.com, but the page redirects to https://www.multiple-redirect.com and then redirects again to https://www.single-redirect.com. In this case, you must still place the verificationtoken.txt file on the http://multiple-redirect.com page. However, you will need to disable the second redirect (https://www.single-redirect.com) long enough for us to locate the verificationtoken.txt and validate your control over http://multiple-redirect.com.