Demonstrate control over your domain with HTTP Practical Demonstration

Follow these instructions to add and authorize a domain for SSL/TLS certificates. Then, use the HTTP Practical Demonstration DCV method to demonstrate control over the domain in your CertCentral account.

Note: When domain validation can't be done ahead of time, see Domain Validation (Pending Order): Use the HTTP Practical Demonstration DCV Method.

This validation method allows you to demonstrate control over your domain by hosting a .txt file containing a randomly generated token value at a predetermined location on your website. Once the file is created and placed on your site, DigiCert visits the specified URL to confirm the presence of your verification token. Before you submit, review the Common Mistakes section below; most failed checks come from a modified URL, extra content in the file, or redirects.

For information about other supported DCV methods in CertCentral, see Domain Pre-Validation: Domain Control Validation (DCV) Methods.

Step I: Add and Authorize a Domain for SSL/TLS Certificates

After you've ordered an SSL certificate, you can visit the certificate's Order # details page to see its validation status. You can also see if the order is waiting on domain or organization validation to be completed before it can be issued.

  1. In your CertCentral account, in the sidebar menu, click Certificates > Domains.


  2. On the Domains page, click New Domain.


  3. On the New Domain page, under Domain Details, enter the following domain information:

    1. *Domain Name

      In the box, enter the domain name for which the certificates will be requested (e.g., example.com).

    2. *Organization

      In the drop-down list, select the organization to which the domain is assigned.


  4. Under Validate This Domain For, check the validation types for which you want the domain validated:

    • OV – Normal Organization Validation

    • EV – Extended Organization Validation (EV)*

    Validation Note: Before you can submit a domain for OV and/or EV validation, you must first submit its organization for OV and/or EV validation.

    *In the EV Verified User drop-down list, select the account user you want to designate as the approver for EV certificate requests.

    Only an EV Verified User can approve Extended Validation (EV) Certificate requests. Note that only users with a job title and valid telephone number appear in the drop-down list.

    Note: The EV Verified User drop-down list box only appears if you checked EV - Extended Organization Validation (EV), and the organization that you selected earlier (step 3) has not been pre-authorized for EV-Extended Organization Validation (EV).


  5. Under *Domain Control Validation (DCV) Method, select HTTP Practical Demonstration.

    Note: The default DCV method is Verification Email.


  6. Click Submit for Validation.

Step II: Use HTTP Practical Demonstration to Demonstrate Control Over the Domain

  1. Create Your .txt File:

    1. Under User Actions, in the Your unique verification token box, copy your verification token.

      To copy the value to your clipboard, single click in the text field.

      Note: The unique verification token expires after thirty days. To generate a new token, click the Generate New Token link.

    2. Open a text editor (such as Notepad) and paste in Your unique verification token.

    3. In Your HTTP token URL, the string after pki-validation/ is the name of your .txt file.

      For example, if Your HTTP token URL is http://example.com/.well-known/pki-validation/c7e2ff0c848e4707594066cc860.txt, then, your file name is c7e2ff0c848e4707594066cc860.txt

    4. Save the .txt file under this name (for example, c7e2ff0c848e4707594066cc860.txt). The file must contain only the token value, with no label or other text.


  2. Create the .well-known/pki-validation/ Directory:

    Create the .well-known/pki-validation/ directory on your site and place your .txt file in it.

    Note: On Windows-based servers, the .well-known folder must be created via command line (mkdir .well-known).

  3. Verify the HTTP Token:

    1. In your CertCentral account, in the sidebar menu, click Certificates > Domains.

    2. On the Domains page, click the "Domain Name" link (e.g., example.com).

    3. On the "Domain Name" page (e.g., example.com), at the bottom of the page, click Check HTTP Token.

      When the check succeeds, CertCentral reports that your URL (web page) has been verified. If it fails, work through the Troubleshooting Tips below and the Common Mistakes section.

  4. Troubleshooting Tips:

    1. Verify the URL matches exactly

      1. Make sure that the URL for your web page matches the DigiCert-provided URL exactly:

        http://YourDomain.com/.well-known/pki-validation/[filename].txt

      2. Here YourDomain.com is the domain you are validating, and [filename].txt is the unique hash that DigiCert shows under Your HTTP token URL (for example, c7e2ff0c848e4707594066cc860.txt).

        Important: The comparison is exact. If a period, a number, or a letter is missing or the case differs, validation cannot be completed.


Common Mistakes

To validate your domain using the HTTP Practical Demonstration DCV method, DigiCert provides you with a URL and a token value. The URL does two things:

  • It contains the FQDN (fully qualified domain name) of the domain you want us to validate.

  • It tells us where to look so that we can find the .txt file you add the generated random value to. In the examples below this file is called verificationtoken.txt; on a real order its name is the hash shown in Your HTTP token URL (for example, c7e2ff0c848e4707594066cc860.txt).

Below are some of the more common issues we run into when troubleshooting why HTTP Practical Demonstration checks fail. The HTTP Practical Demonstration DCV process was designed to keep an unauthorized individual from using a domain they do control to validate, and obtain a certificate for, a domain they don't control, such as one of yours. That is why we check only the exact URL we gave you.

Don't Modify the URL Provided

If you modify the URL in any way (change to the FQDN, capitalize a lowercase letter, forget to add a period, etc.), we won't find the verificationtoken.txt file with our generated random value in it.

For example, if we provide you with this URL: http://yourdomain.com/.well-known/pki-validation/verificationtoken.txt, don't add www (http://www.yourdomain.com/.well-known/pki-validation/verificationtoken.txt) or capitalize a letter that wasn't capitalized in the original URL (http://yourdomain.com/.well-known/PKI-validation/verificationtoken.txt).

Don't Place the verificationtoken.txt File on a Different Domain or Subdomain

To complete domain control validation for yourdomain.com, place the verificationtoken.txt file on the exact domain you want validated; the one we generate the URL for. We won't look at a different domain or subdomain to find our random token. We only look at the domain you want validated (such as the domain on your certificate order).

For example, if you need yourdomain.com validated so that you can request SSL/TLS certificates for it, we generate a URL for this domain: http://yourdomain.com/.well-known/pki-validation/verificationtoken.txt. Don't place the verificationtoken.txt file on sub.yourdomain.com or modify the URL and place it on yourotherdomain.com; it won't work. We can't find the verificationtoken.txt file on these domains, only on yourdomain.com.

yourdomain.com and www.yourdomain.com

If you want us to validate www.yourdomain.com and yourdomain.com, place the verificationtoken.txt file on yourdomain.com. This validates both yourdomain.com and www.yourdomain.com. We won't look at www.yourdomain.com to find the verificationtoken.txt file.

Free Base Domain SAN

If you received a free base domain SAN on your SSL certificate, make sure to place the verificationtoken.txt file on the base domain. We need to validate the domain on the SSL certificate order.

Don't Include Any Additional Content in the verificationtoken.txt File

When you create the verificationtoken.txt file, copy the DigiCert provided token value and paste it in the file. Don't add the word "token" or any other text.

Because we only read the first 2 KB of the verificationtoken.txt file and expect it to contain nothing but the token, any additional text blocks us from validating your control over the domain.

Don't Place the verificationtoken.txt File on a Page with Multiple Redirects

When using the HTTP Practical Demonstration method for domain validation, the verificationtoken.txt file may be placed on a page that contains up to one redirect. With a single redirect, we are still able to locate the verificationtoken.txt file and verify your control over the domain.

For example, you need a certificate for http://example.com, but the page redirects to https://www.example.com. That's okay. You can place the verificationtoken.txt file on the http://example.com page. We will still be able to follow the single redirect to validate your control over http://example.com.

However, if you place the verificationtoken.txt file on a page with multiple redirects, we won't be able to locate the file. Multiple redirects block us from locating the verificationtoken.txt file and validating your control over the domain.

For example, you need a certificate for http://multiple-redirect.com, but the page redirects to https://www.multiple-redirect.com and then redirects again to https://www.single-redirect.com. In this case, you must still place the verificationtoken.txt file on the http://multiple-redirect.com page. However, you will need to disable the second redirect (to https://www.single-redirect.com) long enough for us to locate the verificationtoken.txt file and validate your control over http://multiple-redirect.com.
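The following shell script is an added example, not DigiCert's code, that ties Step II and the Common Mistakes above together: it derives the file name from Your HTTP token URL, creates .well-known/pki-validation/ under the web root and writes a file holding only the token, and then self-checks the file the way the validator does (exact URL path, first 2 KB only, nothing but the token, at most one redirect) before you click Check HTTP Token. The web root path, the token value and the use of curl are assumptions; the URL and file name follow the page's own example.

```shell
#!/usr/bin/env bash
# Added example (not DigiCert's code). Assumes WEBROOT is the directory your
# web server serves for the domain, URL and TOKEN are copied from CertCentral,
# and curl is installed for the remote check.
set -eu

# Derive the file name from the DigiCert-provided URL: the part after
# /.well-known/pki-validation/. The match is case-sensitive, so a URL that was
# edited (PKI-validation, extra path segments) is rejected, as the validator would.
token_filename() {
  url="$1"
  case "$url" in
    */.well-known/pki-validation/*.txt)
      printf '%s\n' "${url##*/.well-known/pki-validation/}" ;;
    *)
      echo "URL does not point under /.well-known/pki-validation/: $url" >&2
      return 1 ;;
  esac
}

# Create .well-known/pki-validation/ under the web root and write the token file.
# The file gets the bare token and nothing else: no "token" label, no newline.
# Prints the path of the file it wrote.
install_token() {
  webroot="$1"; url="$2"; token="$3"
  name=$(token_filename "$url") || return 1
  mkdir -p "$webroot/.well-known/pki-validation"
  printf '%s' "$token" > "$webroot/.well-known/pki-validation/$name"
  printf '%s\n' "$webroot/.well-known/pki-validation/$name"
}

# Compare a served body with the token the way the validator reads it: only the
# first 2 KB count, CR characters from Windows editors are tolerated, and the
# remainder must equal the token exactly (any extra text fails).
body_matches_token() {
  body=$(printf '%s' "$1" | head -c 2048 | tr -d '\r')
  [ "$body" = "$2" ]
}

# Check the file on disk before involving the web server at all.
check_local_token() {
  path="$1"; token="$2"
  [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
  body_matches_token "$(cat "$path")" "$token"
}

# Fetch the URL as the validator does: plain http://, following at most one
# redirect, and compare the body with the token. Needs network access.
check_remote_token() {
  url="$1"; token="$2"
  body=$(curl -sS -L --max-redirs 1 "$url") || return 1
  body_matches_token "$body" "$token"
}

# Usage (replace with your own web root, URL and token):
#   path=$(install_token /var/www/html \
#     "http://example.com/.well-known/pki-validation/c7e2ff0c848e4707594066cc860.txt" \
#     "YOUR_TOKEN")
#   check_local_token "$path" "YOUR_TOKEN"   && echo "file ok"
#   check_remote_token "http://example.com/.well-known/pki-validation/c7e2ff0c848e4707594066cc860.txt" \
#     "YOUR_TOKEN"                            && echo "served ok"
```

Run the local check first; if it passes but the remote check fails, the problem is the server (wrong web root, a rule blocking dot-directories, or a second redirect), not the file. Keep the redirect limit at 1, since that mirrors what the validator tolerates.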