
Just like with DV and EV SSL certificates, one of the crucial checks for an Organisation Validated (OV) SSL certificate is Domain Verification. This is where the Certificate Authority (CA) must verify that your organisation owns, or at least controls, the domain you are trying to secure.

How Do I Show Domain Ownership?

To satisfy the Domain Verification requirement you simply have to prove that your organisation owns or controls every domain name listed in your Certificate Signing Request (CSR) or order; the CA has to complete this check for each name that will appear on the certificate.

There are several ways to do this, but the CA will usually start by looking at your domain’s WHOIS record. WHOIS is the public registration database in which domain registrars publish the registrant and contact details for each domain. For this approach to work the WHOIS record must be publicly available: the CA will send a verification email to one of the contact addresses (registrant, administrative or technical) listed in it.

Since the GDPR came into effect, many registrars have closed their WHOIS lookups or fully redacted their clients’ information, although some registrars’ WHOIS data is still visible and in use. If the CA is able to locate an email address in the WHOIS record, it sends an email to that address. Once you have completed the steps listed in the email, you have satisfied this requirement.

The impact of GDPR on WHOIS is still being hotly debated, so until ICANN and the CA/Browser Forum settle on a workaround, there are several other ways to satisfy the Domain Verification requirement.


Proof of Right Email

The CA can also send the verification email to one of the five constructed addresses listed below. These addresses are fixed by the CA/Browser Forum’s Baseline Requirements, so a mailbox (or alias) at one of them must exist at the domain being validated and be readable by someone authorised to approve the order:

  • Admin@yourdomain.com
  • Administrator@yourdomain.com
  • Webmaster@yourdomain.com
  • Hostmaster@yourdomain.com
  • Postmaster@yourdomain.com



File-Based Authentication

The CA provides you with a text file that contains a unique value (or gives you the file name and the value to put in it). You need to create two nested folders under the publicly accessible document root of the web server for your domain, and place the text file inside the inner folder.

  • Folder #1: Must be named exactly “.well-known”
  • Folder #2: Must be created inside of Folder #1 and named exactly “pki-validation”

The goal of this validation method is that the CA’s system (and you, beforehand) can see the contents of your text file by navigating to the following URL:
http://yourdomain.com/.well-known/pki-validation/unique_filename.txt

Check the URL in a browser or with curl before requesting validation. A redirect, a 403 or 404 because the web server hides directories whose names start with a dot, or a catch-all route that returns an HTML page instead of the file will all cause the CA’s check to fail.
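As an added illustration (not part of the original guide), the Python script below does the two things this method needs: it places the CA-supplied file at the exact path under your web server’s document root, and it emulates the comparison the CA’s agent performs on the HTTP response, so you can test your server’s reply before asking the CA to validate. The domain, file name and file contents are constructed stand-ins; in practice you would pass the status code and body returned by curl or a browser to response_matches.

```python
"""Pre-flight helper for the .well-known/pki-validation file method."""
import tempfile
from pathlib import Path
from typing import Tuple
from urllib.parse import quote

# Both folder names are fixed by the method; on most web servers they are
# case-sensitive, so they are constants here rather than typed by hand.
WELL_KNOWN = ".well-known"
PKI_DIR = "pki-validation"


def place_validation_file(docroot: str, filename: str, contents: str) -> Path:
    """Create <docroot>/.well-known/pki-validation/<filename> holding the CA value."""
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise ValueError("the CA-supplied filename must be a bare file name")
    target_dir = Path(docroot) / WELL_KNOWN / PKI_DIR
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / filename
    # Write the bytes the CA supplied as-is: a text editor that adds a UTF-8
    # byte-order mark or changes line endings can break a byte-for-byte check.
    target.write_bytes(contents.encode("utf-8"))
    return target


def validation_url(domain: str, filename: str, scheme: str = "http") -> str:
    """The URL the CA's validation agent will request."""
    return f"{scheme}://{domain}/{WELL_KNOWN}/{PKI_DIR}/{quote(filename)}"


def response_matches(status: int, body: bytes, expected: str) -> Tuple[bool, str]:
    """Emulate the CA-side comparison on a captured HTTP response.

    Returns (ok, reason). Failures seen in practice: a redirect or a 403/404
    because the web server hides dot-directories, a catch-all route that
    returns 200 with an HTML page instead of the file, or a UTF-8 BOM.
    """
    if status != 200:
        return False, f"expected HTTP 200, got {status}"
    text = body.decode("utf-8", errors="replace")
    if text.startswith("\ufeff"):
        return False, "file starts with a UTF-8 byte-order mark"
    if text.strip() != expected.strip():
        if "<html" in text.lower():
            return False, "server returned an HTML page, not the validation file"
        return False, "file contents do not match the CA-supplied value"
    return True, "ok"


def demo() -> dict:
    """Run the helper against a throw-away document root with constructed values."""
    # Constructed stand-ins for the file name and contents a CA would supply.
    filename = "A1B2C3D4E5F6.txt"
    contents = "9f3a6c1e0b7d4a2f8e5c3b1d6a9f0e2c\ncomodoca.com\n"
    docroot = tempfile.mkdtemp(prefix="docroot-")
    path = place_validation_file(docroot, filename, contents)
    served = path.read_bytes()  # what a correctly configured server returns
    return {
        "path_ok": path == Path(docroot) / WELL_KNOWN / PKI_DIR / filename,
        "url": validation_url("yourdomain.com", filename),
        "good": response_matches(200, served, contents),
        "html_catch_all": response_matches(200, b"<html><body>Home</body></html>", contents),
        "hidden_dotdir": response_matches(403, b"Forbidden", contents),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filename check rejects anything containing a path separator so that a pasted value can never escape the pki-validation folder; the whitespace-tolerant comparison mirrors the fact that a trailing newline added by an editor is usually harmless, whereas a BOM or an HTML body is not.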



DNS CNAME-Based Authentication (Comodo)

Comodo will provide you with two unique hash values that make up your CNAME record. You must use the following format:

  • Hostname Value: unique_value_1.yourdomain.com
  • Points To Value: unique_value_2.comodoca.com

Most DNS control panels append your domain automatically to whatever you type in the hostname field. In that case enter only unique_value_1 there; otherwise the record is created as unique_value_1.yourdomain.com.yourdomain.com and the CA’s lookup fails. After saving the record, confirm it with a lookup such as dig CNAME unique_value_1.yourdomain.com before telling the CA to check.




DNS TXT-Based Authentication (GeoTrust/Thawte/RapidSSL/DigiCert)

The CA provides you with a unique value that you enter in your DNS settings as a TXT record for the domain. The TXT record must use the following format:

  • Host Name Value: leave it blank or enter the @ symbol; both mean the zone apex, i.e. the bare yourdomain.com.
  • TXT Value: the unique value exactly as given by the CA. It is compared as a string, so case matters, and it should be pasted without surrounding quotes unless your DNS panel requires them.

Existing TXT records at the apex (for example SPF) can stay in place; the CA looks for one record whose value matches.
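The following Python helper is an added example, not part of the original guide, and covers both the CNAME method above and this TXT method. From the values the CA supplies it produces the zone-file lines to create, flags the most common data-entry mistake (a DNS panel that silently appends your domain to the host you typed, creating unique_value_1.yourdomain.com.yourdomain.com), and compares the answer your resolver returns with what the CA expects, normalising case and trailing dots as DNS does. All hash values, the domain and the observed answers are constructed; comodoca.com is the target zone named in the CNAME section, and a real check would take its observed values from the output of dig CNAME <host> and dig TXT <domain>.

```python
"""Build and check the DNS records used for CNAME- and TXT-based validation."""
from typing import List, Tuple


def fqdn(name: str) -> str:
    """Canonical form of a DNS name: lower-case with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def cname_record(domain: str, unique_value_1: str, unique_value_2: str,
                 ca_zone: str = "comodoca.com") -> Tuple[str, str]:
    """(owner, target) of the CNAME the CA expects, both fully qualified."""
    return fqdn(f"{unique_value_1}.{domain}"), fqdn(f"{unique_value_2}.{ca_zone}")


def zone_lines(domain: str, unique_value_1: str, unique_value_2: str,
               txt_value: str, ca_zone: str = "comodoca.com") -> List[str]:
    """Zone-file lines for both records; the TXT record sits at the apex ('@')."""
    owner, target = cname_record(domain, unique_value_1, unique_value_2, ca_zone)
    return [
        f"{owner} 3600 IN CNAME {target}",
        f'{fqdn(domain)} 3600 IN TXT "{txt_value}"',
    ]


def check_cname_answer(domain: str, unique_value_1: str, unique_value_2: str,
                       observed_owner: str, observed_target: str,
                       ca_zone: str = "comodoca.com") -> Tuple[bool, str]:
    """Compare the CNAME your resolver returns with what the CA expects.

    Names are compared case-insensitively and with trailing dots normalised,
    which is how DNS itself compares owner names and targets.
    """
    exp_owner, exp_target = cname_record(domain, unique_value_1, unique_value_2, ca_zone)
    got_owner, got_target = fqdn(observed_owner), fqdn(observed_target)
    apex = fqdn(domain)
    # A panel that auto-appends the zone produces host.domain.tld.domain.tld.
    if got_owner.endswith("." + apex.rstrip(".") + "." + apex):
        return False, ("your DNS panel appended the domain to the hostname; enter only "
                       f"{unique_value_1} in the host field")
    if got_owner != exp_owner:
        return False, f"record exists at {got_owner}, expected {exp_owner}"
    if got_target != exp_target:
        return False, f"CNAME points to {got_target}, expected {exp_target}"
    return True, "ok"


def check_txt_answer(domain: str, expected: str, observed: List[str]) -> Tuple[bool, str]:
    """Compare the TXT strings returned for the apex with the CA's value.

    `observed` is every TXT rdata string at the apex (SPF, site-verification
    tokens and so on can coexist); the CA needs one exact, case-sensitive match.
    """
    values = [s.strip().strip('"') for s in observed]
    if expected in values:
        return True, "ok"
    for value in values:
        if value.lower() == expected.lower():
            return False, f"found {value!r} but TXT values are case-sensitive; expected {expected!r}"
    return False, (f"no TXT record at {fqdn(domain)} carries {expected!r} "
                   "(not created, or not yet propagated)")


if __name__ == "__main__":
    # Constructed stand-ins for the values a CA would hand you.
    for line in zone_lines("yourdomain.com", "a1b2c3d4", "e5f6a7b8", "tok-9c0d1e2f"):
        print(line)
    print(check_cname_answer("yourdomain.com", "a1b2c3d4", "e5f6a7b8",
                             "a1b2c3d4.yourdomain.com.yourdomain.com.",
                             "e5f6a7b8.comodoca.com."))
```

Feed check_cname_answer the owner and target exactly as dig prints them (trailing dots included) and check_txt_answer the list of quoted strings from the TXT answer section; a negative result with the "appended" reason means the record has to be re-entered in the panel with the bare unique value as the host.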




Legal Opinion Letter

As with most other OV requirements, a Legal Opinion Letter (also known as a Professional Opinion Letter or POL) signed by an attorney or accountant has traditionally been accepted by CAs as proof of domain ownership. Check with your CA before relying on it: the CA/Browser Forum’s Baseline Requirements removed this kind of document as a stand-alone domain validation method in 2018, so many CAs will still ask you to complete one of the email, file or DNS methods above.



Any one of these methods, where your CA accepts it, satisfies the Domain Verification requirement; you only need to complete one method per domain name on the order.


Author: Paul Baka