Domain Control Validation (DCV) Methods & How to Choose
Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates are the gold standard in securing online data exchange. But how can you be sure that the website you share your sensitive information with is indeed what it claims to be?
You can trust digital certificates issued by reputable Certificate Authorities (CAs) because they go through a domain control validation (DCV) process, which verifies the legitimacy of the entity requesting the SSL/TLS certificate and the ownership of the domain for which the certificate is issued.
This article reviews what DCV is, the most common DCV methods, and how to choose an appropriate method for your certificate application.
What is domain control validation?
CAs perform domain control validation before issuing an SSL/TLS certificate to confirm the entity requesting the certificate is authorized to use the domain in question. The process ensures the party applying for the certificate has the right to secure that domain with the SSL/TLS certificate.
DCV is a critical step in SSL/TLS certificate issuance. The process helps:
- Prevent fraudulent certificate issuance by ensuring CAs only issue digital certificates to legitimate domain owners, establishing trust and security on the internet.
- Verify domain ownership to prevent bad actors from obtaining SSL / TLS certificates for domains they don't own.
- Protect against phishing and man-in-the-middle attacks by preventing criminals from mimicking trusted websites and tricking users into entering sensitive information.
- Ensure data confidentiality and integrity with robust encryption algorithms to protect information transmitted between browsers and website servers.
- Protect online reputation by showing the organization with the SSL / TLS certificate takes security seriously.
The most common DCV methods
CAs use various DCV methods to verify domain ownership. These add flexibility to the process and accommodate different scenarios to ensure secure and reliable issuance of SSL/TLS certificates. Here are the most common:
Email-based validation
The CA sends an email to a predefined email address associated with the domain used to create the certificate signing request (CSR). The email address is typically generic, such as [email protected], [email protected], and [email protected]. The certificate applicant will log in to the account and follow the instructions in the email, such as responding with a validation code or clicking a link in the DCV email to verify it owns the domain.
Email-based validation works for all types of SSL/TLS certificates, including Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV). Domains with private registration may have to use alternative methods of domain control validation.
DNS-based validation
This method requires the certificate applicant to create a specific Domain Name System (DNS) TXT record in the domain's DNS zone file with content and information specified by the CA. Then, the CA's validation system checks the DNS records to verify domain control. DNS validation is typically suitable for DV and OV certificates. It is generally not used for EV certificates but is the preferred method for validating Wildcard TLS certificates.
HTTP-based validation
The certificate applicant uploads a text file with unique content from the CA to its web server's root directory or a location specified by the CA. Then, the CA's validation system makes an HTTP request to the URL to check for the file. HTTP-based validation is generally not used for Wildcard TLS certificates because the method doesn't provide sufficient evidence of control over all the subdomains a certificate may cover, leading to potential security risks.
WHOIS-based validation
When applying for an SSL/TLS certificate, the applicant provides information about the domain (e.g., the owner's name and contact details). The CA queries the WHOIS database and compares the information with the data provided in the certificate application. If the information matches, the CA considers the validation successful.
This validation method is typically used for DV certificates. However, it's less common for OV and rarely used for EV certificates, which require more rigorous verification processes. If your domain uses WHOIS privacy protection services, you may not be able to use this DCV method.
How to choose the appropriate DCV method
Here are the factors to consider when choosing the right DCV method for your SSL/TLS certificate application:
- Domain type. Most DCV methods are suitable for single-domain TLS certificates. For multi-domain ones, you may use a different DCV method for each listed domain. Meanwhile, Wildcard certificates typically use DNS-based validation.
- Domain configuration. DNS-based validation is a convenient option if you can easily access your DNS records. It also allows for centralized control and efficient validation. The HTTP method is popular among entities with complete control over the web server hosting the domain.
- Trust level. DNS- and HTTP-based validation offer the highest level of trust and security because they require control over domain records or web server content. They're most suitable for EV certificates.
- Certificate type. DV certificates may use email-, DNS-, or HTTP-based validation. OV and EV certificates require more rigorous validation, combining other verification methods with DCV.
Also, consider your use case to determine the best DCV method. For personal, non-commercial, or standard business websites, DV certificates with email- or DNS-based validation provide adequate security. E-commerce sites may require a higher level of trust and security provided by OV or EV certificates, which require more rigorous validation.
How does the DCV process work?
First, select a DCV method according to your domain type, configuration, and validation preferences. Then, identify a trusted CA from which to purchase your TLS certificate. After you've purchased the certificate, follow the instructions provided by the CA to verify your domain (e.g., clicking the email validation link or creating the DNS TXT record).
Here's how to avoid some common issues during the process:
- Monitor the email addresses used for email validation to avoid delays.
- Plan for potential DNS propagation delays in your implementation timeline.
- Verify you've uploaded a text file with the right content to the correct directory for HTTP-based validation.
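The pre-flight checks below are an added example, not code from this article or from any CA: they flag nameservers that are not yet serving the TXT value and a validation file that would not be read back as expected. The token, URL, path, and nameserver names are constructed, and the exact-match rule for the file body is an assumption; use whatever your CA specifies.

```python
import shlex
import urllib.error
import urllib.request

def txt_value(rdata):
    """Join the quoted strings of one TXT answer as `dig +short` prints it."""
    return "".join(shlex.split(rdata))

def lagging_nameservers(answers_by_ns, token):
    """Return the nameservers whose TXT answers do not yet contain the token."""
    return sorted(ns for ns, rdatas in answers_by_ns.items()
                  if token not in {txt_value(r) for r in rdatas})

def fetch(url):
    """Fetch the validation URL; returns (status, final_url, content_type, body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.geturl(), r.headers.get("Content-Type", ""), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.geturl(), e.headers.get("Content-Type", ""), e.read()

def http_problems(expected_url, token, response):
    """List problems worth fixing before asking the CA to run its HTTP check."""
    status, final_url, content_type, body = response
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if final_url != expected_url:
        problems.append(f"redirected to {final_url}")
    if "html" in content_type.lower():
        problems.append("served as HTML; a catch-all page may be answering")
    if body.decode("utf-8", "replace").strip() != token:
        problems.append("file content does not match the CA token")
    return problems

# Constructed sample data (not real CA values).
TOKEN = "example-dcv-token-3f9a"
URL = "http://shop.example.com/dcv/validation.txt"
DNS_ANSWERS = {
    "ns1.example.net": ['"v=spf1 -all"', '"example-dcv-" "token-3f9a"'],
    "ns2.example.net": ['"v=spf1 -all"'],  # has not picked up the new record yet
}
GOOD = (200, URL, "text/plain", b"example-dcv-token-3f9a\n")
CATCH_ALL = (200, URL, "text/html; charset=utf-8", b"<!doctype html><title>Shop</title>")

if __name__ == "__main__":
    print("lagging:", lagging_nameservers(DNS_ANSWERS, TOKEN))
    print("good file:", http_problems(URL, TOKEN, GOOD))
    print("catch-all:", http_problems(URL, TOKEN, CATCH_ALL))
```

For a live check, pass `fetch(URL)` as the response and feed `lagging_nameservers` the TXT answers collected from each authoritative nameserver.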
After the CA completes DCV, it will issue the SSL / TLS certificate. Follow the instructions provided by the CA to install the certificate on your web server. Track all certificates and monitor their expiration dates to ensure timely renewal and prevent outages or service disruptions.
Streamline your certificate lifecycle management and DCV process
DCV is an essential step in SSL / TLS certificate issuance to ensure applicants are authorized to use domains. The process establishes trust and security for online data exchange, making secure online communications and transactions possible.
However, managing the DCV process in an enterprise environment with thousands of digital certificates is time-consuming, labor-intensive, and error-prone. Besides purchasing your SSL/TLS certificates from a reputable CA, automate Certificate Lifecycle Management with a robust platform, such as the Sectigo Certificate Manager, to minimize errors and delays in the validation process.