Step 3: Verifying the Domain Ownership

After you submit a certificate application and request approval from the CA, you need to work with the CA to verify that you own the associated domain name. Once you complete the verification and the CA approves it, the status of your certificate changes.

If you do not complete the domain ownership verification, your certificate will remain in the Pending domain name verification state.

You can verify your domain ownership by any of the following methods (DNS, file, or email):

Figure 1 Domain ownership verification

Prerequisites

  • The domain name has been licensed. Domain name verification fails if the domain name has not been licensed, so obtain the license first.
  • Verification by file: You have obtained the account and password for logging in to the server.
  • Verification by email: You have obtained the account and password for logging in to the domain name administrator's mailbox. For details, see How Do I Query and Verify the Email Address of the Domain Administrator?
  • Verification by DNS: You have obtained an account and password for the management console of your DNS provider.
  • The certificate must be in the Pending domain name verification state.

Constraints

  • For IP address SSL certificates, only file verification is available.
  • For DV and basic DV certificates (GeoTrust entry-level SSL certificates and DigiCert free SSL certificates), only DNS verification is supported.
  • Manual DNS verification can be performed only on your domain name management platform by following the instructions provided by the domain name service provider.

Automatic DNS Verification

You are required to verify domain ownership on the platform hosting your domain name by resolving a specific DNS record.

Automatic DNS verification: The system automatically adds DNS records for verification.

The system performs automatic DNS verification in the following scenarios:

  • You have purchased an OV, OV Pro, EV, or EV Pro certificate (all of the following conditions must be met).
    • Single-domain certificates
    • Domain names you apply for on HUAWEI CLOUD
    • Domain names that have been resolved by HUAWEI CLOUD DNS
    • Automatic DNS verification selected for Domain Name Verification Method when you apply for a certificate
  • You have purchased the DV or basic DV certificates (all of the following conditions must be met).
    • Single-domain certificates
    • Domain names you apply for on HUAWEI CLOUD
    • Domain names that have been resolved by HUAWEI CLOUD DNS

Please wait for the system to perform automatic DNS verification. After the DNS verification is complete, the CA needs to review the DNS verification information within two to three working days. After the DNS verification information is approved, the certificate enters the next state.

Manual DNS Verification

You are required to verify domain ownership on the platform hosting your domain name by resolving a specific DNS record.

This section describes how to host your domain names on HUAWEI CLOUD DNS and complete DNS verification. Refer to this section if you manage your domain name on HUAWEI CLOUD.

  • You need to modify DNS records on your domain management platform for the DNS record to take effect.
  • If your domain name is hosted on other platforms, such as www.net.cn, www.xinnet.com, and www.dnspod.cn, verify your domain name by either of the following methods:
    • Method 1: Go to the platform hosting your domain name and complete the DNS verification by following the resolution method required by the platform. For example, if the domain name is hosted on Alibaba Cloud, perform related configurations on the DNS console of Alibaba Cloud.
    • Method 2: Use HUAWEI CLOUD Domain Name Service (DNS) to host your domain name, and then perform the verification by following the instructions in this topic.

    We recommend the second method so that you can complete verification quickly and get your certificate issued faster.

  • If you purchase a multi-domain certificate and select verification by DNS, you need to perform verification by DNS separately for each domain name.

(Optional) Step 1: Hosting Domain Name on HUAWEI CLOUD DNS

If your domain names are not hosted on HUAWEI CLOUD, decide whether you want to migrate them to HUAWEI CLOUD DNS. If you do, host the domain name on HUAWEI CLOUD DNS before continuing.

If your domain name has been managed on HUAWEI CLOUD, skip this step.

Step 2: Obtaining the Host Record and Record Value of the Domain Name

  1. Log in to the management console.
  2. Go to the domain name verification page by following the steps in Figure 2.
    Figure 2 Navigation path for accessing the domain name verification page
  3. On the Verify Domain Name page, view the content for Host Record, Record Type, and Record Value. Figure 3 shows an example.
    If Host Record, Record Type, and Record Value are not displayed, log in to the mailbox you provided during certificate application to view them.
    Figure 3 Viewing a host record

Step 3: Verifying Domain Ownership Using HUAWEI CLOUD DNS

As an example, the following shows how to add a TXT record 2019030700000022ams1xbyevdn4jvahact9xzpicb565k9443mryw2qe99mbzpb for domain name domain3.com. The procedure to verify domain ownership by DNS is similar.

  1. Log in to the management console.
  2. Choose Domain Name Service under Network to go to the Domain Name Service page.
  3. In the navigation pane on the left, choose DNS Resolution > Public Zones. Then click the desired domain name in the list.
  4. In the domain name list on the Public Zones page, click the added domain name (or the primary domain name for a multi-domain certificate) to go to the record set page.
  5. In the upper right corner of the page, click Add Record Set. Figure 4 shows an example.

    If there is a TXT record of domain name domain3.com in the domain name list, click Modify in the Operation column. Modify the record in the displayed Modify Record Set dialog box.

    Figure 4 Adding a record set
    • Name: Enter the prefix of the host record returned by the domain name service provider on the domain name verification page.

      The returned host record varies depending on the domain name service provider. The following are two examples:

      • If the host record returned by the domain name service provider is _dnsauth.domain3.com, set Name to _dnsauth.
      • If the host record returned by the domain name service provider is domain3.com, leave Name empty.
    • Type: Select TXT – Specify text records.
    • Line: Select Default.
    • TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
    • Value: Enter the record value returned by the domain name service provider on the domain ownership verification page.

      Enclose the record value in double quotation marks before pasting it in the text box.

    • Keep other settings unchanged.
  6. Click OK.
    If the status of the record set is Normal, the record set is added successfully.
    • DNS configuration records can be deleted only after the certificate is issued or revoked.
    • Check whether the DNS record is correctly configured. If not, the certificate cannot be issued.
  7. After the verification is complete, additional time is required for the CA to verify your domain name. During this period, the certificate is in the Pending domain name verification state.

    The certificate enters the Pending organization verification state only after the CA has confirmed your domain ownership.

Checking Whether Domain Name Verification Takes Effect

  1. On a Windows PC, click Start, enter cmd, and press Enter to open the command prompt.
  2. Run the following command in the command prompt to check whether the domain name ownership verification configuration has taken effect:

    nslookup -q=TXT xxx

    xxx indicates the Host Record value returned by the domain name service provider, for example, _dnsauth.domain3.com.

    • If the record value in the command output (the text value) is the same as the one returned by the domain name service provider, the domain name ownership verification configuration has taken effect. Figure 5 shows an example.
      Figure 5 Effective configuration of domain name ownership verification
    • If the command output does not contain a TXT record and Non-existent domain is displayed, the configuration does not take effect.
      Figure 6 Non-effective domain name verification configuration
      If the configuration of domain name ownership verification does not take effect, rectify the fault based on the following possible causes until the verification takes effect:
      • The configuration takes a long time to take effect.

        Check whether the effective time (TTL) is too long. It is recommended that you set the TTL to 5 minutes. The default value varies depending on the DNS service provider. In HUAWEI CLOUD DNS, the default value is 5 minutes, so the configuration takes effect within 5 minutes by default.

      • The record configuration is incorrect.
        Check whether the Name or Type is correct.

        Check whether your DNS provider accepts a full domain name in the Name field. If not, remove the root domain suffix (for example, enter _dnsauth instead of _dnsauth.domain3.com).
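The nslookup check above can be automated. The following script is an added example (not from the original page or HUAWEI CLOUD); it classifies the output of nslookup -q=TXT into "effective", "host record does not exist", and "value mismatch", using the host record _dnsauth.domain3.com and the record value shown earlier as constructed sample input. It handles both the Linux one-line output (text = "...") and the Windows output where the value appears on its own line.

```shell
#!/bin/sh
# Added example: classify 'nslookup -q=TXT <host record>' output.
# Return codes: 0 = expected value found, 2 = host record does not exist,
# 1 = a TXT record exists but does not match (or no TXT record at all).

classify_txt_output() {
  # $1: expected record value; stdin: raw nslookup output
  expected="$1"
  output=$(cat)
  # Windows prints "Non-existent domain", Linux prints "NXDOMAIN".
  if printf '%s\n' "$output" | grep -qiE 'Non-existent domain|NXDOMAIN'; then
    echo "not effective: host record does not exist (check Name and Type)"
    return 2
  fi
  # Pull every double-quoted string out of the answer; TXT values are quoted
  # on both platforms, even when Windows puts the value on the next line.
  values=$(printf '%s\n' "$output" | grep -o '"[^"]*"' | tr -d '"')
  for v in $values; do
    if [ "$v" = "$expected" ]; then
      echo "effective: TXT value matches the record value"
      return 0
    fi
  done
  echo "not effective: TXT value missing or different (TTL may not have expired)"
  return 1
}

check_host_record() {
  # $1: host record, e.g. _dnsauth.domain3.com; $2: expected record value
  nslookup -q=TXT "$1" 2>&1 | classify_txt_output "$2"
}

# Usage: sh check_txt.sh _dnsauth.domain3.com <record value>
if [ "$#" -ge 2 ]; then
  check_host_record "$1" "$2"
fi
```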

Verification by File

Verification by file means verifying the domain name ownership by creating a specified file on the server.

After the CA approves your application, you need to verify your domain ownership as described in the order details; otherwise, your certificate remains in the Pending domain name verification state and is not approved.

If you purchase a multi-domain certificate and select verification by file, you need to verify each domain separately by file.

Verification by file is usually performed by your server administrator. This section describes how to verify domain ownership by file.

  1. Log in to the management console.
  2. Go to the domain name verification page.

    Figure 7 Navigation path for accessing the domain name verification page

  3. View the Record Value on the Verify Domain Name page, or log in to the email you provided during certificate application, and find the Record Value.

    Figure 8 Verification by file

  4. Log in to your server.
  5. Create the specified file in the root directory of the website.

    The root directory of the website is the folder on the server where the website programs are stored. Common root directory names include wwwroot, htdocs, public_html, and webroot. Perform the operations as required for your server.

    Example:

    The following uses website root directory /www/htdocs as an example:

    1. Create the .well-known/pki-validation subdirectory in the root directory of the website.

      In this case, create the subdirectory in the /www/htdocs directory.

    2. Create the whois.txt file in the .well-known/pki-validation subdirectory.
    3. Place the record value obtained in step 3 in the whois.txt file.

  6. Check whether the configuration has taken effect.

    1. Open a browser and access the URL address: https://your domain/.well-known/pki-validation/whois.txt or http://your domain/.well-known/pki-validation/whois.txt.

      Replace your domain in the URL address with the domain name bound during certificate application.

      • If your domain name is a common (non-wildcard) domain name, perform the following operations:

        For example, if your domain name is example.domain.com, the access URL address is https://example.domain.com/.well-known/pki-validation/whois.txt or http://example.domain.com/.well-known/pki-validation/whois.txt.

        For a domain name starting with www, for example, www.domain.com, perform the following operations:

        1. Perform steps 1 to 6 to verify domain name www.domain.com by file and check whether the verification configuration has taken effect.
        2. Access the URL address https://domain.com/.well-known/pki-validation/whois.txt, and check the value displayed.

          The value displayed must be the same as the value obtained in step 3.

      • For a wildcard domain name, perform the following operations:

        For example, if your domain name is *.domain.com, the access URL address is https://domain.com/.well-known/pki-validation/whois.txt or http://domain.com/.well-known/pki-validation/whois.txt.

    2. Check whether the verification has taken effect.

      Check whether the verification URL address can be properly accessed in the browser and if the record value displayed on the page is the same as that on the order progress page or in the email.

      • If the record value matches the one obtained in step 3, the domain name verification configuration has taken effect.
      • If they are different, the configuration of domain name verification does not take effect.
        If the configuration does not take effect, check and handle the issue from the following aspects:
        • Check whether the verification URL is also served over HTTPS. If it is, re-access it over HTTPS in the browser. If the browser reports that the certificate is untrusted or shows incorrect content, temporarily disable the HTTPS service for the domain name.
        • Ensure that the verification URL can be accessed from anywhere. The detection servers of some CAs are located outside China, so check whether your site has mirror images outside China or uses a smart DNS service.
        • Check whether the verification URL address contains 301 or 302 redirection. If such redirection exists, cancel the related settings to disable the redirection.

          You can run wget -S followed by the verification URL to check whether the URL is redirected.

  7. After the verification is complete, additional time is required for the CA to verify your domain name. During this period, the certificate is in the Pending domain name verification state.

    If you have verified the domain name, the CA will take 2 to 3 working days to verify your information. The certificate enters the Pending organization verification state only after the CA has confirmed your domain ownership.
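The file placement and the checks in step 6 can be scripted. The following is an added example (not the page's or HUAWEI CLOUD's own script): it creates .well-known/pki-validation/whois.txt under the website root with the record value, and inspects a fetch of the verification URL for the 301/302 redirection and the value mismatch described above. The web root /www/htdocs and the domain domain3.com are the page's examples; the record value in the test is constructed.

```shell
#!/bin/sh
# Added example: place the file-verification record and check the fetch result.

place_validation_file() {
  # $1: website root directory (e.g. /www/htdocs)
  # $2: record value shown on the Verify Domain Name page or in the email
  dir="$1/.well-known/pki-validation"
  mkdir -p "$dir"
  # Write the value exactly as given: no surrounding quotes or whitespace.
  printf '%s\n' "$2" > "$dir/whois.txt"
  echo "$dir/whois.txt"
}

classify_fetch() {
  # $1: expected record value; $2: response headers as printed by 'wget -S'
  # (status line first); $3: response body.
  # Return codes: 0 = effective, 3 = redirected, 2 = value differs, 1 = other.
  expected="$1"; headers="$2"; body="$3"
  status=$(printf '%s\n' "$headers" | grep -m1 -oE 'HTTP/[0-9.]+ [0-9]{3}' | awk '{print $2}')
  case "$status" in
    301|302) echo "redirect ($status): disable redirection for the verification URL"; return 3 ;;
    200) ;;
    *) echo "unexpected status: ${status:-none}"; return 1 ;;
  esac
  # Ignore line endings; the browser shows the value without them.
  if [ "$(printf '%s' "$body" | tr -d '\r\n')" = "$expected" ]; then
    echo "effective: record value matches"; return 0
  fi
  echo "not effective: page content differs from the record value"; return 2
}

fetch_and_classify() {
  # $1: URL, e.g. http://domain3.com/.well-known/pki-validation/whois.txt
  # $2: expected record value
  # --max-redirect=0 makes wget report a 301/302 instead of following it.
  tmp=$(mktemp)
  headers=$(wget -S --max-redirect=0 -O "$tmp" "$1" 2>&1)
  classify_fetch "$2" "$headers" "$(cat "$tmp")"
  rc=$?; rm -f "$tmp"; return $rc
}

# Usage: sh check_file.sh <verification URL> <record value>
if [ "$#" -ge 2 ]; then
  fetch_and_classify "$1" "$2"
fi
```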

Verification by Email

After you apply for a certificate, the CA will send a confirmation email to your domain name administrator's email address. Perform the confirmation in the email as prompted. The certificate issuing will enter the next stage after the domain name is verified.

If you purchase a multi-domain certificate and select verification by email, and different email addresses are used, you need to perform verification by email for each domain name.

This section describes how to verify domain ownership by email.

  1. Log in to the mailbox of the domain name administrator.
  2. Open the domain name confirmation email from the CA.
  3. Click the confirmation link in the email to complete the domain name verification.

    After the verification is complete, additional time is required for the CA to verify your domain name. During this period, the certificate is in the Pending domain name verification state.

    If you have verified the domain name, the CA will take 2 to 3 working days to verify your information. The certificate enters the Pending organization verification state only after the CA has confirmed your domain ownership.

Follow-up Procedure

If you have applied for an OV, OV Pro, EV, or EV Pro certificate, once domain name verification is complete, the CA will send you an organization verification email. Then, the CA will contact you based on the verification mode you selected to check whether the enterprise or organization has initiated the certificate application. For details, see Step 4: Verifying the Organization.