Updated on 2023-03-01 GMT+08:00

Method 3: File Verification

CAs require that, when you apply for an SSL certificate, you prove that the domain name to be associated with the certificate belongs to you.

For file verification, you obtain the certificate verification file from the SCM console and create the specified file in the website root directory on the server. If the CA verifies that the file path can be accessed, the verification is successful.

If you select file verification when applying for a certificate, perform the operations described in this section.

Prerequisites

Port 80 or 443 is enabled on the server.

CAs send authentication requests only to port 80 or 443.

Step 1: Obtaining Verification Information

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. The service console is displayed.
  3. In the navigation pane on the left, choose SSL Certificate Manager. In the row containing the desired certificate, click Verify Domain Name in the Operation column. The Verify Domain Name page is displayed.
  4. On the Verify Domain Name page, view the Record Value.

    If the page is not displayed, check the mailbox you specified during certificate application to view the record value.

    Figure 1 File verification

Step 2: Creating the Required File

  1. Log in to your server and ensure that the domain name points to the server and the website is enabled.
  2. Create a file in the root directory of the website. You need to specify the file directory, file name, and content.

    The root directory of the website refers to the folder where the website programs are stored on the server. The root directory has the following names: wwwroot, htdocs, public_html, webroot, and more. Perform operations as required.

    The following uses Windows servers as an example. Assume that the root directory of the website is /www/htdocs.

    1. On the Windows menu, click Start and enter cmd to open the Command Prompt window.
    2. Run the following command to go to the disk where the root directory of the website is located. In this example, drive D is such a disk.

      d:

    3. Run the commands below to create the .well-known/pki-validation subdirectory in the root directory of the website.

      In this case, create the subdirectory in the /www/htdocs directory.

      cd /www/htdocs
      mkdir .well-known
      cd .well-known
      mkdir pki-validation
      cd pki-validation

    4. Run the command below to create the whois.txt file in the .well-known/pki-validation subdirectory.

      echo off>whois.txt

    5. Run the following command to open the whois.txt file:

      start whois.txt

    6. Paste the record value you obtained in step 4 of Step 1 into the whois.txt file and choose File > Save in the upper left corner.

Step 3: Checking Whether the Verification Configuration Takes Effect

  1. Open a browser and access the URL address: https://your domain/.well-known/pki-validation/whois.txt or http://your domain/.well-known/pki-validation/whois.txt.

    Replace your domain in the URL address with the domain name bound during certificate application.

    • If your domain name is a common domain name:

      For example, if your domain name is example.com, the access URL address is https://example.com/.well-known/pki-validation/whois.txt or http://example.com/.well-known/pki-validation/whois.txt.

    • If your domain name is a wildcard domain name:

      For example, if your domain name is *.domain.com, the access URL address is https://domain.com/.well-known/pki-validation/whois.txt or http://domain.com/.well-known/pki-validation/whois.txt.

  2. Check whether the verification URL address can be properly accessed in the browser and whether the record value displayed on the page is the same as that on the order progress page.

    • If the record value displayed on the page is the same as that displayed on the domain name verification page of the SCM console, the configuration of domain name verification has taken effect.
    • If they are different, the configuration of domain name verification has not taken effect.

  3. If the configuration does not take effect, check and handle the issue from the following aspects:

    • Check whether the verification URL address is also reachable over HTTPS. If yes, use HTTPS to access the URL address again in the browser. If the browser displays a message indicating that the certificate is untrusted or the displayed content is incorrect, disable the HTTPS service for the domain name temporarily.
    • Ensure that the verification URL address can be accessed from anywhere. Detection servers of some CAs are located outside China. Check whether your site has mirror sites outside China or whether a smart DNS service is used.
    • Check whether the verification URL address contains 301 or 302 redirection. If such redirection exists, cancel the related settings to disable the redirection.

      You can run wget -S followed by the verification URL address to check whether the verification URL address is redirected.
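
The checks in Step 3 can also be scripted. The following Python sketch is an added example, not part of the original procedure or of any SCM tooling: it builds both verification URLs (dropping the leading *. of a wildcard domain name), fetches each one without following redirects, and compares the body with the record value. The function names are assumptions made for this example.

```python
import urllib.error
import urllib.request

VALIDATION_PATH = "/.well-known/pki-validation/whois.txt"  # path used on this page


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 301/302 responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def validation_urls(domain):
    """Build the HTTPS and HTTP URLs; *.domain.com is checked at domain.com."""
    host = domain.strip().lower()
    if host.startswith("*."):
        host = host[2:]
    return [f"{scheme}://{host}{VALIDATION_PATH}" for scheme in ("https", "http")]


def probe(url, timeout=10):
    """Fetch url without following redirects; return (status, body, location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace"), None
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx end up here
        return err.code, "", err.headers.get("Location")
    except urllib.error.URLError as err:    # DNS, TCP or TLS failure
        return 0, str(err.reason), None


def assess(status, body, location, record_value):
    """Classify one probe result against the record value from the console."""
    if status == 0:
        return f"connection failed: {body}"
    if 300 <= status < 400:
        return f"redirect to {location}: remove the redirection"
    if status != 200:
        return f"HTTP {status}: file is not reachable"
    if body.strip() != record_value.strip():
        return "content mismatch: file does not contain the record value"
    return "ok"


def check(domain, record_value):
    """Probe both URLs for a domain and return {url: verdict}."""
    return {u: assess(*probe(u), record_value) for u in validation_urls(domain)}
```

Call check() with the domain name bound to the certificate and the record value from the Verify Domain Name page. Run it from a host outside your own network so that the result reflects what a CA's detection server would see.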