All Comodo certificates must pass through DCV (Domain Control Validation) verification before being issued. DCV is the mechanism used to confirm that you are the owner of a domain.
There are three options for passing the DCV check:
- Via email (traditional)
An email is sent to your domain's administrative contact. The email contains a unique validation code and a link. Follow the link and enter the code to confirm ownership of the domain. The following email addresses are considered valid:
Any email address that is visible when you look up the domain through the whois service, as well as addresses at your domain that begin with the following names:
admin@
administrator@
postmaster@
hostmaster@
webmaster@
- Method based on DNS CNAME
The CSR you sent to Comodo is hashed. The hash is sent to you, and you must enter it as a CNAME record in the DNS of your domain. The record must be specified in the following format:
<MD5 hash of CSR>.yourdomain.com. CNAME <SHA1 hash of CSR>.comodoca.com.
Note: Each domain name in the record must end with a period, as in the example.
Note 2: yourdomain.com in the example above (and below in the third method) means the domain that will be contained in the certificate. If you order a SAN or UCC certificate, a separate CNAME record must be created for each domain/subdomain.
For example:
<MD5 hash of CSR>.subdomain1.yourdomain.com. CNAME <SHA1 hash of CSR>.comodoca.com.
<MD5 hash of CSR>.subdomain2.yourdomain.com. CNAME <SHA1 hash of CSR>.comodoca.com.
- Method based on HTTP DCV
The CSR you sent to Comodo is hashed. You need to put this hash in a plain text file and place the file in the root of your site, where it can be accessed via HTTP, not HTTPS!
The file and its contents should look like this:
http://yourdomain.com/<MD5 hash of CSR, uppercase>.txt
Contents (in plain text file):
<SHA1 hash of CSR>
comodoca.com
Note: If you have a redirect from HTTP to HTTPS, the validation will pass, but no redirect may take longer than 5 seconds. The DCV validation will fail if any of the redirects takes longer than 5 seconds. The DCV check will also fail if the site is served over HTTPS with a self-signed certificate.
Additional information:
If you do not have the CSR hash, you can use the Online CSR Decoder.
Before pasting your CSR and clicking the Decode button, we recommend that you:
- Uncheck Show Empty Fields
- Check Show CSR Hashes
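The hashes can also be computed locally, without pasting the CSR into an online tool. The following is an added example, not Comodo's code: it builds the CNAME records and the HTTP validation file for each domain, as described in the second and third methods above. It assumes the hashes are taken over the DER (binary) form of the CSR; the sample CSR is a constructed placeholder, and `dcv_artifacts` is a hypothetical helper name.

```python
import base64
import hashlib
import re

# Constructed placeholder, NOT a real CSR: the base64 body decodes to b"abc"
# so the resulting hashes are easy to check by hand.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
YWJj
-----END CERTIFICATE REQUEST-----
"""

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def csr_pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and return the binary (DER) request."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE REQUEST block found")
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def dcv_artifacts(pem: str, domains: list[str]) -> dict:
    """Build the CNAME records and HTTP file described in methods 2 and 3."""
    der = csr_pem_to_der(pem)  # assumption: hashes cover the DER bytes
    md5 = hashlib.md5(der).hexdigest()
    sha1 = hashlib.sha1(der).hexdigest()
    records, urls = [], []
    for name in domains:
        fqdn = name.strip().rstrip(".").lower()
        if not fqdn or " " in fqdn:
            raise ValueError(f"bad domain name: {name!r}")
        # Every name in the record ends with a period, as the page notes.
        records.append(f"{md5}.{fqdn}. CNAME {sha1}.comodoca.com.")
        # File name uses the upper-case MD5 and is fetched over plain HTTP.
        urls.append(f"http://{fqdn}/{md5.upper()}.txt")
    return {"cname": records, "http_urls": urls,  # body: SHA1, then comodoca.com
            "http_body": f"{sha1}\ncomodoca.com\n"}


if __name__ == "__main__":
    out = dcv_artifacts(SAMPLE_CSR_PEM, ["subdomain1.yourdomain.com",
                                         "subdomain2.yourdomain.com"])
    print("\n".join(out["cname"] + out["http_urls"]), out["http_body"], sep="\n")
```

For a SAN or UCC order, pass every domain and subdomain from the certificate so that one record or file location is produced per name.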