Short link : opensrs.help/domain-validation
This guide will walk you through the authorization process for RapidSSL, GeoTrust and Sectigo SSL certificates, and outline the three verification methods from which a registrant can choose.
We'll address the following questions:
What are the three different methods?
RapidSSL, GeoTrust and Sectigo SSL certificates can be validated using one of the following three methods:
Selecting this method prompts the vendor to send an email to the registrant, requesting that they confirm the details of the certificate. Once this information has been confirmed, the vendor will send the registrant the certificate for installation onto the registrant's web server.
Upon submitting the order in the OpenSRS Control Panel, a DNS string is immediately provided and should be added to the DNS for the domain.
Depending on the order type this can be either a CNAME or a TXT Record
Digicert (Symantec, Thawte, GeoTrust, and RapidSSL) orders require a DNS TXT record for DNS validation. This validation method requires you to create a unique DNS TXT record on your domain's public DNS and add the random value verification token—from the SSL order—to the TXT record. When validation is requested the SSL provider does a search for TXT records associated with the domain, and then verify the record's value includes the verification token (random value).
Please ensure the TXT record must be present on both the apex domain and common name for Digicert DNS validation.
Sectigo orders need to be validated by adding a CNAME record. They require the creation of a unique CNAME record, pointed back to Sectigo/Comodo CA. A CNAME DNS record is created under the Authorization Domain Name. The CNAME record is provided on the SSL order.
Please note: The DNS Record provided is valid for 24 hours. If your certificate has not been issued within this timeframe a new record will be required.
Geotrust polling times:
- Polling Interval 1 Every one minute for the first 15 minutes
- Polling Interval 2 Every five minutes for an hour
- Polling Interval 3 Every fifteen minutes for four hours
- Polling Interval 4 Every hour for a day
- Polling Interval 5 Every four hours for a week
- Polling Interval 6 Every twenty hours for a year
Sectigo DNS polling times:
If the DNS records don't exist during the first check then further lookup's happen in the following intervals.
- 10 minutes after
- 20 minutes after
- 40 minutes after
- 80 minutes after
- 160 minutes after
- 320 minutes after
1. In the OpenSRS Control Panel, head to the product order, copy the new CNAME/TXT value and enter it in the zone information. After that, click on "Request validation from vendor.” Please wait up to 24 hours for the validation process before requesting another one. The timestamp on the CNAME will change every time the page is refreshed but the previous codes are valid for 24 hours.
2. Use the get_order_info API command to view this information.
Important: Do not request validation from vendor until a foreign resolver can resolve the record first. If you request validation from vendor before the record is publicly resolvable this will invalidate the record.
Upon summiting the order in the OpenSRS Control Panel, a TXT file is immediately provided, and should be uploaded to the following directory:
The vendor will check the website for this file and, after confirming it has been uploaded, validate the certificate.
Note: Sectigo authorization file name is an MD5 value instead of fileauth.txt. For windows IIS servers, you may place a "." at the start and end of the folder for a workaround.
How and when do I choose my preferred method?
The preferred method is selected at the time of purchase from the product order page in the OpenSRS Control Panel.
What if there is a delay in processing my order?
The vendor will typically check for newly placed orders every hour. If, after 24 hours, a confirmation of validation has not been received:
Click the link provided under Domain Validation Authentication Check to send a manual request for validation. A confirmation of the validated certificate should appear under domain notes no later than one hour after this request is made.
If you continue to have issues, please contact us at email@example.com
How do I parse the CSR?
Parsing the CSR allows you to see the information it contains and correct any errors that may delay the verification process. This can be done from the Trust section of the reseller control panel.
For more information, check out the full guide.
Below, are some quick links to our API XML guide for commands relevant to domain-vetted authorization for RapidSSL, GeoTrust & Sectigo SSL Certificate registration.