Domain-vetted authorization for RapidSSL, GeoTrust & Sectigo SSL certificates

Short link : opensrs.help/domain-validation

This guide walks you through the authorization process for RapidSSL, GeoTrust and Sectigo SSL certificates. Registrants can choose between three verification methods to validate an SSL certificate. Each method is outlined in detail below.
What are the three different methods?

RapidSSL, GeoTrust and Sectigo SSL certificates can be validated using one of the following three methods.

Email validation

Selecting this method prompts the vendor to send an email to the registrant, requesting that they confirm the details of the certificate. Once this information has been verified, the vendor sends the registrant the certificate for installation on the registrant's web server.

Since the GDPR came into effect, to keep the validation process efficient while keeping registrant contact information private, email validation for DV (domain validated) SSL certificates can only be approved via the following default mailbox addresses:

  • admin@yourdomain.com
  • administrator@yourdomain.com
  • hostmaster@yourdomain.com
  • postmaster@yourdomain.com
  • webmaster@yourdomain.com


DNS validation

Upon submitting the order in the OpenSRS Control Panel, a DNS string is immediately provided and must be added to the DNS zone for the domain.

Depending on the order type, this is either a CNAME or a TXT record.

Digicert (Symantec, Thawte, GeoTrust, and RapidSSL) orders require a TXT record for DNS validation. You create a unique TXT record in the domain's public DNS zone whose value is the random verification token from the SSL order. When validation is requested, the SSL provider queries the domain's TXT records with a public DNS lookup tool (such as dig) and verifies that a record's value includes the verification token (random value).

The TXT record must be present on both the apex domain and common name for Digicert DNS validation. 

Sectigo orders are validated by adding a CNAME record: a unique CNAME record is created under the authorized domain name, pointing back to the Sectigo/Comodo CA (Certificate Authority). The CNAME record name and target are provided on the SSL order.

Note: The DNS record provided is valid for 24 hours. If your certificate has not been issued within this timeframe, a new record will be required.

If you don't want to use the get_order_info API command to view and update the SSL service order attributes, you can:

  1. Go to the Trust tab in the Reseller Control Panel and find the SSL order by searching with the common name or the supplier order ID.
  2. Copy the new CNAME/TXT value and enter it into the DNS zone information.
  3. Click on Request validation from vendor.

Please wait up to 24 hours for the validation process to complete before requesting another one. The timestamp on the CNAME/TXT value changes every time the page is refreshed, but the previous codes remain valid for 24 hours.

Important: Do not request validation from the vendor until a resolver outside your own network can resolve the record. If you request validation from the vendor before the record is publicly resolvable, the record is invalidated.
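As an added pre-flight check for the note above (not part of the original article or any CA tooling), this POSIX shell helper queries a public resolver with dig and only reports OK when the TXT token or CNAME target from the order is visible; the resolver address, the function names and the placeholder values are assumptions.

```shell
#!/bin/sh
# Confirm a DNS validation record is visible from a public resolver BEFORE
# clicking "Request validation from vendor". Hypothetical helper; requires dig.
# The resolver address is a constructed default; override with RESOLVER=...

RESOLVER="${RESOLVER:-1.1.1.1}"

# dig_short NAME TYPE -> prints the record data, one entry per line (empty if absent)
dig_short() {
    dig +short +time=3 +tries=1 "$2" "$1" "@$RESOLVER" 2>/dev/null
}

# record_has_value DIG_OUTPUT EXPECTED -> success if any returned entry contains
# EXPECTED. TXT data comes back quoted ("token") and CNAME targets end in a dot,
# so both are stripped first, mirroring the CA's "value includes the token" check.
record_has_value() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    printf '%s\n' "$1" | sed -e 's/^"//' -e 's/"$//' -e 's/\.$//' | grep -Fq -- "$2"
}

# check_name NAME TYPE EXPECTED -> prints a status line, success when visible
check_name() {
    out=$(dig_short "$1" "$2") || out=""
    if record_has_value "$out" "$3"; then
        echo "OK    $2 $1 contains the expected value"
    else
        echo "WAIT  $2 $1 not yet visible via $RESOLVER (got: ${out:-nothing})"
        return 1
    fi
}

# DigiCert/GeoTrust/RapidSSL: the TXT token must resolve on BOTH the apex
# domain and the common name, so both names are checked and both must pass.
check_digicert_txt() {   # APEX COMMON_NAME TOKEN
    rc=0
    check_name "$1" TXT "$3" || rc=1
    check_name "$2" TXT "$3" || rc=1
    return "$rc"
}

# Sectigo: the CNAME created under the domain must point at the target
# given on the SSL order.
check_sectigo_cname() {  # CNAME_HOST TARGET
    check_name "$1" CNAME "$2"
}

# Example invocations with placeholder values; request validation only once
# every line prints OK, and remember the record is valid for 24 hours.
# check_digicert_txt example.com www.example.com "<token-from-order>"
# check_sectigo_cname "<host-from-order>.example.com" "<target-from-order>"
```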


GeoTrust polling times:

Polling Interval 1: every one minute for the first 15 minutes
Polling Interval 2: every five minutes for an hour
Polling Interval 3: every fifteen minutes for four hours
Polling Interval 4: every hour for a day
Polling Interval 5: every four hours for a week
Polling Interval 6: every twenty hours for a year

Sectigo DNS polling times:

If the DNS records don't exist during the first check, further lookups happen at the following intervals.

Polling Interval 1: 10 minutes after
Polling Interval 2: 20 minutes after
Polling Interval 3: 40 minutes after
Polling Interval 4: 80 minutes after
Polling Interval 5: 160 minutes after
Polling Interval 6: 320 minutes after


File validation

Upon submitting the order in the OpenSRS Control Panel, a TXT file is immediately provided and must be uploaded to the following location on the web server:

<commonname>/.well-known/pki-validation/fileauth.txt

The vendor checks the website for this file and, after confirming it has been uploaded, validates the certificate.

Note: For Sectigo, the authorization file name is an MD5 value instead of fileauth.txt. On Windows IIS servers, a known workaround is to enter the folder name with a "." at both the start and the end.


How and when do I choose my preferred method?

The preferred method is selected at the time of purchase from the product order page in the OpenSRS Control Panel. 

What if there is a delay in processing my order?

The vendor typically checks for newly placed orders every hour. If, after 24 hours, you haven't received a confirmation of validation, click the link provided under Domain Validation Authentication Check to send a manual request for validation. A confirmation of the validated certificate should appear under the domain notes no later than one hour after this request is made.

If you continue to have issues, please contact us.

How do I parse the CSR?

Parsing the CSR allows you to see the information the SSL order contains and correct any errors that may delay the verification process. This can be done from the Trust section of the Reseller Control Panel.

What are the relevant XML commands and parameters?

Below are some quick links to our API XML guide for commands relevant to domain-vetted authorization for RapidSSL, GeoTrust & Sectigo SSL certificate registration.

  • get_order_info
  • sw_register
  • update_dv_auth_check
  • update_order
  • process_pending
