Short link : opensrs.help/domain-validation
This guide will walk you through the authorization process for RapidSSL, GeoTrust and Sectigo SSL certificates. Registrants can choose between three verification methods to validate an SSL certificate. The methods are outlined in this article in details.
- What are the three different methods?
- How and when do I choose my preferred method?
- What if there is a delay in processing my order?
- How do I parse the CSR?
- What are the relevant XML commands and parameters?
What are the three different methods?
RapidSSL, GeoTrust and Sectigo SSL certificates can be validated using one of the following three methods.
Email validation
Selecting this method prompts the vendor to send an email to the registrant, requesting that they confirm the details of the certificate. Once this information has been verified, the vendor will send the registrant the certificate for installation onto the registrant's web server.
After GDPR implementation, for the most efficient validation process and to manage to keep information regarding a registrant anonymous, email Validation for DV (domain validated) SSL certificates can now only be approved via the default mail addresses known as:
- admin@yourdomain.com
- administrator@yourdomain.com
- hostmaster@yourdomain.com
- postmaster@yourdomain.com
- webmaster@yourdomain.com
DNS validation
Upon submitting the order in the OpenSRS Control Panel, a DNS string is immediately provided and should be added to the DNS for the domain.
Depending on the order type, this can be either a CNAME or a TXT Record
Digicert (Symantec, Thawte, GeoTrust, and RapidSSL) orders require a TXT record for DNS validation. This validation method requires you to create a unique TXT record on your domain's public DNS. This is done by adding the random value verification token from the SSL order to the domain's DNS zone as a TXT record. When validation is requested, the SSL provider searches for TXT records associated with the domain using any public DIG tool, and then verify that the record's value includes the verification token (random value).
The TXT record must be present on both the apex domain and common name for Digicert DNS validation.
Sectigo orders need to be validated by adding a CNAME record. They require the creation of a unique CNAME record, pointed back to Sectigo/Comodo CA (Certificate Authority). A CNAME record is created under the authorized domain name. The CNAME record is provided on the SSL order.
Note: The DNS Record provided is valid for 24 hours. If your certificate has not been issued within this timeframe, a new record will be required.
If you don't want to use the get_order_info API command to view and update the SSL service order attributes, you can:
- Go to the Trust tab in the Reseller Control Panel and find the SSL order by searching with the common name or the supplier order ID.
- Copy the new CNAME/TXT value and enter in the DNS zone information.
- Click on Request validation from vendor.
Please ensure to wait up to 24 hours for the validation process before requesting another one. The timestamp on the CNAME/TXT will change every time the page is refreshed, but the previous codes are valid for 24 hours.
Important: Do not request validation from the vendor until a foreign resolver can resolve the record first. If you request validation from the vendor before the record is publicly resolvable, this will invalidate the record.
Geotrust polling times:
| Polling Interval 1 | Every one minute for the first 15 minutes |
| Polling Interval 2 | Every five minutes for an hour |
| Polling Interval 3 | Every fifteen minutes for four hours |
| Polling Interval 4 | Every hour for a day |
| Polling Interval 5 | Every four hours for a week |
| Polling Interval 6 | Every twenty hours for a year |
Sectigo DNS polling times:
If the DNS records don't exist during the first check, then further lookup happens in the following intervals.
| Polling Interval 1 |
10 minutes after |
| Polling Interval 2 | 20 minutes after |
| Polling Interval 3 | 40 minutes after |
| Polling Interval 4 | 80 minutes after |
| Polling Interval 5 | 160 minutes after |
| Polling Interval 6 | 320 minutes after |
File validation
Upon submitting the order in the OpenSRS Control Panel, a TXT file is immediately provided and should be uploaded to the following directory.
<commonname>/.well-known/pki-validation/fileauth.txt
The vendor will check the website for this file and, after confirming it has been uploaded, validate the certificate.
Note: Sectigo authorization file name is an MD5 value instead of fileauth.txt. For Windows IIS servers, you may place a "." at the start and end of the folder for a workaround.
How and when do I choose my preferred method?
The preferred method is selected at the time of purchase from the product order page in the OpenSRS Control Panel.
What if there is a delay in processing my order?
The vendor will typically check for newly placed orders every hour. If, after 24 hours, you haven't received a confirmation of validation, click the link provided under Domain Validation Authentication Check to send a manual request for validation. A confirmation of the validated certificate should appear under domain notes no later than one hour after this request is made.
If you continue to have issues, please contact us.
How do I parse the CSR?
Parsing the CSR allows you to see the information the SSL order contains and correct any errors that may delay the verification process. This can be done from the Trust section of the Reseller Control Panel.
What are the relevant XML commands and parameters?
Below, are some quick links to our API XML guide for commands relevant to domain-vetted authorization for RapidSSL, GeoTrust & Sectigo SSL Certificate registration.
get_order_info
sw_register
update_dv_auth_check
update_order
process_pending
0 Comments