Domain Validated (DV) Certificate Process

2 min read SSL/TLS & Certificates

Domain Validated (DV) Certificate Process

The DV validation process epitomizes simplicity and automation in certificate issuance. The entire process focuses on a single question: does the applicant control the domain for which they're requesting a certificate? This narrow focus enables complete automation, eliminating human intervention and allowing certificates to be issued within minutes. The streamlined nature of DV validation has made SSL certificates accessible to millions of websites that might otherwise remain unencrypted.

Email-based validation remains one of the most common DV verification methods. The Certificate Authority sends a verification email to predetermined addresses associated with the domain, such as admin@, administrator@, hostmaster@, postmaster@, or [email protected]. The email contains a unique verification link or code that the applicant must click or enter to prove they can receive email at these administrative addresses. This method works well for established domains with functioning email systems but can be problematic for new domains or those without email infrastructure.

DNS validation offers a more technical but highly flexible approach. The CA provides a unique TXT record that must be added to the domain's DNS configuration. Once added, the CA queries the DNS system to verify the record's presence, confirming domain control. This method particularly suits technical users comfortable with DNS management and works well for domains without email systems. It also enables wildcard certificate validation and integrates smoothly with automated systems using APIs for DNS updates.

File-based validation, also known as HTTP validation, requires uploading a specific file to a predetermined location on the web server. The CA attempts to retrieve this file via HTTP, confirming that the applicant controls the web server associated with the domain. This method works well for existing websites but requires an already-functioning web server, making it unsuitable for pre-launch certificate acquisition.