Validate
Before a certificate authority (CA) will issue a certificate for a domain, the requester must prove they have control over that domain. This process is known as domain control validation (DCV).
When you create a custom hostname, choose one certificate validation method. The API accepts one ssl.method value: http, txt, or email.
Specific (non-wildcard) custom hostnames can use HTTP-based DCV for certificate renewals, as long as:
- The hostname is pointing to the SaaS provider.
- The hostname's traffic is proxying through the Cloudflare network.
If your custom hostnames do not meet these requirements, use another validation method.
Wildcard custom hostnames require TXT-based validation. As the SaaS provider, you have two options for wildcard custom hostname certificate renewals:
- DCV Delegation (auto-issuance)
- Manual
If you want to minimize downtime, explore one of the following methods to issue and deploy the certificate before onboarding your customers:
- Delegated DCV: Place a one-time record at your authoritative DNS that allows Cloudflare to auto-renew all future certificate orders.
- TXT validation: Have your customers add a TXT record to their authoritative DNS.
- Manual HTTP validation: Add a TXT record at your origin.
If you value simplicity and your customers can handle a few minutes of downtime, you can rely on Cloudflare automatic HTTP validation.
Automatic HTTP validation requires the hostname to point to your SaaS target before the CA can fetch the validation token. During that period, the hostname may route to Cloudflare before the certificate reaches ssl.status: active.
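The selection rules above can be run as a pre-onboarding check over a hostname inventory. This is an added example, not Cloudflare's code: the function names, the inventory fields and the sample hostnames are constructed assumptions, and only the ssl.method values come from this page.

```python
ALLOWED_METHODS = ("http", "txt", "email")  # ssl.method values named on this page


def plan_dcv(wildcard, points_to_saas, proxied, avoid_downtime, requested=None):
    """Pick an ssl.method for one custom hostname (hypothetical helper).

    Returns {"method": ..., "http_renewal": bool}, where http_renewal says
    whether HTTP-based DCV can be used for renewals in the current state.
    """
    if requested is not None and requested not in ALLOWED_METHODS:
        raise ValueError(f"ssl.method must be one of {ALLOWED_METHODS}, got {requested!r}")
    if wildcard:
        # Wildcard custom hostnames require TXT-based validation.
        if requested not in (None, "txt"):
            raise ValueError("wildcard custom hostnames require TXT-based validation")
        return {"method": "txt", "http_renewal": False}
    # HTTP renewals need the hostname pointed at the SaaS provider and proxied.
    http_renewal = points_to_saas and proxied
    if requested == "http" and avoid_downtime and not points_to_saas:
        # The CA cannot fetch the token until the hostname points to the target.
        raise ValueError("automatic HTTP validation cannot pre-issue an unpointed hostname")
    if requested:
        method = requested
    elif http_renewal or not avoid_downtime:
        method = "http"  # simplest path; may mean a short wait for ssl.status: active
    else:
        method = "txt"   # issue and deploy the certificate before the customer cuts over
    return {"method": method, "http_renewal": http_renewal}


# Constructed sample inventory (not real customers).
INVENTORY = [
    {"hostname": "app.customer-a.example", "wildcard": False,
     "points_to_saas": True, "proxied": True, "avoid_downtime": True},
    {"hostname": "customer-b.example", "wildcard": True,
     "points_to_saas": True, "proxied": True, "avoid_downtime": True},
    {"hostname": "shop.customer-c.example", "wildcard": False,
     "points_to_saas": False, "proxied": False, "avoid_downtime": True},
    {"hostname": "blog.customer-d.example", "wildcard": False,
     "points_to_saas": False, "proxied": False, "avoid_downtime": False},
]


def plan_all(inventory):
    """Map each hostname to its plan; the hostname key is not a plan_dcv argument."""
    return {h["hostname"]: plan_dcv(**{k: v for k, v in h.items() if k != "hostname"})
            for h in inventory}


if __name__ == "__main__":
    for name, plan in plan_all(INVENTORY).items():
        print(name, plan)
```
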
To avoid or solve potential issues, refer to our troubleshooting guide.