Delegated DCV allows SaaS providers to delegate the DCV process to Cloudflare.
DCV Delegation requires your customers to place a one-time record at their authoritative DNS that allows Cloudflare to auto-renew all future certificate orders, so that there is no manual intervention from you or your customers at the time of the renewal.
When to use
Specific (non-wildcard) custom hostnames can use HTTP based DCV for certificate renewals, as long as that hostname is pointing to the SaaS provider and the traffic is proxying through the Cloudflare network.
Wildcard custom hostnames require TXT based validation. As the SaaS provider, you have two options for wildcard custom hostname certificate renewals:
- DCV Delegation (recommended)
To set up Delegated DCV:
- Order a custom certificate for your zone. You can choose any Certificate validation method.
- On SSL/TLS > Custom Hostnames, go to DCV Delegation for Custom Hostnames.
- Copy the hostname value.
- For each hostname, the domain owner needs to place a
CNAMErecord at their authoritative DNS. In this example, the SaaS zone is
example.com._acme-challenge.example.com CNAME example.com.<COPIED_HOSTNAME>.
Once this is complete, Cloudflare will place two TXT DCV records - one for
example.com and one for
*.example.com - at the
example.com.<COPIED_HOSTNAME> hostname. The CNAME record will need to stay in place in order to allow Cloudflare to continue placing the records for the renewals.
If desired, you could also manually fetch the DCV tokens and share them with your customers.
If you move your SaaS zone to another account, you will need to update the
CNAME record with a new hostname value.