Delegated DCV
Delegated DCV allows SaaS providers to delegate the DCV process to Cloudflare.
DCV Delegation requires your customers to place a one-time record at their authoritative DNS that allows Cloudflare to auto-renew all future certificate orders, so that there is no manual intervention from you or your customers at the time of the renewal.
When to use
HTTP DCV
Specific (non-wildcard) custom hostnames can use HTTP based DCV for certificate renewals, as long as:
- The hostname is pointing to the SaaS provider.
- The hostname’s traffic is proxying through the Cloudflare network.
If your custom hostnames do not meet these requirements, use another validation method.
TXT DCV
Wildcard custom hostnames require TXT-based validation. As the SaaS provider, you have two options for wildcard custom hostname certificate renewals:
- DCV Delegation (generally recommended)
- Manual
Setup
To set up Delegated DCV:
- Add a custom hostname for your zone. You can choose any Certificate validation method.
- On SSL/TLS > Custom Hostnames, go to DCV Delegation for Custom Hostnames.
- Copy the hostname value.
- For each hostname, the domain owner needs to place a
CNAMErecord at their authoritative DNS. In this example, the SaaS zone isexample.com._acme-challenge.example.com CNAME example.com.<COPIED_HOSTNAME>.
Once this is complete, Cloudflare will place two TXT DCV records - one for example.com and one for *.example.com - at the example.com.<COPIED_HOSTNAME> hostname. The CNAME record will need to stay in place in order to allow Cloudflare to continue placing the records for the renewals.
If desired, you could also manually fetch the DCV tokens and share them with your customers.
Moved domains
If you move your SaaS zone to another account, you will need to update the CNAME record with a new hostname value.