Delegated DCV allows SaaS providers to delegate the domain control validation (DCV) process to Cloudflare.
DCV Delegation requires your customers to place a one-time record at their authoritative DNS that allows Cloudflare to auto-renew all future certificate orders, so that there is no manual intervention from you or your customers at the time of the renewal.
When to use
- The hostname is pointing to the SaaS provider.
- The hostname’s traffic is proxying through the Cloudflare network.
If your custom hostnames do not meet these requirements, use another validation method.
Wildcard custom hostnames require TXT-based validation. As the SaaS provider, you have two options for wildcard custom hostname certificate renewals:
To set up Delegated DCV:
- Order a for your zone. You can choose any Certificate validation method.
- On SSL/TLS > Custom Hostnames, go to DCV Delegation for Custom Hostnames.
- Copy the hostname value.
- For each hostname, the domain owner needs to place a CNAME record at their authoritative DNS. In this example, the SaaS zone is example.com.
  _acme-challenge.example.com CNAME example.com.<COPIED_HOSTNAME>.
Once this is complete, Cloudflare will place two TXT DCV records - one for example.com and one for *.example.com - at the example.com.<COPIED_HOSTNAME> hostname. The CNAME record will need to stay in place in order to allow Cloudflare to continue placing the records for the renewals.
If desired, you could also manually fetch the DCV tokens and share them with your customers.
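Because renewals depend on the delegation CNAME staying in place, it is worth auditing customer zones for it. The following is an added example, not Cloudflare's code: it checks zone-file style records against the pattern shown in the setup steps. It assumes the same pattern applies to every custom hostname; `copied-hostname.invalid` is a constructed placeholder for the copied hostname value, and the sample records are constructed.

```python
# Added example: audit DCV delegation CNAMEs against a customer's zone data.
# COPIED is a constructed placeholder for the value copied from the dashboard.
COPIED = "copied-hostname.invalid"

# Constructed sample records in zone-file style (name, optional TTL/class, type, data).
SAMPLE_ZONE = """\
_acme-challenge.example.com.      300 IN CNAME example.com.copied-hostname.invalid.
_acme-challenge.shop.example.org. 300 IN CNAME shop.example.org.other-value.invalid.
_ACME-Challenge.App.Example.NET.  IN CNAME app.example.net.copied-hostname.invalid.
www.example.com.                  300 IN A     192.0.2.10
"""

def norm(name):
    """Lower-case and drop the trailing root dot so names compare reliably."""
    return name.strip().lower().rstrip(".")

def expected_record(hostname, copied):
    """Return (owner, target) of the delegation CNAME for one custom hostname."""
    base = norm(hostname)
    if base.startswith("*."):  # wildcard and apex share one _acme-challenge name
        base = base[2:]
    return f"_acme-challenge.{base}", f"{base}.{norm(copied)}"

def parse_cnames(zone_text):
    """Map owner -> target for every CNAME line; other record types are ignored."""
    cnames = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop zone-file comments
        upper = [f.upper() for f in fields]
        if "CNAME" in upper[1:]:
            i = upper.index("CNAME", 1)
            if i + 1 < len(fields):
                cnames[norm(fields[0])] = norm(fields[i + 1])
    return cnames

def audit(hostnames, copied, zone_text):
    """Return {hostname: 'ok' | 'missing' | 'wrong-target'}."""
    cnames = parse_cnames(zone_text)
    result = {}
    for h in hostnames:
        owner, target = expected_record(h, copied)
        found = cnames.get(owner)
        result[h] = "missing" if found is None else ("ok" if found == target else "wrong-target")
    return result

if __name__ == "__main__":
    hosts = ["example.com", "*.example.com", "shop.example.org", "app.example.net", "api.example.com"]
    for host, status in audit(hosts, COPIED, SAMPLE_ZONE).items():
        print(f"{host:20} {status}")
```

A hostname reported as missing or wrong-target is one whose certificate will not auto-renew through delegation until the domain owner restores the record.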