Cloudflare contacts one of our Certificate Authority providers and asks them to issue certificates for the specified hostname. The CA will then inform Cloudflare that we need to “demonstrate control” of this hostname by returning a
$DCV_TOKEN at a specified
$DCV_FILENAME; both the token and the filename are randomly generated by the CA and not known to Cloudflare ahead of time.
For example, if you create a new custom hostname for
site.example.com, the CA might ask us to return the value
ca3-38734555d85e4421beb4a3e6d1645fe6 for a request to
http://site.example.com/.well-known/pki-validation/ca3-39f423f095be4983922ca0365308612d.txt". As soon as we receive that value from the CA we make it accessible at our edge and ask the CA to confirm it’s there so that they can complete validation and the certificate order.