Skip to content
Visit SSL on GitHub
Set theme to dark (⇧+D)

Domain Control Validation (DCV)

Before a Certificate Authority will issue a certificate for a domain, the requestor must prove they have control over that domain. This process is known as domain control validation (DCV).

DCV exceptions

Full setups

If your domain is on a full setup (Cloudflare runs your authoritative nameservers), we handle DCV automatically on your behalf using a TXT record.

Custom certificates

If your domain is using a custom certificate, you need to handle DCV on your own when you obtain certificates from a CA.

Performing DCV

If your application is on a partial/CNAME setup (someone else runs your authoritative nameservers), you may need to perform DCV.

Apex validation

When you perform DCV through Cloudflare, we recommend that you validate against your domain apex ( instead of individual subdomains ( This recommendation applies even if you do not intend to proxy traffic from your apex domain.

When you validate against the apex, Cloudflare can complete DCV for all subdomains. Otherwise, you will have to validate each subdomain manually.

DCV methods


If you are using proxied (orange-clouded) DNS records and can tolerate a few minutes of downtime, Cloudflare can handle DCV by using an HTTP token. This token is available for the Certificate Authority as soon as you create a CNAME record to Cloudflare in your authoritative DNS and you create proxied DNS records for your hostname within Cloudflare.

What happens after you create your records

Cloudflare contacts one of our Certificate Authority providers and asks them to issue certificates for the specified hostname. The CA will then inform Cloudflare that we need to “demonstrate control” of this hostname by returning a $DCV_TOKEN at a specified $DCV_FILENAME; both the token and the filename are randomly generated by the CA and not known to Cloudflare ahead of time.

For example, if you create a new custom hostname for, the CA might ask us to return the value ca3-38734555d85e4421beb4a3e6d1645fe6 for a request to". As soon as we receive that value from the CA we make it accessible at our edge and ask the CA to confirm it’s there so that they can complete validation and the certificate order.

Though this process happens relatively quickly, your application may experience a brief period of downtime. If you want to use wildcard certificates or pre-validate your certificate — either to avoid downtime or prevent any issuance errors — use TXT or Email validation.


TXT record validation requires the creation of a TXT record in the hostname's authoritative DNS.

  • API: txt_name and txt_value
  • Dashboard: When viewing an individual certificate at SSL/TLS > Edge Certificates, refer to the values for Certificate validation TXT name and Certificate validation TXT value.

At your authoritative DNS provider, create a TXT record named the name and containing the value. Once this TXT is in place, validation and certificate issuance will automatically complete.


Email based validation will send an approval email to the contacts listed for a given domain in WHOIS, along with the following addresses: admin@, administrator@, hostmaster@, postmaster@, and webmaster@.

Once you create an advanced certificate or edit the validation_method via the API and use this validation method, you will see the following values after a few seconds:

  • API: emails
  • Dashboard: When viewing an individual certificate at SSL/TLS > Edge Certificates, refer to the value for Certificate validation email recipients.

The addresses listed in this field will receive an email from They should either click Review Certificate Request or the hyperlink.

Certificate Validation Email

As soon as the domain owner has clicked the link in this email and clicked Approve on the validation page, the certificate will move through the various statuses until it becomes Active.

Verify DCV status

To verify the DCV status of a domain, either view the certificate in the dashboard or use the Verification Status endpoint.

A status of active means that the certificate has been deployed to Cloudflare’s edge network and will be served as soon as HTTP traffic is proxied to Cloudflare.

Update DCV method for an active certificate

You cannot update the DCV method for an active certificate. To update the DCV method for a subdomain, wait until the DCV expires and then change the DCV method.