Domain Control Validation (DCV)
Before a Certificate Authority will issue a certificate for a domain, the requestor must prove they have control over that domain. This process is known as domain control validation (DCV).
If your application is on a partial/CNAME setup (someone else runs your authoritative nameservers), you may need to perform DCV.
When you perform DCV through Cloudflare, we recommend that you validate against your domain apex (example.com) instead of individual subdomains (blog.example.com). This recommendation applies even if you do not intend to proxy traffic from your apex domain.
When you validate against the apex, Cloudflare can complete DCV for all subdomains. Otherwise, you will have to validate each subdomain manually.
If you are using proxied (orange-clouded) DNS records and can tolerate a few minutes of downtime, Cloudflare can handle DCV by using an HTTP token. This token is available for the Certificate Authority as soon as you create a CNAME record to Cloudflare in your authoritative DNS and you create proxied DNS records for your hostname within Cloudflare.
What happens after you create your records
Cloudflare contacts one of our Certificate Authority providers and asks them to issue certificates for the specified hostname. The CA will then inform Cloudflare that we need to “demonstrate control” of this hostname by returning a $DCV_TOKEN at a specified $DCV_FILENAME; both the token and the filename are randomly generated by the CA and not known to Cloudflare ahead of time.
For example, if you create a new custom hostname for site.example.com, the CA might ask us to return the value ca3-38734555d85e4421beb4a3e6d1645fe6 for a request to http://site.example.com/.well-known/pki-validation/ca3-39f423f095be4983922ca0365308612d.txt. As soon as we receive that value from the CA, we make it accessible at our edge and ask the CA to confirm it is there so that they can complete validation and the certificate order.
Though this process happens relatively quickly, your application may experience a brief period of downtime. If you want to use wildcard certificates or pre-validate your certificate — either to avoid downtime or prevent any issuance errors — use TXT or email validation.
TXT record validation requires the creation of a TXT record in the hostname's authoritative DNS.
- Dashboard: When viewing an individual certificate at SSL/TLS > Edge Certificates, refer to the values for Certificate validation TXT name and Certificate validation TXT value.
At your authoritative DNS provider, create a TXT record whose name is the Certificate validation TXT name and whose content is the Certificate validation TXT value. Once this TXT record is in place, validation and certificate issuance will complete automatically.
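The following is an added example, not Cloudflare's code, showing the checks a CA performs for the two automated methods described above: fetching the HTTP token at /.well-known/pki-validation/ and matching a TXT record value. The challenge values, the in-memory "edge" and the fetch function are constructed stand-ins; the TXT validation name and value are placeholders, since the real ones come from the dashboard.

```python
import hmac
from typing import Callable, Iterable, Optional

# Constructed sample challenge, modelled on the page's example (not real CA data).
HTTP_CHALLENGE = {
    "hostname": "site.example.com",
    "filename": "ca3-39f423f095be4983922ca0365308612d.txt",
    "token": "ca3-38734555d85e4421beb4a3e6d1645fe6",
}

def dcv_url(hostname: str, filename: str) -> str:
    """Build the HTTP DCV URL the CA will request. Rejects filenames that
    would escape /.well-known/pki-validation/ (path-confinement check)."""
    if "/" in filename or filename in ("", ".", "..") or not filename.endswith(".txt"):
        raise ValueError(f"unexpected DCV filename: {filename!r}")
    return f"http://{hostname}/.well-known/pki-validation/{filename}"

def http_token_satisfied(challenge: dict, fetch: Callable[[str], Optional[str]]) -> bool:
    """Validate the HTTP token the way a CA would: fetch the exact path and
    compare the body (whitespace-trimmed) to the token in constant time."""
    body = fetch(dcv_url(challenge["hostname"], challenge["filename"]))
    if body is None:
        return False
    return hmac.compare_digest(body.strip().encode(), challenge["token"].encode())

def txt_satisfied(expected_value: str, txt_records: Iterable[str]) -> bool:
    """TXT validation: at least one TXT record at the validation name carries
    exactly the expected value. Quoted rdata is unquoted before comparison."""
    for rdata in txt_records:
        value = rdata.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if hmac.compare_digest(value.encode(), expected_value.encode()):
            return True
    return False

# Constructed in-memory "edge": what Cloudflare serves once the token is provisioned.
EDGE = {dcv_url("site.example.com", HTTP_CHALLENGE["filename"]): HTTP_CHALLENGE["token"] + "\n"}

def fake_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTP GET against the edge; returns None for a 404."""
    return EDGE.get(url)

if __name__ == "__main__":
    print("HTTP token DCV:", http_token_satisfied(HTTP_CHALLENGE, fake_fetch))
    # Placeholder TXT value alongside an unrelated SPF record at the same name.
    print("TXT DCV:", txt_satisfied("PLACEHOLDER_TXT_VALUE", ['"PLACEHOLDER_TXT_VALUE"', "v=spf1 -all"]))
```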
Email-based validation sends an approval email to the contacts listed for a given domain in WHOIS, along with the following addresses:
- Dashboard: When viewing an individual certificate at SSL/TLS > Edge Certificates, refer to the value for Certificate validation email recipients.
Verify DCV status
A status of active means that the certificate has been deployed to Cloudflare’s edge network and will be served as soon as HTTP traffic is proxied to Cloudflare.
Update DCV method for an active certificate
You cannot update the DCV method for an active certificate. To update the DCV method for a subdomain, wait until the DCV expires and then change the DCV method.