Before a certificate authority (CA) issues a certificate for your website, you must verify that you own or can manage the domain name bound to the certificate. After you submit a certificate application, you can prove your ownership of the domain name bound to the certificate by using the Domain Name System (DNS), file, or email method. This topic describes the rules and process of domain name ownership verification.
Prerequisites
A certificate application is submitted. For more information, see Apply for a certificate.
Verification methods
Starting November 15, 2021, you can no longer use the file verification method to verify the ownership of a wildcard domain name, such as *.aliyundoc.com or *.abc.aliyundoc.com. For more information, see [Notice] File Verification is no longer supported when you apply for wildcard certificates.
If an issue occurs during domain name ownership verification, contact your account manager for technical support.
The following table describes the methods of domain name ownership verification for different types of certificates and how to complete verification by using each method.
| Certificate type | Scenario | Verification method | Time required for certificate issuance |
| --- | --- | --- | --- |
| Domain validated (DV) certificate | Alibaba Cloud DNS is activated for the Alibaba Cloud account of the certificate applicant | Automatic DNS verification: Alibaba Cloud automatically identifies the domain name and adds a DNS record for the domain name in the Alibaba Cloud DNS console for domain name ownership verification. You need to only wait for the certificate to be issued. To ensure that automatic DNS verification can proceed as expected, conflicting TXT records are deleted when a DNS record is automatically added. For more information, see Alibaba Cloud DNS is activated for the Alibaba Cloud account of the certificate applicant. | If the specified information is correct, the CA completes review and issuance within one to two business days. |
| Domain validated (DV) certificate | Alibaba Cloud DNS is not activated for the Alibaba Cloud account of the certificate applicant | Manual DNS verification or file verification: you add a TXT record for the domain name at your DNS service provider, or upload a verification file to your web server. For more information, see Alibaba Cloud DNS is not activated for the Alibaba Cloud account of the certificate applicant. | If the specified information is correct, the CA completes review and issuance within one to two business days. |
| Organization validated (OV) or extended validation (EV) certificate | All scenarios | Email verification: After you submit a certificate application for an OV or EV certificate, the CA staff calls the mobile phone number that you specify or sends a verification email to the email address that you specify in the certificate application within one business day. The time varies based on the location of the CA. Statutory holidays are excluded. We recommend that you complete the verification based on the verification method provided in the email and cooperate with the CA to complete the verification. | If the specified information is correct and you cooperate with the CA staff during the verification process, the CA completes review and issuance within three to seven business days. |
Alibaba Cloud DNS is activated for the Alibaba Cloud account of the certificate applicant
If Alibaba Cloud DNS is activated for the Alibaba Cloud account of the certificate applicant and a DV certificate is applied for, Alibaba Cloud automatically identifies the domain name and selects the Automatic DNS Verification method. You cannot change the verification method. After you submit the certificate application, Alibaba Cloud automatically adds a DNS record for the domain name in the Alibaba Cloud DNS console for domain name ownership verification.
After the DNS record takes effect, the "No DNS record is found" message may still appear when you click Verify in the Certificate Management Service console. This is because the Certificate Management Service console verifies the DNS record with some latency. The verification result displayed in the Certificate Management Service console is for reference only. The actual verification and issuance results provided by the CA prevail. In most cases, the CA completes review and issuance within one to two business days.
To ensure that automatic DNS verification can proceed as expected, conflicting TXT records are deleted when a DNS record is automatically added.
Alibaba Cloud DNS is not activated for the Alibaba Cloud account of the certificate applicant
If Alibaba Cloud DNS is not activated for the Alibaba Cloud account of the certificate applicant and a DV certificate is applied for, Alibaba Cloud supports the following verification methods:
Manual DNS verification
If you want to perform manual DNS verification, make sure that the DV certificate is bound to a single domain name or a wildcard domain name and that you have administrative rights on the domain name, because these rights are required to modify its DNS records. If you use this method, you must manually add a TXT record for the domain name in the system of your DNS service provider.
After you submit a certificate application, obtain the verification information from the Verify Information step in the Apply for Certificate panel.
Log on to the system of your DNS service provider and add a DNS record for your domain name.
The following example shows how to add a DNS record for a domain name in the Alibaba Cloud DNS console. If the domain name is registered with a third-party DNS service provider, go to the website of the DNS service provider and add a DNS record for the domain name.
Log on to the Alibaba Cloud DNS console by using the Alibaba Cloud account of the domain name owner.
On the Domain Name Resolution page, find the domain name that is bound to the certificate and click the domain name.
On the DNS Settings page, click Add DNS Record.
In the Add DNS Record panel, add the verification information that is obtained in Step 1, including Record Type, Host Record, and Record Value, to the configuration items shown in the following figure. Then, click OK.
In the following figure, the left side shows the Certificate Management Service console and the right side shows the Alibaba Cloud DNS console.
After you add the DNS record, you can view it in the record list.
The newly added DNS record immediately takes effect.
If you delete or modify the DNS record, the operation takes effect after the time-to-live (TTL) of the DNS record that is stored in the local DNS cache. In most cases, the default TTL is 10 minutes.
If you change your DNS server information, the change takes effect within 48 hours by default. For example, if you replace your DNS service with Alibaba Cloud DNS and configure DNS records, the change takes effect after 48 hours.
Important: Do not remove the record that you add before the certificate is issued. Otherwise, the certificate fails to be issued. We recommend that you remove the added record after the certificate is issued. This avoids conflicts when a record is added later.
After you add the DNS record, return to the Verify Information step in the Certificate Management Service console and click Verify.
After the TXT record takes effect, the "No DNS record is found" message may still appear when you click Verify in the Certificate Management Service console. This is because the Certificate Management Service console verifies the TXT record with some latency. The verification result displayed in the Certificate Management Service console is for reference only. The actual verification and issuance results provided by the CA prevail. In most cases, the CA completes review and issuance within one to two business days.
Important: If your DNS records include a CAA record, check whether the CA specified in the CAA record matches the brand of your certificate. If the CA does not match the brand, you must delete the CAA record. Otherwise, the certificate fails to be issued. For more information about domain name ownership verification, see FAQ about domain name ownership verification.
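The two checks the manual DNS method depends on, the published TXT record and a CAA record that does not exclude the CA, can be rehearsed before clicking Verify. The following is an added example, not code from the Alibaba Cloud documentation: it evaluates CAA the way RFC 8659 defines the relevant RRset (climb towards the root, issuewild overrides issue for wildcard names) against a constructed zone snapshot rather than live DNS, and the brand-to-issuer-domain mapping and placeholder host record and TXT value are assumptions.

```python
# Added example (not from the Alibaba Cloud documentation): check that the
# manual-verification TXT record is published and that no CAA record blocks
# the CA, following the RFC 8659 rules for the relevant CAA RRset. A
# constructed zone snapshot stands in for live DNS so this runs offline.

# Constructed zone: owner name -> record type -> values. The real host record
# and TXT value come from the Verify Information step; these are placeholders.
ZONE = {
    "aliyundoc.com": {"CAA": ['0 issue "digicert.com"',
                              '0 issuewild "globalsign.com"']},
    "hostrecord-placeholder.aliyundoc.com": {"TXT": ["txt-value-placeholder"]},
    "shop.aliyundoc.com": {"CAA": ['0 issue ";"']},  # forbids all issuance
}
# Assumed mapping from certificate brand to the CA's CAA issuer domain.
BRAND_ISSUER = {"DigiCert": "digicert.com", "GlobalSign": "globalsign.com"}


def txt_present(host, expected):
    """True if the verification TXT value is published at the host record."""
    return expected in ZONE.get(host, {}).get("TXT", [])


def relevant_caa(name):
    """Climb from name (minus a leading '*.') towards the root and return the
    first CAA RRset found: the relevant RRset in RFC 8659 terms."""
    labels = (name[2:] if name.startswith("*.") else name).split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), {}).get("CAA")
        if rrset:
            return rrset
    return []


def caa_allows(name, brand):
    """Decide whether the CA behind brand may issue a certificate for name."""
    rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    tags = {}
    for rr in rrset:
        _flags, tag, value = rr.split(" ", 2)
        # Keep only the issuer domain, dropping quotes and any ";param" suffix.
        tags.setdefault(tag, []).append(value.strip('"').split(";")[0].strip())
    if name.startswith("*.") and "issuewild" in tags:
        allowed = tags["issuewild"]  # issuewild overrides issue for wildcards
    else:
        allowed = tags.get("issue")
    if allowed is None:
        return True  # CAA present but no restricting tag (e.g. only iodef)
    return BRAND_ISSUER[brand] in allowed
```

With real records, replace the ZONE lookups with TXT and CAA queries against your resolver; the decision logic stays the same.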
File verification
If you want to perform file verification, make sure that the DV certificate is bound to a single domain name, such as aliyundoc.com. After you submit a certificate application, you must manually download a dedicated verification file and upload the file to the verification directory .well-known/pki-validation/ of your web server. The CA attempts to access the HTTPS URL and HTTP URL of the verification file over ports 443 and 80 in sequence. If a URL can be accessed, the verification is successful. Then, the CA issues the certificate.
A CA can initiate verification requests only over ports 80 and 443. Make sure that ports 80 and 443 are enabled on your web server.
If the HTTPS service is enabled on your web server, make sure that the URL specified by the HTTPS Address parameter of your verification file is accessible and the certificate is trusted. Otherwise, we recommend that you temporarily disable the HTTPS service on the web server to prevent the verification from being affected. If no HTTPS service is configured on your web server, make sure that the URL specified by the HTTP Address parameter of your verification file is accessible.
Make sure that no 301 or 302 redirect is enabled for the URL specified by the HTTPS Address or HTTP Address parameter of your verification file. If a redirect is enabled, cancel the related settings to disable it. You can run the following command to check whether a redirect is enabled for the URL:
wget -S <URL>
If you apply for a certificate of a non-Chinese brand, such as DigiCert or GlobalSign, make sure that your DNS server can be accessed from outside the Chinese mainland. We recommend that you temporarily add the IP address of the CA to the whitelist of your DNS server. This way, the CA can access your DNS server and complete domain name ownership verification. For more information about how to obtain the IP address of a CA, contact your account manager.
If your domain name is a first-level domain name such as aliyundoc.com, make sure that the URL of the verification file for the second-level domain name that starts with www. can also be accessed. For example, if your first-level domain name is aliyundoc.com, make sure that both http://aliyundoc.com/.well-known/pki-validation/fileauth.txt and http://www.aliyundoc.com/.well-known/pki-validation/fileauth.txt can be accessed. Otherwise, the domain name ownership verification fails.
If your domain name is a second-level domain name that starts with www., such as www.example.com, make sure that its first-level domain name can also be accessed. For example, if your second-level domain name is www.example.com, make sure that both http://www.example.com/.well-known/pki-validation/fileauth.txt and http://example.com/.well-known/pki-validation/fileauth.txt can be accessed. Otherwise, the domain name ownership verification fails.
Procedure:
After you submit the certificate application, click verification file in the Download Verification File step to download a verification file package to your computer and decompress the package.
A ZIP package is downloaded. After the package is decompressed, you can obtain the verification file fileauth.txt. The file is valid only for three calendar days after it is downloaded. If you do not complete domain name ownership verification within the validity period, you must download the verification file again.
Important: After you obtain the verification file, do not perform operations on the file. For example, do not open, edit, or rename the file.
Configure settings for file verification on your web server. In this example, an Elastic Compute Service (ECS) Linux instance on which NGINX is installed is used.
Note: We recommend that you seek help from the server administrator.
Connect to the ECS instance. For more information, see Connect to an ECS instance.
Run the following commands in sequence to create a verification directory named .well-known/pki-validation/ in the web root directory of the ECS instance. The default web root directory for NGINX is /var/www/html/.
cd /var/www/html
mkdir -p .well-known/pki-validation
Upload the verification file fileauth.txt to the verification directory /var/www/html/.well-known/pki-validation/.
You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, or WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Upload files to or download files from a Windows instance or Upload a file to a Linux instance.
Important: We recommend that you do not delete the verification file until the certificate is issued. If you delete the verification file before the certificate is issued, the certificate fails to be issued.
After you upload the verification file fileauth.txt, return to the Apply for Certificate panel in the Certificate Management Service console. Then, check whether the URLs specified by the HTTPS Address and HTTP Address parameters are accessible.
In the Certificate Management Service console, file verification completes with some latency. If the "No file found" message appears after you click Verify, wait and try again. If the verification is not complete after one business day, check whether the verification file that you uploaded is valid. The verification result displayed in the Certificate Management Service console is for reference only. The actual verification and issuance results provided by the CA prevail. In most cases, the CA completes review and issuance within one to two business days.
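Before clicking Verify, the conditions listed under File verification above (file reachable on both the first-level and www. names, HTTPS tried before HTTP, no 301 or 302 redirect, a trusted certificate if HTTPS is enabled) can be checked from any machine with the downloaded fileauth.txt at hand. The following preflight is an added example and not Alibaba Cloud's own tooling; the 10-second timeout is an assumption, and it uses only the Python standard library.

```python
# Added example (not Alibaba Cloud's own tooling): preflight the URLs the CA
# fetches for file verification. It derives the apex/www pair the text
# requires, probes HTTPS then HTTP without following redirects, and reports
# anything that would make the CA's check fail. The timeout is an assumption.
import urllib.error
import urllib.request

VERIFY_PATH = "/.well-known/pki-validation/fileauth.txt"

def name_pair(domain):
    """Return (apex, www) names; the CA must reach the file on both."""
    apex = domain[4:] if domain.startswith("www.") else domain
    return apex, "www." + apex

def validation_urls(domain):
    """All URLs to check, HTTPS first then HTTP, matching the CA's order."""
    return [f"{scheme}://{host}{VERIFY_PATH}"
            for scheme in ("https", "http") for host in name_pair(domain)]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn 3xx answers into HTTPError so a redirect is reported, not hidden."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(status, location=None):
    """Map an HTTP status to the verdict the CA's fetch would reach."""
    if status == 200:
        return "ok"
    if status in (301, 302):
        return f"redirect to {location}: disable it before verifying"
    return f"unexpected status {status}"

def probe(url, expected_body, timeout=10):
    """Fetch url without redirects and compare the body with fileauth.txt."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return classify(e.code, e.headers.get("Location"))
    except urllib.error.URLError as e:  # DNS, TCP or untrusted-certificate errors
        return f"unreachable: {e.reason}"
    if body.strip() != expected_body.strip():
        return "served content differs from the downloaded fileauth.txt"
    return classify(resp.status)

def preflight(domain, expected_body):
    """Verdict per URL; every value must be 'ok' before you click Verify."""
    return {u: probe(u, expected_body) for u in validation_urls(domain)}
```

Call preflight("aliyundoc.com", open("fileauth.txt", "rb").read()) from the machine you downloaded the file to; an "unreachable" verdict on the HTTPS URLs with a certificate error is the case where the text recommends temporarily disabling HTTPS.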