The verification of domain name ownership is referred to as domain name verification. This operation verifies whether you own the domain name that you bind to an SSL certificate when you apply for the certificate. This topic describes how to complete domain name verification.

Background information

The point in the application process at which you must complete domain name verification depends on the type of certificate that you apply for.
  • DV certificates

    When you apply for a domain validated (DV) certificate, you must complete domain name verification as prompted in the Certificate Management Service console before you can submit a certificate application in the console.

    The following table describes the verification methods that are supported by Certificate Management Service and the prerequisites for using each method.

    Verification method: Automatic DNS verification
      Description: If you use this method, Certificate Management Service is authorized to modify the DNS records of your domain name. Certificate Management Service automatically adds a TXT record to the DNS records of your domain name for verification. You do not need to manually modify the DNS records of your domain name.
        If the certificate authority (CA) verifies that the TXT record can be resolved, the verification is successful.
      Prerequisite: The domain name that you bind to the certificate must be a domain name that is registered with Alibaba Cloud. The registration must be performed by the Alibaba Cloud account that you use to submit the certificate application.
        You can view the domain names registered by the current Alibaba Cloud account on the Domain Names page in the Alibaba Cloud Domains console.

    Verification method: Manual DNS verification
      Description: If you use this method, you must manually add a TXT record to the DNS records of your domain name for verification.
        If the CA verifies that the TXT record can be resolved, the verification is successful.
      Prerequisite: The domain name is registered with a third-party platform. You must have permissions to modify the DNS records of the domain name, which requires administrative rights on the domain name.

    Verification method: File verification
      Description: If you use this method, you must manually download a proprietary verification file from the Certificate Management Service console and upload the file to a specified verification directory of your web server.
        If the CA verifies that the proprietary verification file can be accessed in that directory, the verification is successful.
      Prerequisites:
        • The domain name that you bind to the certificate is a single domain name. If you apply for a wildcard certificate, you cannot use this method.
        • The domain name is registered with a third-party platform. You must have permissions to write content to the root directory of the server on which your website is deployed, which requires administrative rights on the server.
        • Ports 80 and 443 are enabled on the server, and the server listens for HTTP and HTTPS traffic on these ports.
          Notice The CA can initiate authentication requests only to ports 80 and 443. If ports 80 and 443 are not enabled for your server, do not use the file verification method.
  • OV or EV certificates

    When you apply for an organization validated (OV) or extended validation (EV) certificate, you can directly submit the certificate application. After you submit the certificate application and receive an email from the CA, you need to complete the domain name verification by following the verification steps described in the email.

DV certificates

When you apply for a DV certificate, you must perform the following steps to complete domain name verification based on the value that you specify for Domain Verification Method.

Automatic or manual DNS verification

  1. Log on to the SSL Certificates Service console. Then, go to the domain name verification step.
    You can go to the domain name verification step by using one of the following methods:
    • Submit an application for a DV certificate. After you specify the application information, the system displays the domain name verification step.
    • In the certificate list, find a DV certificate that is in the Pending Verification state and click Verify in the Actions column. Then, the system displays the domain name verification step.
  2. If you set Domain Verification Method to Automatic DNS Verification in the Enter Application step, click Verify. If you set Domain Verification Method to Manual DNS Verification in the Enter Application step, add a TXT record to the DNS records of the domain name and click Verify. You can add the TXT record based on the information displayed in the Verify Information step.
    In the following example, Alibaba Cloud DNS is used to demonstrate how to add a TXT record to the DNS records of a domain name:
    Note If a domain name is registered with a third-party platform, log on to the system of the platform and add a TXT record to the DNS records of the domain name.
    1. Log on to the Alibaba Cloud DNS console.
    2. On the Manage DNS page, click the domain name for which you want to add a TXT record.
    3. On the DNS Settings page, click Add Record.
    4. In the Add Record panel, add the specified TXT record by following the instructions in the Verify Information step in the Certificate Management Service console. Then, click Confirm.
      After the TXT record is added, the TXT record appears in the record list. By default, the TXT record takes effect, and the value of Status is Normal.

      After you add the TXT record, return to the Certificate Management Service console and click Verify in the Verify Information step.

  3. After the verification succeeds, click Submit.
    If the verification fails, refresh the page and perform the verification again.
  4. Wait for the CA to review the certificate application.
    The CA issues the certificate to you only after the CA approves your certificate application. In the certificate list, you can view the progress of the certificate application that you submit or obtain the issued certificate.

    If your certificate application is rejected, you must troubleshoot the issue by following the instructions provided in the certificate list.

  5. After the certificate is issued, delete the TXT record that you added in Step 2.
    Notice If Automatic DNS Verification is selected, Certificate Management Service automatically adds a TXT record to the DNS records of the domain name. However, Certificate Management Service does not automatically delete the TXT record after the certificate is issued. We recommend that you manually delete the TXT record after the certificate is issued.
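A pre-check you can run before clicking Verify in the manual DNS procedure above (an added example, not Alibaba Cloud's tooling): it queries the TXT record through a public resolver, which is closer to what the CA sees than your local cache, and reports whether the value from the Verify Information step is present. The record name, the expected value and the resolver address are placeholders to replace with the real ones.

```shell
#!/bin/sh
# Pre-check for manual DNS verification: confirm the TXT record that the
# console asked for is visible to a public resolver before clicking Verify.
# Added example, not Alibaba Cloud's tooling. TXT_NAME and TXT_VALUE are
# placeholders; copy the real record name and value from the console.

# Normalise `dig +short TXT` output: one record per line, surrounding quotes
# removed, multi-chunk records ("abc" "def") joined into one string.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Returns 0 when the expected value is one of the normalised lines on stdin.
txt_contains() {
    expected=$1
    normalize_txt | grep -Fqx -- "$expected"
}

# Ask a public resolver (default: Google's 8.8.8.8) rather than the local
# cache, so a stale or split-horizon answer does not hide a missing record.
# Uses dig from bind-utils / dnsutils.
check_txt_record() {
    name=$1; expected=$2; resolver=${3:-8.8.8.8}
    dig +short TXT "$name" "@$resolver" | txt_contains "$expected"
}

# Usage: TXT_NAME=_example.yourdomain.com TXT_VALUE=... sh check_txt.sh
if [ -n "${TXT_NAME:-}" ] && [ -n "${TXT_VALUE:-}" ]; then
    if check_txt_record "$TXT_NAME" "$TXT_VALUE"; then
        echo "TXT record for $TXT_NAME is visible; click Verify."
    else
        echo "TXT record not visible yet; wait for propagation and retry." >&2
        exit 1
    fi
fi
```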

File verification

  1. Log on to the SSL Certificates Service console. Then, go to the domain name verification step.
    You can go to the domain name verification step by using one of the following methods:
    • Submit an application for a DV certificate. After you specify the application information, the system displays the domain name verification step.
    • In the certificate list, find a DV certificate that is in the Pending Verification state and click Verify in the Actions column. Then, the system displays the domain name verification step.
  2. If you set Domain Verification Method to File Verification in the Enter Application step, follow the instructions provided in the Verify Information step to create a verification directory named .well-known/pki-validation in the root directory of the web application on your server and upload the unique verification file fileauth.txt to the verification directory.
    After the preceding configuration is complete, enter https://<yourdomain>.com/.well-known/pki-validation/fileauth.txt or http://<yourdomain>.com/.well-known/pki-validation/fileauth.txt in a browser to access the unique verification file. If the unique verification file can be accessed, the verification is successful.
    The procedure to perform the configuration varies based on the operating systems of servers and the directory structures of web applications. In the following example, NGINX installed on a Linux Elastic Compute Service (ECS) instance is used to demonstrate how to upload the unique verification file to verify the ownership of a domain name.
    Note We recommend that you seek help from the server administrator.
    1. Click unique verification file to download a package to your computer and decompress the package.
      A ZIP package is downloaded. After the package is decompressed, you can obtain the unique verification file fileauth.txt. The file is valid only for three days after it is downloaded. If you fail to complete the file verification within three days, you must download the unique verification file again.
      Notice After you extract the unique verification file, do not perform operations on the file. For example, do not open, edit, or rename the file.
    2. Connect to your server.
      For more information, see Connect to an ECS instance.
    3. Run the following commands to create a verification directory named .well-known/pki-validation/ in the root directory of the web application on the server. The default root directory for NGINX is /var/www/html/.
      cd /var/www/html
      mkdir .well-known
      cd .well-known
      mkdir pki-validation
      cd pki-validation
    4. Use Cloud Assistant to upload the unique verification file fileauth.txt to the verification directory /var/www/html/.well-known/pki-validation/.
      For more information, see Upload files to ECS instances.
    5. Run the following command to verify whether the unique verification file is uploaded to the verification directory:
      ls

      If fileauth.txt is included in the command output, the unique verification file is uploaded to the verification directory.

  3. Click Verify.
    The CA attempts to access https://<yourdomain>.com/.well-known/pki-validation/fileauth.txt and http://<yourdomain>.com/.well-known/pki-validation/fileauth.txt in turn to verify whether the unique verification file is correctly configured. If the preceding URLs can be accessed, the verification is successful.
    Notice If the HTTPS service is enabled for your domain name, make sure that the preceding HTTPS URL is accessible and the certificate is trusted. Otherwise, we recommend that you temporarily disable the HTTPS service for the domain name to prevent the verification from being affected.
  4. After the verification succeeds, click Submit.
    If the verification fails, refresh the page and perform the verification again.
  5. Wait for the CA to review the certificate application.
    The CA issues the certificate to you only after the CA approves your certificate application. In the certificate list, you can view the progress of the certificate application that you submit or obtain the issued certificate.

    If your certificate application is rejected, you must troubleshoot the issue by following the instructions provided in the certificate list.

  6. After the certificate is issued, delete the unique verification file that you uploaded in Step 2.
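The file verification procedure above, as a script you can run on the NGINX host (an added example, not Alibaba Cloud's tooling): it stages fileauth.txt unchanged under .well-known/pki-validation/ with permissions the NGINX worker can read, then fetches the file over both schemes the CA tries and reports the HTTP status, so a 403 from a hidden-directory deny rule or a redirect to an untrusted HTTPS endpoint shows up before you click Verify. The docroot /var/www/html, the file name and the DOMAIN variable are assumptions you can override.

```shell
#!/bin/sh
# Stage the unique verification file for file verification and check that it
# is served the way the CA will request it. Added example, not Alibaba
# Cloud's tooling. Assumes NGINX on Linux with docroot /var/www/html (the
# default this page names) and a downloaded fileauth.txt in the current dir.

# Copy fileauth.txt unchanged into <docroot>/.well-known/pki-validation/ and
# make it world-readable so the NGINX worker (which is not root) can serve it.
install_validation_file() {
    docroot=$1; src=$2
    dest_dir="$docroot/.well-known/pki-validation"
    mkdir -p "$dest_dir" || return 1
    # cp, never an editor: the file must keep its exact bytes (see Notice).
    cp "$src" "$dest_dir/fileauth.txt" || return 1
    chmod 644 "$dest_dir/fileauth.txt" || return 1
    # Confirm the bytes on disk are identical to the downloaded file.
    cmp -s "$src" "$dest_dir/fileauth.txt"
}

# Fetch the file over one scheme and print the HTTP status code.
# On NGINX a 403 here usually means a `location ~ /\.` deny rule is blocking
# the hidden .well-known directory; a 301 to HTTPS means the HTTPS URL must
# serve the file with a trusted certificate, as the Notice in step 3 says.
validation_url_status() {
    scheme=$1; domain=$2
    curl -sS -o /dev/null -w '%{http_code}' \
        "$scheme://$domain/.well-known/pki-validation/fileauth.txt"
}

# The CA tries HTTPS and HTTP in turn; both should answer 200.
check_both_schemes() {
    domain=$1; ok=0
    for scheme in https http; do
        status=$(validation_url_status "$scheme" "$domain" 2>/dev/null)
        echo "$scheme: HTTP $status"
        [ "$status" = "200" ] || ok=1
    done
    return $ok
}

# Usage: DOMAIN=www.yourdomain.com sh stage_fileauth.sh [/path/to/fileauth.txt]
if [ -n "${DOMAIN:-}" ]; then
    install_validation_file "${DOCROOT:-/var/www/html}" "${1:-fileauth.txt}" \
        && check_both_schemes "$DOMAIN"
fi
```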

OV or EV certificates

After you submit a certificate application for an OV or EV certificate in the Certificate Management Service console, the CA sends an email to the address that you specify when you apply for the certificate within one business day. The actual time varies based on the location of the CA. No emails are sent on holidays. You must check your mailbox for the email sent by the CA in a timely manner. After you receive the email, you must complete domain name verification based on the steps in the email. If you encounter a problem during verification, you can reply to the email or submit a ticket for technical support.