Certificate Management Service:Verify the ownership of a domain name

Last Updated:Mar 18, 2024

Before a certificate authority (CA) issues a certificate for your website, you must verify that you own or can manage the domain name bound to the certificate. After you submit a certificate application, you can prove your ownership of the domain name bound to the certificate by using the Domain Name System (DNS), file, or email method. This topic describes the rules and process of domain name ownership verification.

Verification methods

Note

The following table describes the methods of domain name ownership verification for different types of certificates and how to complete verification by using each method.

Certificate type: Domain validated (DV) certificate

  Scenario: Alibaba Cloud DNS is activated for the Alibaba Cloud account of the certificate applicant

  Verification method: Automatic DNS verification. Alibaba Cloud automatically identifies the domain name that meets the conditions and adds a TXT record for the domain name in the Alibaba Cloud DNS console for domain name ownership verification. You only need to wait for the certificate to be issued. For more information, see Alibaba Cloud DNS is activated for the Alibaba Cloud account of the certificate applicant.

  Scenario: Alibaba Cloud DNS is not activated for the Alibaba Cloud account of the certificate applicant

  Verification methods:

    • Manual DNS verification: You must manually add a TXT record for your domain name in the system of your DNS service provider to complete verification. For more information, see Manual DNS verification.

    • File verification: You must manually download a dedicated verification file from the Certificate Management Service console and upload the file to the required verification directory of your web server. For more information, see File verification.

  Time required for certificate issuance: If the specified information is correct, the CA completes review and issuance within one to two business days.

Certificate type: Organization validated (OV) or extended validation (EV) certificate

  Scenario: All scenarios

  Verification method: Email verification. After you submit a certificate application for an OV or EV certificate, the CA staff calls the mobile phone number that you specify or sends a verification email to the email address that you specify in the certificate application within one business day. The time varies based on the location of the CA. Statutory holidays are excluded. We recommend that you follow the verification method described in the email and cooperate with the CA to complete the verification.

  Time required for certificate issuance: If the specified information is correct and you cooperate with the CA staff during the verification process, the CA completes review and issuance within three to seven business days.

Alibaba Cloud DNS is activated for the Alibaba Cloud account of the certificate applicant

If Alibaba Cloud DNS is activated for the Alibaba Cloud account of the certificate applicant and a DV certificate is applied for, Alibaba Cloud automatically identifies the domain name and selects the Automatic DNS Verification method. You cannot change the verification method. After you submit the certificate application, Alibaba Cloud automatically adds a TXT record for the domain name in the Alibaba Cloud DNS console for domain name ownership verification.

After the TXT record takes effect, the message "No DNS record is found." may still appear when you click Verify in the Certificate Management Service console. This is because latency exists when the Certificate Management Service console verifies the TXT record. The verification result displayed in the Certificate Management Service console is for reference only. The actual verification and issuance results provided by the CA shall prevail. In most cases, the CA completes review and issuance within one to two business days.

Important
  • If the DNS records of your domain name include a Certification Authority Authorization (CAA) record, check whether the CA specified in the CAA record matches the brand of your certificate. If not, you must delete the CAA record. Otherwise, the certificate is not issued.

  • Before a certificate is issued, do not delete the record that you add. Otherwise, the certificate fails to be issued.

Alibaba Cloud DNS is not activated for the Alibaba Cloud account of the certificate applicant

If Alibaba Cloud DNS is not activated for the Alibaba Cloud account of the certificate applicant and a DV certificate is applied for, Alibaba Cloud supports the following verification methods:

Manual DNS verification

If you want to perform manual DNS verification, make sure that the DV certificate is bound to a single domain name or a wildcard domain name and that you have permissions to modify the DNS records of the domain name, which requires administrative rights on the domain name. If you use this method, you must manually add a TXT record for the domain name in the system of your DNS service provider. Procedure:

  1. In the Verify Information step of the Apply for Certificate panel, obtain the verification information.


  2. Log on to the system of your DNS service provider and add a DNS record for your domain name.

    The following example demonstrates how to add a DNS record for a domain name in the Alibaba Cloud DNS console. If the domain name is registered with a third-party DNS service provider, go to the website of the DNS service provider and add a DNS record for the domain name.

    1. Log on to the Alibaba Cloud DNS console by using the Alibaba Cloud account of the domain name owner.

    2. On the Domain Name Resolution page, find the domain name that is bound to the certificate and click the domain name.

    3. On the DNS Settings page, click Add DNS Record.

    4. In the Add DNS Record panel, add the verification information that is obtained in Step 1 to the configuration items shown in the following figure. Then, click OK.

      The following left figure shows the Certificate Management Service console, and the following right figure shows the Alibaba Cloud DNS console.


      After you add the DNS record, you can view it in the record list.

      • The newly added DNS record immediately takes effect.

      • If you delete or modify the DNS record, the change takes effect only after the time-to-live (TTL) of the record cached by local DNS servers expires. In most cases, the default TTL is 10 minutes.

      • If you change your DNS servers, the change takes effect within 48 hours by default. For example, if you switch your DNS service to Alibaba Cloud DNS and configure DNS records there, the change takes effect after 48 hours.

      Important

      Before a certificate is issued, do not delete the record that you add. Otherwise, the certificate fails to be issued.

  3. After you add the DNS record, return to the Verify Information step in the Certificate Management Service console and click Verify.

    After the TXT record takes effect, the message "No DNS record is found." may still appear when you click Verify in the Certificate Management Service console. This is because latency exists when the Certificate Management Service console verifies the TXT record. The verification result displayed in the Certificate Management Service console is for reference only. The actual verification and issuance results provided by the CA shall prevail. In most cases, the CA completes review and issuance within one to two business days.

    Important

    If the DNS records include a CAA record, check whether the CA specified in the CAA record matches the brand of your certificate. If not, you must delete the CAA record. Otherwise, the certificate is not issued. For more information about domain name ownership verification, see FAQ about domain name ownership verification.
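The two CAA notes above ask you to check that the CA named in your CAA record matches the certificate brand. The following added example (not part of the original page or of Alibaba Cloud's tooling) implements the matching rules from RFC 8659 that a CA applies: the record set is looked up by climbing from the name toward the root, issuewild overrides issue for wildcard names, and an empty issuer domain (";") forbids all issuance. The zone data and CA identifiers are constructed placeholders; in practice the record set comes from a CAA query for your domain.

```python
"""Decide whether a name's CAA records permit a given CA to issue (added example)."""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as published in DNS

# Constructed zone data standing in for a real lookup ('dig CAA <name>').
# The CA identifiers are placeholders, not a mapping of certificate brands.
ZONE_CAA: Dict[str, List[CaaRecord]] = {
    "aliyundoc.com.": [(0, "issue", "ca-a.example"), (0, "issuewild", ";")],
    "nocaa.example.": [(0, "iodef", "mailto:security@nocaa.example")],
}

def relevant_caa(name: str, zone: Dict[str, List[CaaRecord]] = ZONE_CAA) -> Optional[List[CaaRecord]]:
    """RFC 8659 lookup: drop a leading '*' label, then climb toward the root."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset is not None:
            return rrset  # the first CAA set found governs all names below it
    return None

def caa_permits(name: str, ca_domain: str, zone: Dict[str, List[CaaRecord]] = ZONE_CAA) -> bool:
    """True when the CA identified by ca_domain may issue for name (wildcard-aware)."""
    rrset = relevant_caa(name, zone)
    if rrset is None:
        return True  # no CAA anywhere in the chain: issuance is unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False  # critical flag on a tag this checker does not understand
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard names
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # only iodef or other non-issuance tags: no restriction
    # value is "<ca-domain>[; parameters]"; an empty domain (";") forbids everyone
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```

A result of False for your brand's CAA identifier is exactly the situation the note describes, where issuance would be refused until the record is changed.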

File verification

If you want to perform file verification, make sure that the DV certificate is bound to a single domain name, such as aliyundoc.com. After you submit a certificate application, you must manually download a dedicated verification file and upload the file to the verification directory .well-known/pki-validation/ of your web server. The CA attempts to access the HTTPS URL and HTTP URL of the verification file over ports 443 and 80 in sequence. If a URL can be accessed, the verification is successful. Then, the CA issues the certificate.

Important
  • A CA can initiate verification requests only over ports 80 and 443. Make sure that ports 80 and 443 are enabled on your web server.

  • If the HTTPS service is enabled on your web server, make sure that the HTTPS Address of your verification file can be accessed and that the certificate currently served is trusted. If it cannot, we recommend that you temporarily disable the HTTPS service on the web server so that the verification is not affected. If no HTTPS service is configured on your web server, make sure that the HTTP Address of your verification file can be accessed.

  • Make sure that no 301 redirect or 302 redirect is enabled for the HTTPS Address or HTTP Address of your verification file. If a redirect is enabled, you must cancel the related settings to disable the redirect. You can run the wget -S <URL> command to view the response headers and check whether a redirect is enabled for the URL.

  • If you apply for a certificate from a brand other than a Chinese brand, such as DigiCert or GlobalSign, make sure that your DNS server can be accessed from outside the Chinese mainland. We recommend that you temporarily add the IP address of the CA to the whitelist of your DNS server so that the CA can access your DNS server and complete domain name ownership verification. For more information about how to obtain the IP address of a CA, contact your account manager.

  • If your domain name is a first-level domain name such as aliyundoc.com, make sure that the URL of the verification file for the second-level domain name that starts with www. can also be accessed. For example, if your first-level domain name is aliyundoc.com, make sure that both http://aliyundoc.com/.well-known/pki-validation/fileauth.txt and http://www.aliyundoc.com/.well-known/pki-validation/fileauth.txt can be accessed. Otherwise, the domain name ownership verification fails.

  • If your domain name is a second-level domain name that starts with www., such as www.example.com, make sure that its first-level domain name can be accessed. For example, if your second-level domain name is www.example.com, make sure that both http://www.example.com/.well-known/pki-validation/fileauth.txt and http://example.com/.well-known/pki-validation/fileauth.txt can be accessed. Otherwise, the domain name ownership verification fails.

Procedure:

  1. In the Download Verification File step, click verification file to download a verification file package to your computer and decompress the package.


    A ZIP package is downloaded. After the package is decompressed, you can obtain the verification file fileauth.txt. The file is valid only for three calendar days after it is downloaded. If you do not complete domain name ownership verification within the validity period, you must download the verification file again.

    Important

    After you obtain the verification file, do not perform operations on the file. For example, do not open, edit, or rename the file.

  2. Configure settings for file verification on your web server. In this example, an Elastic Compute Service (ECS) Linux instance on which NGINX is installed is used.

    Note

    We recommend that you seek help from the server administrator.

    1. Connect to the ECS instance. For more information, see Connect to an ECS instance.

    2. Run the following commands in sequence to create a verification directory named .well-known/pki-validation/ in the web root directory of the ECS instance. The default web root directory for NGINX is /var/www/html/.

      cd /var/www/html
      mkdir -p .well-known/pki-validation
    3. Upload the verification file fileauth.txt to the verification directory /var/www/html/.well-known/pki-validation/.

      You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, or WinSCP. For more information about how to upload a file to an ECS instance, see Use mstsc.exe to upload a file to a Windows instance or Upload a file to a Linux instance.

      Important

      We recommend that you do not delete the verification file until the certificate is issued. If you delete the verification file before the certificate is issued, the certificate fails to be issued.

  3. After you upload the verification file fileauth.txt, return to the Apply for Certificate panel in the Certificate Management Service console. Then, check whether the HTTPS Address and HTTP Address can be accessed.

    In the Certificate Management Service console, latency exists in file verification. If the message "No file found." appears after you click Verify, you need to wait. If the verification is not complete after one business day, check whether the verification file that you uploaded is valid. The verification result displayed in the Certificate Management Service console is for reference only. The actual verification and issuance results provided by the CA shall prevail. In most cases, the CA completes review and issuance within one to two business days.
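Step 3 asks you to confirm that the HTTPS Address and HTTP Address can be accessed before the CA tries them. The following added example (not part of the original page or of the Alibaba Cloud console) applies the rules from the Important notes in this section: it builds the fileauth.txt URLs for both the first-level and the www. form of the name, fetches each over HTTPS and then HTTP without following redirects, and reports a 301 or 302 as a failure. The fetch function is injectable so the logic can be exercised without a live server; the example domain names are the page's own.

```python
"""Pre-check the URLs a CA fetches during file verification (added example)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

PATH = "/.well-known/pki-validation/fileauth.txt"

def candidate_urls(domain: str) -> List[str]:
    """Apex and www. forms of the name, each over HTTPS (443) then HTTP (80)."""
    apex = domain[4:] if domain.startswith("www.") else domain
    return [f"{scheme}://{name}{PATH}"
            for name in (apex, "www." + apex) for scheme in ("https", "http")]

def fetch_status(url: str) -> int:
    """HTTP status of url without following redirects; 0 when unreachable."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 301/302 as an HTTPError instead of following
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except OSError:  # DNS failure, refused connection, TLS error, timeout
        return 0

def precheck(domain: str, fetch: Callable[[str], int] = fetch_status) -> Dict[str, str]:
    """Classify each candidate URL as ok, redirect, unreachable or http <code>."""
    verdicts: Dict[str, str] = {}
    for url in candidate_urls(domain):
        code = fetch(url)
        if code == 200:
            verdicts[url] = "ok"
        elif code in (301, 302):
            verdicts[url] = "redirect"  # must be removed before the CA checks
        elif code == 0:
            verdicts[url] = "unreachable"
        else:
            verdicts[url] = f"http {code}"
    return verdicts

def name_is_ready(domain: str, fetch: Callable[[str], int] = fetch_status) -> bool:
    """Both name forms must answer 200 on at least one scheme and never redirect."""
    verdicts = precheck(domain, fetch)
    apex = domain[4:] if domain.startswith("www.") else domain
    for name in (apex, "www." + apex):
        own = [v for u, v in verdicts.items() if u.split("/")[2] == name]
        if "redirect" in own or "ok" not in own:
            return False
    return True
```

Run precheck() against your own domain from a host outside your network to see each URL's verdict; an "unreachable" HTTPS entry alongside an "ok" HTTP entry is the expected picture for a server without an HTTPS service.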

FAQ