Domain control validation for certificate requests - Edge Security Acceleration

Domain Control Validation (DCV) is the process by which a Certificate Authority (CA) verifies that you have control over a domain name before issuing a certificate for it. This topic guides you through the DCV for your Edge Security Acceleration (ESA) website's domain name.

Verification methods

By DNS: The CA provides a set of TXT DNS records. Add these records to the authoritative DNS for your domain name. The validation is successful when these TXT DNS records can be queried from the internet.
By HTTP: The CA provides a verification file and a URL. Place the file at the specified URL. The validation is successful when the verification file is accessible from the internet at the specified URL.

Notes

For websites that have switched their DNS resolution to ESA, DCV is automatically completed during the free certificate application process.
- For sites that use NS integration, ESA uses the DNS method for DCV. When you request a free certificate for the site, ESA automatically adds a TXT DNS record for the site to perform this validation.
- For sites connected via CNAME, ESA uses the HTTP method for DCV. When you apply for a free Let's Encrypt certificate for a site, the DCV HTTP request from the CA is handled directly by an ESA point of presence (POP). If you use a free DigiCert certificate, you must configure delegated DCV to ensure certificate issuance and renewal.
For sites that have not switched their DNS resolution to ESA, you must manually complete the DCV using the information that we provide or by using managed DCV when you request a free certificate. For more information, see Manual Domain Control Validation.
Note
The DCV information is valid for one hour. You must complete the configuration within this time limit.

Manual domain control validation

To ensure that only authorized entities can obtain SSL/TLS certificates for a domain name, you must complete the domain control validation. Follow the steps in the relevant section below.

DNS validation method

Note

If your domain name is not provided by Alibaba Cloud, perform steps 6 and 7 in the DNS management console of your domain name provider.

In the ESA console, choose Websites. In the Website column, click the target site.
In the navigation pane on the left, choose SSL/TLS > Edge Certificates.
On the Edge Certificates page, in the Certificate Management section, copy the generated TXT Record Name and TXT Record Content.
Note
If the free certificate you requested includes multiple domain names, the Certificate Validation Information section contains multiple entries. You must configure a record for each entry in your authoritative DNS.
Log on to the Alibaba Cloud DNS console.
In the navigation pane on the left, click Public Zone.
On the Public Zone page, find the second-level domain for your website, and click Settings.
On the Settings page, click Add Record. Set Record Type to TXT. For Hostname, enter the TXT Record Name. For the record value, enter the TXT Record Content. Click OK.

HTTP validation method

In the ESA console, choose Websites. In the Website column, click the target site.
In the navigation pane on the left, choose SSL/TLS > Edge Certificates.
On the Edge Certificates page, in the Certificate Management section, copy the generated HTTP URI and HTTP Content.
On a server that is accessible from the Internet, create a file at the location specified by the HTTP URI. The file must contain the HTTP Content that you copied in Step 3.
Run the curl -v <HTTP_verification_path> command. If the command returns 200 OK, the verification is successful.