All Products
Search

This Product

    Edge Security Acceleration:Delegated DCV

    Document Center

    Edge Security Acceleration:Delegated DCV

    Last Updated:Apr 15, 2025

    You can delegate DCV to Edge Security Acceleration (ESA) to obtain a certificate for a domain name whose authoritative DNS is not provided by ESA.

    What is DCV delegation?

    DCV is the process by which a certification authority (CA) requires an applicant to verify control over a domain before issuing a certificate for it.

    Configuring a CNAME record in your website's authoritative DNS allows ESA to verify domain control on your behalf. DCV delegation automates issuing and renewing free certificates.

    When to use it

    • For websites added by CNAME setup where domains without certificates are not resolved to ESA, ESA offers HTTP-based verification information when you apply for a certificate for a domain. This information is only valid for one hour.

      To prevent expiration, or if you prefer not to deploy HTTP verification files, we recommend configuring delegated DCV.

    • For websites added by NS setup that are not activated, ESA provides DNS record-based verification information when you apply for a certificate for a domain. This information is only valid for one hour.

      To prevent expiration, you can configure delegated DCV before applying for the certificate.

    Setup

    To set up delegated DCV, follow these steps:

    1. In the ESA console, choose Websites and click the website name you want to manage.

    2. In the left-side navigation pane, choose SSL/TLS > Edge Certificates.

    3. In the Delegated DCV section, copy the CNAME information.

      image

    4. Log on to the Alibaba Cloud DNS console.

    5. In the navigation pane on the left, click Authoritative DNS Resolution.

    6. On the Authoritative DNS Resolution page, find the second-level domain corresponding to the website you added above, and click DNS Settings.

      image

    7. On the DNS Settings page, click Add Record. Select CNAME for the Record Type, and fill in the Hostname and Record Value with the content copied in step 3. Click OK.

      image

      Important

      For websites added to ESA via CNAME setup, after completing certificate applications using delegated DCV, do not delete the DCV information from your DNS provider. Removing it may cause future certificate renewal failures.

    Verify the setup

    If your certificate includes multiple domain names, you must configure CNAME records for each domain separately. Use the following command to confirm whether the CNAME record configuration is effective.

    #Replace <hostname> with your domain name
dig _acme-challenge.<hostname> CNAME

    Expected results:

    QUESTION SECTION (the request part): _acme-challenge.a.example.com.

    ANSWER SECTION (the response part): a.example.com.******728815680.dcv.aliyun-esa.com.

    If the response part matches the record value you configured, this indicates that the configuration is effective.

    Note

    The configurations may take a few minutes to take effect. If they do not, please try again.

    image