The “unique value” in domain validation is a randomly generated string of characters used to prove domain ownership. It’s typically placed in a specific file on your web server or in a DNS record. Certificate Authorities (CAs) check for this value to confirm you control the domain before issuing an SSL/TLS certificate.
What is Domain Validation (DV)?
Domain Validation is the most basic level of validation for SSL/TLS certificates. It verifies that the person requesting the certificate has control over the domain in question. This process is automated and typically faster and less expensive than other validation types.
The Role of the Unique Value
The unique value serves as a temporary, one-time proof of domain control. Here’s how it works:
- When you request a DV certificate, the CA generates a random, unique value.
- You’re instructed to place this value in a specific location associated with your domain.
- The CA checks for the presence of this value to confirm your control over the domain.
- Once verified, the CA issues your SSL/TLS certificate.
Common Methods for Using the Unique Value
There are several ways to use the unique value for domain validation:
- HTTP File Upload: Place a file containing the unique value on your web server.
- DNS TXT Record: Add the unique value as a TXT record in your domain’s DNS settings.
- Email Verification: Receive an email with the unique value at a standard administrative address for your domain.
Let’s explore each method in more detail:
1. HTTP File Upload
This method involves creating a file with a specific name containing the unique value and uploading it to a predetermined location on your web server.
Steps:
- Receive the unique value and filename from the CA.
- Create a file with the given name (e.g., “example.txt”).
- Place the unique value in this file.
- Upload the file to the specified directory (usually “/.well-known/pki-validation/”).
- The CA will attempt to access this file to verify domain control.
Example:
File: /.well-known/pki-validation/example.txt
Content: f3k9d8s7h2l1m4n6p0q5r
For more info on this method see HTTP/HTTPS file lookup.
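A pre-flight check for the HTTP file lookup steps above, added here as an example (not SSL.com’s own tooling): it fetches the validation file the same way the CA will and confirms the content is exactly the unique value, which is the “Double-Check” step before you trigger the CA’s lookup. The small local web server at the bottom is a constructed stand-in so the check can be run offline; against a real site you would pass the site’s base URL instead.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALIDATION_DIR = "/.well-known/pki-validation/"

def check_http_validation_file(base_url, filename, unique_value, timeout=10):
    """Fetch the validation file the way the CA will and confirm it carries
    exactly the unique value. Returns (ok, reason)."""
    url = base_url.rstrip("/") + VALIDATION_DIR + filename
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", errors="replace")
    except Exception as exc:  # 404, timeout, DNS failure, firewall block
        return False, f"could not fetch {url}: {exc}"
    # A trailing newline left by the editor is tolerated; a wrong, truncated
    # or extra token is not, since the CA compares the value itself.
    if body.strip() != unique_value:
        return False, "file is reachable but its content is not the unique value"
    return True, f"{url} serves the unique value"

# Constructed stand-in for your web server so the check can run offline;
# it only serves the paths handed to serve_validation_files().
class _PkiValidationHandler(BaseHTTPRequestHandler):
    files = {}  # request path -> bytes, set by serve_validation_files()

    def do_GET(self):
        data = self.files.get(self.path)
        self.send_response(200 if data is not None else 404)
        self.end_headers()
        if data is not None:
            self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass

def serve_validation_files(files):
    """Start a throwaway local HTTP server exposing `files`; returns its base URL."""
    _PkiValidationHandler.files = dict(files)
    srv = HTTPServer(("127.0.0.1", 0), _PkiValidationHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

if __name__ == "__main__":
    token = "f3k9d8s7h2l1m4n6p0q5r"  # the sample unique value from this page
    base = serve_validation_files({VALIDATION_DIR + "example.txt": (token + "\n").encode()})
    print(check_http_validation_file(base, "example.txt", token))
```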
2. DNS TXT Record
This method requires adding a TXT record to your domain’s DNS settings.
Steps:
- Receive the unique value from the CA.
- Access your domain’s DNS settings.
- Add a new TXT record with the unique value.
- Wait for DNS propagation (can take up to 48 hours).
- The CA will query your DNS to verify the presence of the unique value.
Example:
Type: TXT
Host: _acme-challenge
Value: f3k9d8s7h2l1m4n6p0q5r
For more info on this method see DNS CNAME lookup.
3. Email Verification
This method involves receiving an email containing the unique value at a standard administrative email address for your domain.
Steps:
- The CA sends an email to a standard administrative address at your domain, such as admin@, administrator@, hostmaster@, postmaster@, or webmaster@.
- You receive the email containing the unique value and verification link.
- Click the link or enter the unique value on the CA’s verification page.
Example Email:
From: noreply@certificateauthority.com
To: admin@yourdomain.com
Subject: Domain Validation for SSL/TLS Certificate

Please verify your domain ownership by clicking the link below or entering the following unique value on our verification page:

Unique Value: f3k9d8s7h2l1m4n6p0q5r
Verification Link: https://ca.com/verify?token=abc123
For more info on this method see Email Challenge Response.
What is the “unique value” used for?
The “unique value” (or “unique token”) referred to in SSL.com’s domain validation (DV) documentation is used for compliance with Section 3.2.2.4 (Validation of Domain Authorization or Control) of the CA/Browser Forum’s Baseline Requirements. These requirements stipulate that a “Request Token or Random Value” appear in a file stored in a particular directory of the website that is to be protected by an SSL/TLS certificate (normally /.well-known/pki-validation/), or as part of a DNS record for the domain name to be validated, serving to ensure the uniqueness of the request.
When performing domain validation in SSL.com’s online portal, a random value will be made available to the user for this purpose, along with a pre-formatted text file and DNS record for use with the HTTP/HTTPS file lookup and DNS CNAME lookup methods. Please refer to SSL.com’s DV requirements documentation for full details of the available DV methods.
If you are using SSL.com’s SWS API to perform domain validation, you may specify a unique value via the optional unique_value parameter in your request. If you do not supply the unique value via the API, a random value will be automatically generated for you. For complete information, please refer to our API documentation.
Do I need to use a new unique value when I reprocess a certificate or order a certificate for a prevalidated domain name?
The unique value is required at the time that domain control is validated. Therefore, if you add a new domain name when reprocessing a multi-domain certificate and wish to use the DNS CNAME lookup or HTTP/HTTPS file lookup validation method, you will need to create a new CNAME or validation file, with a new unique value.
If you have prevalidated a domain name via the CNAME or File Lookup methods, a new DNS record or file with a new unique value is not required when ordering a certificate for it.
Why is the Unique Value Important?
The unique value plays a critical role in the security of the SSL/TLS ecosystem:
- Proof of Control: It demonstrates that you have current access to and control over the domain.
- Prevents Unauthorized Issuance: It stops malicious actors from obtaining certificates for domains they don’t own.
- Automation: It allows for quick, automated validation without manual intervention.
- Standardization: It provides a consistent method for CAs to verify domain control across different platforms and technologies.
Best Practices for Handling the Unique Value
To ensure a smooth validation process:
- Act Quickly: Use the unique value promptly, as it may expire after a certain period.
- Double-Check: Verify that you have placed the value correctly before initiating the CA’s check.
- Temporary Use: Remove the unique value after successful validation to maintain clean DNS records or web directories.
- Secure Access: Ensure only authorized personnel can modify DNS records or upload files to your web server.
Troubleshooting Common Issues
If you encounter problems during domain validation:
- File Not Found: Ensure the file is in the correct location and accessible via HTTP/HTTPS.
- DNS Propagation: Allow sufficient time for DNS changes to propagate globally.
- Email Issues: Check spam folders and ensure your email system accepts messages from the CA.
- Firewall Blocks: Verify that your firewall isn’t blocking the CA’s validation attempts.
Conclusion
Understanding the unique value used in domain validation is crucial for anyone managing SSL/TLS certificates. By following the methods outlined in this article, you can easily prove your domain ownership and secure your website with HTTPS. Remember, the specific steps may vary slightly between Certificate Authorities, so always follow the instructions provided carefully.
For more information on SSL/TLS certificates and web security, visit SSL.com’s resource center or contact our support team for personalized assistance.