About The Validation Procedure

The validation procedure is a fundamental requirement for all SSL Certificates issued by publicly trusted Certificate Authorities (CAs). Before any SSL Certificate can be issued, the Certificate Authority (CA) must verify that the applicant has legitimate control over the domain.

In some cases, the Certificate Authority (CA) must also verify that the organization behind the request is a verified legal entity. This process protects the integrity of the internet by preventing unauthorized parties from obtaining SSL Certificates for domains they do not own.

Trustico® offers three types of SSL Certificates, each with a different level of validation : Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV). The type of SSL Certificate you purchase determines the validation process that must be completed before issuance.

Domain Validation (DV) SSL Certificates require only proof of domain control. Organization Validation (OV) and Extended Validation (EV) SSL Certificates require additional business verification steps.

Select the validation type that applies to your SSL Certificate order to read the specific requirements and methods available for that level. The following sections provide a complete overview of how each validation type works.

DV Validation OV Validation EV Validation

Each validation type has its own requirements, supported methods, and typical processing times. The remainder of this page covers Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) in turn.

Domain Validation (DV) Requirements

Domain Validation (DV) SSL Certificates are authenticated by verifying that the applicant has control over the domain for which the SSL Certificate is being requested. This process is known as Domain Control Validation (DCV) and is an automated procedure that can typically be completed within minutes.

Domain Validation (DV) SSL Certificates do not require any business verification, telephone calls, or documentation.

Trustico® supports four Domain Control Validation (DCV) methods for Domain Validation (DV) SSL Certificates :

Approver E-Mail, Domain Name System (DNS) CNAME record, Domain Name System (DNS) TXT record, and Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) file based verification.

Once you complete one of the validation methods, your SSL Certificate is issued automatically by the Certificate Authority (CA).

Approver E-Mail Verification Method

E-Mail verification is the most widely used Domain Control Validation (DCV) method. When you order a Domain Validation (DV) SSL Certificate, an approver e-mail address is chosen during the ordering process. The Certificate Authority (CA) sends an Approver E-Mail to the designated address containing a confirmation link and a verification code.

The following pre-approved e-mail addresses can be used for Domain Control Validation (DCV) :

admin@example.com, administrator@example.com, hostmaster@example.com, webmaster@example.com, and postmaster@example.com.

These addresses are defined by the Certificate Authority / Browser Forum (CA/Browser Forum) as acceptable for Domain Control Validation (DCV) purposes.

Important : Applicants must choose one of the five pre-approved e-mail addresses listed above to prove that they administer the domain name for which the SSL Certificate is being ordered. E-Mail addresses at other domains or personal e-mail addresses cannot be used for Domain Control Validation (DCV).

The recipient must follow the instructions in the e-mail, typically by clicking the confirmation link and entering the verification code provided. Since Domain Validation (DV) does not require extensive documentation or manual review, the process can often be completed within minutes of receiving the Approver E-Mail.

If none of the standard pre-approved e-mail addresses are available for your domain, you may be able to configure a _validation-contactemail Domain Name System (DNS) TXT record for your domain.

This record allows the Certificate Authority (CA) to send the validation e-mail to an alternative address that you specify within your Domain Name System (DNS) settings.

Note : WHOIS-based e-mail validation was deprecated in two phases during 2025 in accordance with Ballot SC-80v3.

On January 15, 2025, Certificate Authorities (CAs) stopped relying on domain contact information obtained using Hypertext Transfer Protocol Secure (HTTPS) web-based WHOIS lookups.

By July 15, 2025, Certificate Authorities (CAs) stopped relying on WHOIS-based domain validations entirely, including those obtained using the WHOIS protocol, querying the Internet Assigned Numbers Authority (IANA) WHOIS server, and following referrals to the relevant WHOIS server. Only the five pre-approved e-mail addresses or a contact listed in the _validation-contactemail Domain Name System (DNS) record for the domain are now accepted for e-mail based Domain Control Validation (DCV).

Domain Name System (DNS) CNAME Record Verification Method

Domain Name System (DNS) CNAME record verification is an alternative Domain Control Validation (DCV) method that does not require access to any of the pre-approved e-mail addresses.

This method requires you to create a specific CNAME record in your domain's Domain Name System (DNS) settings, which proves your control over the domain and allows the SSL Certificate issuance process to proceed.

The CNAME record is constructed using cryptographic hashes derived from the Certificate Signing Request (CSR) associated with your SSL Certificate order. An MD5 hash and a SHA-256 hash are generated from the DER-encoded Certificate Signing Request (CSR).

The host portion of the CNAME record is an underscore followed by the MD5 hash at your domain. The target is the SHA-256 hash split into two 32-character labels followed by sectigo.com as the canonical name. A unique value may also be included in the record for one-time use verification.

After placing your SSL Certificate order, you can switch to CNAME validation by logging into the Trustico® tracking system and changing the validation preference from Approver E-Mail to CNAME within your order details. Trustico® will provide the exact CNAME record values that need to be added to your Domain Name System (DNS) configuration.

Tracking & Management

The tracking system is where you change your validation method, check your order status, and retrieve the exact CNAME record values needed for your Domain Name System (DNS) configuration. Your Certificate Authority (CA) Reference number is required to log in.

Domain Name System (DNS) TXT Record Verification Method

Domain Name System (DNS) TXT record verification is another Domain Name System (DNS) based Domain Control Validation (DCV) method supported by the Certificate Authority (CA).

With this approach, a unique random value token is provided at the time of your SSL Certificate order. You must then create a Domain Name System (DNS) TXT record with the host set to _pki-validation at your domain and the TXT value set to the random token provided.

The token provided for Domain Name System (DNS) TXT validation is valid for 30 days from the date of issuance and may only be used once per SSL Certificate order.

If the token expires before the record is verified by the Certificate Authority (CA), a new token will need to be generated by resubmitting the validation request through the Trustico® tracking system.

Important : Each Domain Name System (DNS) TXT validation token is unique to a specific SSL Certificate order. Reusing a token from a previous order will not work. Always use the exact token value provided for your current order through the Trustico® tracking system.

Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) File Based Verification Method

File based verification requires the domain owner to upload a specific verification file to a designated directory on the web server. The Certificate Authority (CA) will then check for the presence of this file at a known location to confirm domain ownership. This method is commonly used by web administrators who have direct access to their website's file system.

To complete file based validation, you will need to create a text file named using the MD5 hash value derived from your Certificate Signing Request (CSR).

The contents of this file must include the SHA-256 hash of your Certificate Signing Request (CSR) on the first line, the text "sectigo.com" on the second line, and optionally a unique value on the third line.

The file must be placed at the following path on your web server : http://example.com/.well-known/pki-validation/ or the Hypertext Transfer Protocol Secure (HTTPS) equivalent at https://example.com/.well-known/pki-validation/ using port 80 or port 443 respectively.

The verification file must be plain ASCII text without a Byte Order Mark (BOM). Both CRLF and LF line endings are acceptable.

The web server must be publicly accessible on port 80 for Hypertext Transfer Protocol (HTTP) or port 443 for Hypertext Transfer Protocol Secure (HTTPS) at the time the Certificate Authority (CA) performs the validation check.

Warning : File based validation cannot be used for Wildcard SSL Certificates. If you are ordering a Wildcard SSL Certificate, you must use either Approver E-Mail or a Domain Name System (DNS) based validation method instead.
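
The CNAME record and the verification file described above are both derived from the same two hashes of the DER-encoded Certificate Signing Request (CSR). The following is an added example, not code from Trustico® or the Certificate Authority (CA), that derives both and checks a file body against the ASCII, Byte Order Mark (BOM) and line ending rules. The function names, the sample bytes, the lowercase hex and the .txt file suffix are assumptions; always use the exact values shown in the tracking system.

```python
import base64
import hashlib
import re

FILE_SUFFIX = ".txt"  # assumption: the page only says "a text file named using the MD5 hash"

# Constructed sample input: arbitrary bytes in PEM armour so the example runs offline.
# It is not a parseable CSR; the hashes depend only on the decoded DER bytes.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE REQUEST-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes that the hashes are taken over."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def dcv_values(der: bytes, domain: str, unique: str = "") -> dict:
    """Build the CNAME record and the verification file described on this page."""
    if unique and not re.fullmatch(r"[A-Za-z0-9]{1,20}", unique):
        raise ValueError("unique value must be 1-20 alphanumeric characters")
    md5 = hashlib.md5(der, usedforsecurity=False).hexdigest()
    sha = hashlib.sha256(der).hexdigest()
    lines = [sha, "sectigo.com"] + ([unique] if unique else [])
    return {
        # Host: underscore + MD5 at the domain. Target: SHA-256 as two 32-char labels.
        # The page does not say where a unique value goes in the CNAME, so it is omitted.
        "cname_host": f"_{md5}.{domain}",
        "cname_target": f"{sha[:32]}.{sha[32:]}.sectigo.com",
        "file_url": f"http://{domain}/.well-known/pki-validation/{md5}{FILE_SUFFIX}",
        "file_body": ("\n".join(lines) + "\n").encode("ascii"),
    }


def check_file(body: bytes, der: bytes, unique: str = "") -> list:
    """Return the problems found in a verification file body; an empty list means it passes."""
    problems = []
    if body.startswith(b"\xef\xbb\xbf"):
        problems.append("starts with a UTF-8 byte order mark")
        body = body[3:]
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["contains non-ASCII bytes"]
    # CRLF and LF line endings are both acceptable.
    lines = text.replace("\r\n", "\n").rstrip("\n").split("\n")
    expected = [hashlib.sha256(der).hexdigest(), "sectigo.com"] + ([unique] if unique else [])
    found = [lines[0].lower()] + lines[1:]
    if found != expected:
        problems.append(f"expected {len(expected)} line(s) {expected}, found {lines}")
    return problems


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    values = dcv_values(der, "example.com")
    print(values["cname_host"], "CNAME", values["cname_target"])
    print(values["file_url"])
    print(check_file(values["file_body"], der))
```

Running check_file against the bytes your web server actually returns catches the BOM that some editors add when saving the file.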

Request Tokens and Uniqueness Requirements

Every Domain Control Validation (DCV) request uses a request token to verify domain ownership. This request token is composed of the SHA-256 hash derived from the DER-encoded Certificate Signing Request (CSR), the string "sectigo.com" as an identifier, and optionally a unique value of up to 20 alphanumeric characters.

Request tokens must be unique for each SSL Certificate order. If you reuse a Certificate Signing Request (CSR) from a previous order, the validation may fail unless a unique value or distinguishing attribute is included in the new request.

Trustico® recommends generating a fresh Certificate Signing Request (CSR) for each new SSL Certificate order to avoid potential issues with token uniqueness.

Organization Validation (OV) Requirements

Organization Validation (OV) SSL Certificates provide a higher level of trust than Domain Validation (DV) by requiring strict authentication of the organization behind the domain. In addition to completing Domain Control Validation (DCV) using one of the methods described above, the Certificate Authority (CA) must also verify that the organization is a legitimate legal entity.

During the ordering process you must ensure the organization name you specify is an active entity and can be confirmed by the government authority responsible for registering entities within the specific jurisdiction. An exact match between the organization name specified during the order process and the name recorded with the relevant government authority is required.

Organization Validation (OV) SSL Certificates require manual verification by the Certificate Authority (CA), including verification of business registration documents and a telephone call to confirm the order. The validation process typically takes several business days depending on the availability of the required documentation and the responsiveness of the administrative contact.

Discover the full requirements for Organization Validation (OV) SSL Certificates and the detailed step-by-step validation guide using the links below.

OV Information OV Detailed Validation Guide

The detailed Organization Validation (OV) guide explains exactly what documentation is required and how to prepare for the verification telephone call. Completing this preparation in advance significantly reduces the time between placing your order and the SSL Certificate being issued.

Extended Validation (EV) Requirements

Extended Validation (EV) SSL Certificates achieve the highest level of consumer trust through the strictest authentication standards of any SSL Certificate. The Extended Validation (EV) verification guidelines require the Certificate Authority (CA) to obtain and verify multiple pieces of identifying information about the organization, including its legal, physical, and operational existence.

An Extended Validation (EV) SSL Certificate offers more than just encryption. It enables the organization behind the website to present a validated identity to website visitors, demonstrating that the entity has been thoroughly verified by the Certificate Authority (CA). This level of verification provides the strongest assurance that the website is operated by a legitimate organization.

The use of an Extended Validation (EV) SSL Certificate prevents fraudulent activity because the Certificate Authority (CA) will only issue an Extended Validation (EV) SSL Certificate to a legitimate entity after thorough verification of legal standing, physical address, and operational status.

To ensure your SSL Certificate request is processed quickly, you will be required to provide authentication documents promptly when requested.

Extended Validation (EV) requirements are the most thorough of any SSL Certificate type and demand careful preparation. The information page and the detailed validation guide below cover everything needed to complete the process successfully.

EV Information EV Detailed Validation Guide

The detailed Extended Validation (EV) guide walks through each verification step in order. Preparing the required legal, physical, and operational documentation before placing your order is the single biggest factor in how quickly Extended Validation (EV) SSL Certificates can be issued.

Manual Verification for Organization Validation (OV) and Extended Validation (EV)

Organization Validation (OV) and Extended Validation (EV) SSL Certificates require manual verification by the Certificate Authority (CA). When an SSL Certificate product requires manual verification, certain requirements must be met and will be stated within the product information pages on the Trustico® website.

Sample documents that may be required to support the SSL Certificate application include Articles of Incorporation, Fictitious Name or Doing Business As documents, Business Licensing, and other official documentation proving the organization's legal existence. The administrative contact of the order will be contacted for further information if documentation is required.

A verification telephone call with the administrative contact will usually be required before issuance. The telephone number must be publicly listed in an approved telephone directory or verifiable through a third-party source such as Dun and Bradstreet.

Tip : It is recommended that the organization be listed at Dun and Bradstreet, as it is one of the world's leading sources of commercial information and insight on businesses. Certificate Authorities (CAs) rely on Dun and Bradstreet to verify organization details during the Organization Validation (OV) and Extended Validation (EV) process.

The detailed validation guides for Organization Validation (OV) and Extended Validation (EV) cover the full document checklist, telephone verification process, and how to handle situations where additional documents may be requested. The guides are the authoritative reference for what is required at each stage.

OV Detailed Validation Guide EV Detailed Validation Guide

Following the detailed validation guides closely is the most effective way to avoid delays. Most issuance delays for Organization Validation (OV) and Extended Validation (EV) SSL Certificates trace back to incomplete or mismatched documentation, both of which the guides help you address upfront.

Validation for Multi-Domain and Wildcard SSL Certificates

All SSL Certificate types, including Single Domain SSL Certificates, Wildcard SSL Certificates, and Multi-Domain SSL Certificates or Unified Communications Certificates (UCC), require Domain Control Validation (DCV).

For Multi-Domain SSL Certificates, each Fully Qualified Domain Name (FQDN) included on the SSL Certificate must be validated individually. Different Domain Control Validation (DCV) methods can be used for different domains within the same Multi-Domain SSL Certificate order.

Important : Each Fully Qualified Domain Name (FQDN) included on an SSL Certificate must be validated individually. The Certificate Authority (CA) no longer considers proof of control of www.example.com as also proving control of example.com, or the reverse.

For Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) file based validation specifically, when your SSL Certificate covers both the root domain and the www subdomain, the verification file must be reachable at both example.com/.well-known/pki-validation/ and www.example.com/.well-known/pki-validation/.

If the file is only reachable at the root, the www subdomain will be silently excluded from the SSL Certificate at issuance and reissue.

For approver e-mail and Domain Name System (DNS) based methods, validation of the root domain is sufficient to include the www subdomain on the SSL Certificate.

For Wildcard SSL Certificates, file based validation is not available. Wildcard SSL Certificate orders must use either Approver E-Mail or a Domain Name System (DNS) based validation method.

The Trustico® tracking system provides detailed status information for each domain on a Multi-Domain SSL Certificate, allowing you to monitor which domains have been validated and which still require action.
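
The per-name rules in this section can be checked before an order is submitted. The following is an added example, not code from Trustico® or the Certificate Authority (CA), that turns a list of names and chosen methods into the records or URLs that must exist, rejects file based validation for wildcard names, and lists the names that would be dropped when a verification directory is not reachable. The function names, the sample order, the _<MD5> placeholder, and the use of the base name for wildcard and e-mail validation are assumptions.

```python
DNS_OR_EMAIL = {"email", "cname", "txt"}
APPROVER_LOCAL_PARTS = ("admin", "administrator", "hostmaster", "webmaster", "postmaster")

# Constructed sample order: FQDN -> chosen Domain Control Validation (DCV) method.
SAMPLE_ORDER = {
    "example.com": "file",
    "www.example.com": "file",
    "shop.example.net": "cname",
    "www.shop.example.net": "file",
    "*.example.org": "file",
    "mail.example.org": "email",
}


def plan_dcv(names: dict) -> tuple:
    """Map each FQDN to the action it needs.

    Returns (actions, errors). Each action is (fqdn, kind, detail) and each
    error is (fqdn, reason).
    """
    actions, errors = [], []
    for fqdn, method in names.items():
        wildcard = fqdn.startswith("*.")
        base = fqdn[2:] if wildcard else fqdn  # assumption: wildcard DCV uses the base name
        root = fqdn[4:] if fqdn.startswith("www.") else None
        if method not in DNS_OR_EMAIL | {"file"}:
            errors.append((fqdn, f"unknown method {method!r}"))
        elif wildcard and method == "file":
            errors.append((fqdn, "file based validation is not available for wildcard names"))
        elif root and names.get(root) in DNS_OR_EMAIL:
            # E-mail or DNS validation of the root is sufficient to include www.
            actions.append((fqdn, "covered", root))
        elif method == "file":
            # Root and www each need the file reachable under their own host name.
            actions.append((fqdn, "file", f"http://{fqdn}/.well-known/pki-validation/"))
        elif method == "cname":
            actions.append((fqdn, "cname", f"_<MD5>.{base}"))
        elif method == "txt":
            actions.append((fqdn, "txt", f"_pki-validation.{base}"))
        else:
            addresses = ", ".join(f"{part}@{base}" for part in APPROVER_LOCAL_PARTS)
            actions.append((fqdn, "email", addresses))
    return actions, errors


def names_at_risk(actions: list, reachable_dirs: set) -> list:
    """FQDNs on file based validation whose directory URL was not confirmed reachable.

    reachable_dirs is the set of URLs you have verified out of band (for example
    with a browser or curl); these are the names that would be silently excluded.
    """
    return [fqdn for fqdn, kind, detail in actions if kind == "file" and detail not in reachable_dirs]


if __name__ == "__main__":
    actions, errors = plan_dcv(SAMPLE_ORDER)
    for row in actions:
        print("ACTION", row)
    for row in errors:
        print("ERROR ", row)
    print("AT RISK", names_at_risk(actions, {"http://example.com/.well-known/pki-validation/"}))
```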

Order Queuing and Fraud Prevention

In the event an authentication procedure fails, or the system suspects possible fraudulent activity, the SSL Certificate order may be queued for manual review. Occasionally, orders are also randomly queued for manual review as part of the Certificate Authority's quality assurance procedures.

Authentication engines are programmed to automatically flag certain orders for a quality review before issuance. The system evaluates specific information within new and reissue orders, and orders from certain countries or containing certain keywords may be flagged for additional scrutiny.

This process helps to protect both the applicant and the wider internet community from fraudulent SSL Certificate issuance.

Best Practices for the Validation Process

Following best practices during the validation process helps to ensure a smooth and timely SSL Certificate issuance.

Generating a unique Certificate Signing Request (CSR) for each SSL Certificate order prevents token reuse issues and ensures that Domain Control Validation (DCV) proceeds without complications.

If you are using a Domain Name System (DNS) based validation method, verifying that your Domain Name System (DNS) records have propagated correctly before submitting the validation request will help avoid unnecessary delays.

Configuring Certification Authority Authorization (CAA) records in your Domain Name System (DNS) is also recommended. Certification Authority Authorization (CAA) records allow you to specify which Certificate Authorities (CAs) are permitted to issue SSL Certificates for your domain, adding an additional layer of security against unauthorized issuance.

Tip : Completing Domain Control Validation (DCV) promptly after placing your order helps to avoid delays. For Organization Validation (OV) and Extended Validation (EV) SSL Certificates, preparing your business documentation in advance and ensuring your organization's telephone number is publicly listed will help the Certificate Authority (CA) complete verification as quickly as possible.

The Trustico® order tracking system provides all the tools and guidance needed to complete the validation process efficiently. Detailed validation guides covering Organization Validation (OV) and Extended Validation (EV) are available alongside the standard product information pages.

Most Popular Questions

Frequently asked questions covering the SSL Certificate validation procedure, the three validation levels (DV, OV, EV), the four Domain Control Validation (DCV) methods, approver e-mail addresses, file based validation requirements when the SSL Certificate covers both root and www, the WHOIS deprecation timeline, and manual verification for Organization Validated and Extended Validation SSL Certificates.

The SSL Certificate Validation Procedure

Before any SSL Certificate can be issued, the Certificate Authority (CA) must verify that the applicant has legitimate control over the domain and, in some cases, that the organization behind the request is a verified legal entity. This process protects the integrity of the internet by preventing unauthorized parties from obtaining SSL Certificates for domains they do not own.

Three Validation Levels Available

Trustico® offers Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) SSL Certificates. Domain Validation (DV) requires only proof of domain control. Organization Validation (OV) and Extended Validation (EV) require additional business verification steps.

Domain Control Validation (DCV) Methods Supported

Trustico® supports four Domain Control Validation (DCV) methods : approver e-mail, Domain Name System (DNS) CNAME record, Domain Name System (DNS) TXT record, and Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) file based verification.

Pre-Approved E-Mail Addresses for Domain Control Validation (DCV)

The five pre-approved addresses are admin@example.com, administrator@example.com, hostmaster@example.com, webmaster@example.com, and postmaster@example.com. If none of these addresses are available, a _validation-contactemail Domain Name System (DNS) TXT record can be configured to direct the validation e-mail to an alternative address.

WHOIS-Based E-Mail Validation Deprecation

WHOIS-based e-mail validation was deprecated in two phases during 2025 under Ballot SC-80v3. On January 15, 2025, Certificate Authorities stopped using Hypertext Transfer Protocol Secure (HTTPS) web-based WHOIS lookups. By July 15, 2025, Certificate Authorities stopped relying on WHOIS-based validations entirely.

File Based Validation Requirements for Root and www

When an SSL Certificate covers both the root domain and the www subdomain, the verification file must be reachable at both example.com/.well-known/pki-validation/ and www.example.com/.well-known/pki-validation/. If the file is only reachable at the root, the www subdomain will be silently excluded from the SSL Certificate at issuance and reissue.

File Naming and Content Requirements

The verification file is named using the MD5 hash derived from your Certificate Signing Request (CSR). The contents must include the SHA-256 hash of the Certificate Signing Request (CSR) on the first line, the text "sectigo.com" on the second line, and optionally a unique value on the third line.

Wildcard SSL Certificate Validation Restrictions

File based validation cannot be used for Wildcard SSL Certificates. Wildcard SSL Certificate orders must use either approver e-mail or a Domain Name System (DNS) based validation method.

Manual Verification for Organization Validated (OV) and Extended Validation (EV) SSL Certificates

Organization Validated (OV) and Extended Validation (EV) SSL Certificates require manual verification including business registration documents and a verification telephone call to the administrative contact. The telephone number must be publicly listed in an approved telephone directory or verifiable through a third-party source such as Dun and Bradstreet.

Multi-Domain SSL Certificate Validation

For Multi-Domain SSL Certificates, each Fully Qualified Domain Name (FQDN) included on the SSL Certificate must be validated individually. Different Domain Control Validation (DCV) methods can be used for different domains within the same Multi-Domain SSL Certificate order.
