
Streamlining the Domain Validation Processes for Efficiency
Navigating the domain validation process during an SSL certificate enrollment can be challenging due to unexpected obstacles.
This comprehensive guide offers effective troubleshooting strategies to ensure a seamless and efficient validation process. Whether facing email verification issues or DNS configuration problems, these tips will help you overcome common snags and streamline your domain validation efforts.
Possible Email Issues
WHOIS
For DCV, the Certification Authority may use the email address reported in the WHOIS record of the domain that the requested SSL certificate will cover.
If the WHOIS record is private or has a masked email address, it will not be easy to trace where a DCV email has been sent.
Depending on the host, users may be able to forward masked WHOIS emails to a real inbox.
WHOIS email cannot be automatically pulled by the validation system
In some cases, the validation system is not able to recognize WHOIS email addresses. If the address is not recognized automatically, the CA may not be able to add it, so that email address cannot be used for DCV.
Domain scope
Emails may go to a subdomain instead of the base domain.
The alias email addresses are built on the “domain scope” which is usually based on the exact common name of the CSR. If your common name is a subdomain, such as sub.domain.com, the system may only show options such as admin@sub.domain.com instead of admin@domain.com for DCV.
During generation, users may adjust the domain scope (these options depend on what kind of SSL it is):
• Select the “Base Domain” as the domain scope
• Click “Retrieve All Emails” or “Retrieve WHOIS Emails” button to add base domain options
After generation, support may be able to resend DCV emails to the correct domain address.
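To make the "domain scope" effect concrete, here is a small added example (not the CA's validation system) that derives the DCV addresses offered for a CSR common name under an "exact" scope versus a "Base Domain" scope. The five local parts are the constructed addresses the CA/Browser Forum Baseline Requirements allow for email DCV; the MULTI_LABEL_SUFFIXES table is a hypothetical stand-in for the Public Suffix List, so base-domain detection is only illustrative.

```python
"""Derive candidate email-DCV addresses for a CSR common name by domain scope.
Added example, not the CA's own code. Base-domain detection uses a small
hypothetical suffix table instead of the real Public Suffix List."""

from typing import List

# Constructed-address local parts permitted for email DCV (CA/B Forum BRs 3.2.2.4.4).
DCV_LOCAL_PARTS = ("admin", "administrator", "hostmaster", "postmaster", "webmaster")

# Hypothetical stand-in for the Public Suffix List: under these suffixes the
# registrable name needs two labels beyond the suffix (e.g. shop.example.co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def strip_wildcard(name: str) -> str:
    """'*.sub.example.com' -> 'sub.example.com'; other names are returned unchanged."""
    name = name.lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def base_domain(fqdn: str) -> str:
    """Return the registrable base domain of fqdn using the hypothetical suffix table."""
    labels = strip_wildcard(fqdn).split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def dcv_addresses(common_name: str, scope: str = "exact") -> List[str]:
    """List the constructed DCV addresses for common_name.

    scope="exact": addresses are built on the common name itself (minus a wildcard label),
                   which is why a CSR for sub.domain.com only offers admin@sub.domain.com.
    scope="base":  addresses are built on the registrable base domain (admin@domain.com).
    """
    if scope not in ("exact", "base"):
        raise ValueError("scope must be 'exact' or 'base'")
    target = base_domain(common_name) if scope == "base" else strip_wildcard(common_name)
    return [f"{local}@{target}" for local in DCV_LOCAL_PARTS]


if __name__ == "__main__":
    for cn in ("sub.domain.com", "*.shop.example.co.uk"):
        print(cn)
        print("  exact:", ", ".join(dcv_addresses(cn, "exact")))
        print("  base: ", ", ".join(dcv_addresses(cn, "base")))
```

If the address you can actually read mail at is admin@domain.com, the "exact" list for a subdomain CSR will not contain it; switching the scope to the base domain (or having support resend to it) is the fix the section above describes.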
Possible File Authentication Issues
File authentication is not possible for wildcard SSL certificates!
It may be used only for single-host or SAN certificates.
Validating www domains
All unique domains including www must be validated separately.
Validation instructions may not indicate if the www for the domain name is included on the request, or if it still needs to be validated.
During generation, you may have the option to “include www.your-domain and domain.com”. We recommend unchecking this option if your SSL is for a subdomain or if you know the www version doesn’t exist, and unchecking it is required if you’re generating for an IP address.
Expired file values
The authentication value contained in the file will expire after 30 days and will not be automatically updated or removed from the instruction page.
Users can generate a new file by switching to a different DCV method and then back to file, or support can generate a new file for you.
Possible DNS Authentication Issues
Expired DNS values
The DNS authentication values will expire after 30 days and will not be automatically updated or removed from the instruction page.
Users can generate a new value by switching to a different DCV method and then back to DNS, or support can generate a new value for you.
CAA records
Certificate Authority Authorization (CAA) records restrict which Certificate Authorities can issue SSL certificates for the domain.
If any CAA record exists but does not include the CA for the pending certificate, users should either add a new record for that Certification Authority or remove all CAA records to allow SSL from any Certification Authority.
If CAA is controlled by a third party (e.g. Shopify), users may need to request SSL only from a Certification Authority allowed by that third party.
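The check a CA performs against CAA records, and therefore the check you can run yourself before requesting a certificate, follows RFC 8659: climb from the requested name toward the root, take the first name that has any CAA records, and see whether the CA's issuer domain name is listed under issue (or under issuewild for a wildcard request). The added example below (not the CA's code) implements that decision offline over constructed sample records; the domain names and CA issuer names in SAMPLE_CAA are placeholders, and real DNS lookups and CNAME handling are left out.

```python
"""Offline CAA policy check (added example, not the CA's own code).

Decides whether a CA, identified by the issuer-domain-name it publishes for
CAA, may issue for a hostname, following RFC 8659 sections 3, 4.2 and 4.3.
No DNS queries are made; SAMPLE_CAA stands in for the answers."""

from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample records; names and issuer domains are placeholders.
SAMPLE_CAA: Dict[str, List[CaaRecord]] = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", "ca-two.example"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.net": [(0, "issue", "ca-three.example; accounturi=placeholder")],
    "report-only.example.net": [(0, "iodef", "mailto:caa@example.net")],
    "locked.example.org": [(0, "issue", ";")],  # explicit "no CA may issue"
    # example.org itself has no CAA, so e.g. www.example.org is unrestricted.
}


def relevant_rrset(hostname: str, zone: Dict[str, List[CaaRecord]]) -> Tuple[Optional[str], List[CaaRecord]]:
    """RFC 8659 section 3: return the closest name (the hostname or a parent)
    that has CAA records, with those records. For a wildcard name the search
    starts at the parent, i.e. the '*' label is dropped first."""
    name = hostname.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, list(zone[candidate])
    return None, []


def issuer_name(value: str) -> str:
    """Strip ';'-separated parameters: 'ca.example; accounturi=x' -> 'ca.example'.
    The bare ';' form yields '' and grants nobody."""
    return value.split(";", 1)[0].strip().lower()


def ca_allowed(hostname: str, ca_issuer_domain: str, zone: Dict[str, List[CaaRecord]] = SAMPLE_CAA) -> Tuple[bool, str]:
    """Return (allowed, reason) for a certificate covering hostname."""
    wildcard = hostname.lower().startswith("*.")
    found_at, records = relevant_rrset(hostname, zone)
    if not records:
        return True, "no CAA records on the name or any parent: any CA may issue"

    tags = {tag.lower() for _, tag, _ in records}
    # RFC 8659 4.3: for a wildcard request, issuewild records (if present) replace issue records.
    governing = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    grants = [issuer_name(v) for _, t, v in records if t.lower() == governing]

    if not grants:
        # e.g. only an iodef record: no issue restriction was requested
        return True, f"CAA at {found_at} has no '{governing}' property: issuance is not restricted"
    if ca_issuer_domain.lower() in grants:
        return True, f"CAA at {found_at} lists {ca_issuer_domain} under '{governing}'"
    listed = ", ".join(g or '";" (nobody)' for g in grants)
    return False, (f"CAA at {found_at} limits '{governing}' issuance to: {listed}; "
                   f"add an '{governing}' record for {ca_issuer_domain} or remove the CAA records")


if __name__ == "__main__":
    checks = [("www.example.com", "ca-one.example"), ("*.example.com", "ca-one.example"),
              ("*.example.com", "ca-two.example"), ("shop.example.net", "ca-three.example"),
              ("report-only.example.net", "ca-one.example"),
              ("locked.example.org", "ca-one.example"), ("www.example.org", "ca-one.example")]
    for host, ca in checks:
        ok, why = ca_allowed(host, ca)
        print(f"{host:26} {ca:18} {'ALLOWED' if ok else 'BLOCKED':8} {why}")
```

Two points the sample data is chosen to show: a wildcard request is governed by issuewild whenever such a record exists, so a CA listed only under issue is blocked for *.example.com; and a record set with only iodef does not restrict issuance, which is why removing only the issue records (not the iodef one) is enough to open a domain up again.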
Navigating these challenges effectively can streamline your domain validation process, ensuring quick and secure certificate issuances.