DV (domain validation) for COMODO certificates

For all Comodo SSL certificates, domain validation is required. By default, this is done by e-mail based validation, but through our API you can change this to one of the other validation methods. The respective commands and parameters are available at; this article explains the methods in more detail. In case of a multi-domain SSL certificate, each separate (sub) domain will start it's own validation process.

  • E-mail based validation will send an e-mail to an e-mail address that is undeniably linked to the domain name that the SSL certificate(s) will secure. This e-mail contains a link that the recipient should click to validate the certificate. The following so-called "approver e-mail addresses" are accepted (and can be retrieved via the retrieveApproverEmailListSslCertRequest API command):
    • admin@, followed by the (sub) domain of the certificate
    • administrator@, followed by the (sub) domain of the certificate
    • postmaster@, followed by the (sub) domain of the certificate
    • hostmaster@, followed by the (sub) domain of the certificate
    • webmaster@, followed by the (sub) domain of the certificate
    • The owner or admin contact's e-mail address if it can be retrieved through a port-43 whois query.

  • DNS based validation requires a special CNAME record to exist. This CNAME record contains the MD5 hash value of your CSR in its name and the SHA1 hash value in its contents. Two examples (for a wildcard certificate, put the record on the root domain, e.g. use for a certification on *

    <md5> CNAME <sha1>
    <md5> CNAME <sha1>
  • HTTP and HTTPS based validation require a special file to exist. The name of this file contains the (uppercase!) MD5 hash value of your CSR and the file contents contains the SHA1 hash value of your CSR plus Two examples:

    http(s)://<uppercase MD5>.txt

    http(s)://<uppercase MD5>.txt

    Note that validation will fail if redirection is in place.

The MD5 and SHA1 hash values for your certificate can be retrieved via the retrieveOrderSslCertRequest API command.

You can also generate the MD5 and SHA1 with the following OpenSSL commands:

  • openssl req -in key.csr -outform DER|openssl md5
  • openssl req -in key.csr -outform DER|openssl sha1
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Please sign in to leave a comment.