For all Comodo (Sectigo) SSL certificates, domain validation is required. By default, this is done by e-mail based validation, but through our API you can change this to one of the other validation methods. The respective commands and parameters are available in the KB; this article explains the methods in more detail. In the case of a multi-domain SSL certificate, each separate (sub) domain will start its own validation process.
E-mail based validation
This method sends an e-mail to an address that is undeniably linked to the domain name that the SSL certificate(s) will secure. The e-mail contains a link that the recipient must click to validate the certificate. The following so-called "approver e-mail addresses" are accepted (and can be retrieved via the retrieveApproverEmailListSslCertRequest API command):
- admin@, followed by the (sub) domain of the certificate
- administrator@, followed by the (sub) domain of the certificate
- postmaster@, followed by the (sub) domain of the certificate
- hostmaster@, followed by the (sub) domain of the certificate
- webmaster@, followed by the (sub) domain of the certificate
- the owner or admin contact's e-mail address, if it can be returned in a WHOIS response
DNS based validation
This method requires a special CNAME record to exist. The record's name contains the MD5 hash value of your CSR, and its contents contain the SHA256 hash value plus a random unique value from the CA. Two examples (for a wildcard certificate, put the record on the root domain, e.g. use domain.com for a certificate on *.domain.com):
<md5>.yourdomain.com. CNAME <sha256>.<unique value>.comodoca.com.
<md5>.sub.yourdomain.com. CNAME <sha256>.<unique value>.comodoca.com.
HTTP and HTTPS based validation
These methods require a special file to exist. The name of this file contains the (uppercase!) MD5 hash value of your CSR, and the file contents contain the SHA1 hash value of your CSR plus comodoca.com. Two examples:
Note that validation will fail if redirection is in place.
The MD5 and SHA256 hash values for your certificate can be retrieved via the retrieveOrderSslCertRequest API command.
You can also generate the MD5 and SHA256 hash values with the following OpenSSL commands:
- openssl req -in key.csr -outform DER|openssl md5
- openssl req -in key.csr -outform DER|openssl sha256
Please note that these commands will not give you the <unique value>. It is generated on the CA side and cannot be generated locally.
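The following is an added example, not part of the original article or the provider's API: it computes the same MD5 and SHA256 values as the OpenSSL commands above and lays out the CNAME record expected for each name on a multi-domain certificate, so you can compare it with what is published in DNS. The function names and the sample bytes are assumptions, and the unique value stays a placeholder because only the CA can supply it.

```python
import base64
import hashlib
import re

UNIQUE_PLACEHOLDER = "<unique value>"  # issued by the CA; cannot be derived locally

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """DER bytes of a PEM CSR, i.e. what `openssl req -outform DER` emits."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate request block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def record_owner(domain: str) -> str:
    """Wildcards are validated on the root domain: *.domain.com -> domain.com."""
    d = domain.strip().lower().rstrip(".")
    return d[2:] if d.startswith("*.") else d


def expected_cnames(pem: str, domains, unique: str = UNIQUE_PLACEHOLDER):
    """Return (record name, record target) pairs, one per distinct owner name."""
    der = pem_to_der(pem)
    md5 = hashlib.md5(der).hexdigest()
    sha256 = hashlib.sha256(der).hexdigest()
    seen, records = set(), []
    for dom in domains:
        owner = record_owner(dom)
        if owner in seen:  # *.domain.com and domain.com give the same record name
            continue
        seen.add(owner)
        records.append((f"{md5}.{owner}.", f"{sha256}.{unique}.comodoca.com."))
    return records


# Constructed stand-in bytes wrapped as PEM; NOT a real CSR.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    names = ["*.domain.com", "domain.com", "sub.yourdomain.com"]
    for name, target in expected_cnames(SAMPLE_PEM, names):
        print(name, "CNAME", target)
```

Replace the placeholder with the unique value the CA returns for your order before comparing against the live record.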