Domain Control Validation for the Certificate Orders Issued by Third-Party CA

Domain Control Validation (DCV) is the process by which the Certificate Authority (CA) verifies that you control the requested domain before it issues the SSL certificate. This verification occurs when you place a certificate order with a third-party CA. To perform DCV, the CA issues a challenge that proves domain control. The challenge format varies with the validation method you select during the certificate order process:

Once you complete the challenge, the CA verifies it. If the verification succeeds, the CA issues the SSL/TLS certificate. Key Manager Plus Cloud then fetches the certificate and adds it to the certificate inventory, where it can be managed and further deployed to the endpoint servers.

Key Manager Plus Cloud supports the following DCV methods:

  1. Email-based DCV
  2. File or HTTP-based DCV
  3. DNS-based DCV

For DNS-based DCV, the DNS details should be preconfigured. Refer to this document for detailed instructions.

1. Email-based Domain Control Validation

Additional Detail

The CAs that support email-based DCV in Key Manager Plus Cloud are GoDaddy, The SSL Store, GlobalSign, and AWS-ACM.

In this method, the Certificate Authority sends a verification email to the approver email address specified during the certificate order request. The email contains instructions that should be followed to complete the validation process.

Additional Detail

For GoDaddy CA, the challenge IDs are mailed to the requester's email as well as the domain administrator's email.

After completing the steps in the email:

  1. Log in to Key Manager Plus Cloud.
  2. Go to the Integrations tab, select the required CA, and check the certificate order status.

If the validation is successful, the CA issues the certificate. The certificate is then automatically fetched into the certificate inventory of Key Manager Plus Cloud.

From the inventory, you can deploy the certificate directly to endpoint servers such as a Certificate Store or IIS server.

2. File or HTTPS-based Domain Control Validation

Additional Detail

The CAs that support file or HTTPS-based DCV in Key Manager Plus Cloud are The SSL Store, GlobalSign, Let's Encrypt, Buypass Go SSL, and ZeroSSL.

When you choose file (HTTP/HTTPS)-based DCV, the certificate authority generates a challenge file at the time of order creation. To validate the domain, this file must be placed at the specified path on the domain's web server so that the CA can retrieve it.

For Windows servers, this can be performed directly from the Key Manager Plus Cloud interface. Otherwise, you have to place the file at the specified path manually.

Follow these steps to place the file directly from the Key Manager Plus Cloud interface:

Additional Detail

The Key Manager Plus Cloud Agent should be installed on the Windows server before proceeding. Refer to this document for installation instructions.

  1. Navigate to the Integrations tab and select the desired third-party CA.
  2. Click Manage >> Deploy and click Add.
    [Screenshot: ssl-integrations-dcv-1]
  3. In the pop-up that opens, choose the challenge type as 'http-01', specify the domain name, and choose the agent-installed server from the Server Name/IP Address dropdown.
  4. Enter the WebRoot Path and select Certificate, Private Key, or JKS/PKCS.
  5. Fill in the required details and click Save.

Once the challenge file is deployed, verify the order status of the certificate under the respective CA in Key Manager Plus Cloud. If the validation is successful, the CA issues the certificate. The issued certificate is then automatically fetched into the SSL >> Certificates inventory, from where it can be managed or deployed to endpoint servers.

Additional Detail

For DigiCert CA, you should pre-validate your domains and organizations in the CertCentral portal before placing certificate orders from Key Manager Plus. Once pre-validation is complete, certificate issuance and renewals for those domains and organizations are straightforward. Refer to this document for detailed instructions.

3. DNS-based Domain Control Validation

Caution

Ensure that the Key Manager Plus Cloud Agent is installed on the Windows server before proceeding. Refer to this document for installation instructions.

When you choose DNS-based DCV, the CA provides a DNS challenge value and a TXT record at the time of order creation. You should copy these records and add them manually to the domain's DNS. For Windows servers, this verification process can also be carried out from Key Manager Plus Cloud by configuring the server details under Manage >> Deploy.

Additional Detail

For DigiCert CA, users can pre-validate organizations and domains in CertCentral to automate DNS challenge deployment. Refer to this document for detailed instructions.

To perform the DNS-based DCV, follow the steps below:

  1. Navigate to the Integrations tab and select the required third-party CA.
  2. Click Manage >> Deploy >> Add.
    [Screenshot: ssl-integrations-dcv-2]
  3. In the pop-up window that opens, choose the challenge type as 'dns-01', specify the Domain Name, and choose the DNS provider (Azure, Cloudflare, Amazon Route 53 DNS, RFC 2136 Update, GoDaddy DNS, or ClouDNS) from the dropdown.
  4. Enter the required details and select the Deploy Certificate checkbox to deploy the certificate to the endpoint server after procurement.
  5. Select the agent-installed server from the dropdown and add the certificate, private key, or JKS/PKCS file path as needed.
  6. Click Save to complete the DNS challenge process.

The DNS challenge values and text records are automatically created in the configured DNS servers. After the records are validated, check the certificate order status under the respective CA in Key Manager Plus Cloud. If validation succeeds, the CA issues the certificate, which is then fetched and stored in the SSL >> Certificates tab. From here, you can deploy the certificate directly to endpoint servers such as a Certificate Store or IIS server. Click here for more details on certificate deployment.
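Added example covering both the file-based (http-01) and DNS-based (dns-01) procedures above; this is not part of the Key Manager Plus Cloud documentation or product. For ACME CAs listed on this page (Let's Encrypt, ZeroSSL, Buypass) the expected file body and TXT value are derived from the challenge token and the account key as RFC 8555 and RFC 7638 specify; for CAs that hand you the file content or TXT value directly, pass that value as `expected`. The domain, token and key values in the block are constructed.

```python
"""Pre-checks for http-01 and dns-01 DCV challenges before you ask the CA to verify."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required public members, keys sorted, no whitespace.
    Optional members such as 'alg' or 'kid' are deliberately excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 key authorization: '<token>.<account key thumbprint>'."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """(URL the CA fetches over plain HTTP, exact body it must find there)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_expected(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """(TXT record name, TXT value); value = base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def check_http01_body(body: str, expected: str) -> bool:
    """Compare what the web root actually serves; trailing whitespace is tolerated as per RFC 8555."""
    return body.strip() == expected


def check_dns01_txt(txt_values: list[str], expected: str) -> bool:
    """Compare the TXT record set a resolver returns (values may come back quoted)."""
    return any(v.strip().strip('"') == expected for v in txt_values)


if __name__ == "__main__":
    # Constructed account key and token; real values come from the ACME client and the CA.
    jwk = {"kty": "EC", "crv": "P-256", "x": "x-coord-b64url", "y": "y-coord-b64url"}
    print(http01_expected("www.example.com", "constructed-token", jwk))
    print(dns01_expected("www.example.com", "constructed-token", jwk))
```

Run the two checks against the body your web server actually returns and the TXT set a public resolver returns before checking the order status, since a stray trailing character in the file or an unpropagated record is the usual cause of a failed validation.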

Additional Details

  1. For DNS-based DCV, if you selected a DNS account configured under Manage >> DNS when creating the order, Key Manager Plus Cloud uses that account to perform the challenge verification. If instead you configure the domain and server details under Manage >> Deploy, the verification and subsequent certificate deployment are carried out only for that specific domain and server.
  2. For RFC 2136 DNS updates:
    1. With Global DNS configuration, the domain name itself acts as the zone name. (This is possible only if the same Key Secret is used for all zones.)
    2. With Domain-Agent mapping, you should provide the Zone Name, Key Name, and Key Secret for each domain individually.
  3. For GoDaddy CA, after placing a certificate order, DNS-based DCV can be performed using the Deploy DNS Challenge option from the top menu. Before starting this step, add a TXT record with the challenge ID to your domain’s zone file. Refer to this document for detailed instructions.
