On July 20th 2017, Comodo will be changing the way they perform domain control checks for certificates.
Currently, Comodo offers three mechanisms for DCV:
- Email – to a contact email address listed in WHOIS, or to one of a default list of five addresses at the domain.
- HTTP(S) – looking for a text file with specific content at the root of the FQDN, i.e. http(s)://fully.qualified.name/<MD5 hash of the CSR>.txt
- DNS CNAME – looking for a CNAME record in the form: randomvalue.fully.qualified.name CNAME randomvalue2.comodoca.com
These three methods will still be available after the 20th of July; however, some of the technical details, such as the location and contents of the file or the form of the DNS record, will be changing.
The email DCV process will remain mostly unchanged. The only significant change is that DCV emails will time out after 30 days. No API changes are needed.
For HTTP(S) DCV, the filename will remain the same – the MD5 hash value of the CSR, in uppercase, with a .txt extension. The file content and the file location are both changing.
- The file content will change – the first line, which currently holds the SHA-1 hash value of the CSR, will instead hold the SHA-256 hash value of the CSR.
- The file location will change – instead of looking at the root of the FQDN, we and Comodo will look in a specific path designed for this purpose: http(s)://fully.qualified.name/.well-known/pki-validation/<MD5 hash of the CSR>.txt
Comodo will be checking for the file from the same IP address and with the same User-Agent as they do today.
For DNS DCV, the record will remain a CNAME record, but both sides of it change:
- The record name (the left-hand side, the randomvalue.fully.qualified.name part of the current form) will use the MD5 hash value of the CSR with an underscore character (‘_’) prepended.
- The record target (the right-hand side, the randomvalue2.comodoca.com part of the current form) will use the SHA-256 hash value of the CSR, split into two 32-character labels, because a single DNS label is limited to 63 characters and the 64-character hex hash would not fit in one.
As an example, a new DCV CNAME record could look like:
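As an added worked example, not part of Comodo's material or of this announcement, the Python script below takes one CSR and produces the current and new HTTP DCV locations with the value expected on the file's first line (the HTTP section above), and the new DNS CNAME record (the DNS section above), together with the checks you would run over what a fetch or a DNS lookup actually returns before submitting the order. Everything it assumes is labelled: the hashes are taken over the DER-encoded CSR bytes (the announcement does not say which encoding is hashed), the hex case of the SHA-1 and SHA-256 values, the hypothetical name www.example.com, the CNAME target still sitting under comodoca.com as in the current form, and a constructed placeholder in place of a real CSR.

```python
import hashlib
from typing import Tuple

# Constructed stand-in for a CSR (not a real PKCS#10 request). Pass the bytes of
# the real CSR instead; this example hashes the DER encoding, which is an
# assumption because the announcement does not say which encoding is hashed.
SAMPLE_CSR_DER = b"constructed placeholder CSR bytes, not a real request"
DCV_ZONE = "comodoca.com"                  # CNAME targets live under this zone today
WELL_KNOWN_DIR = "/.well-known/pki-validation/"


def csr_hashes(csr_der: bytes) -> Tuple[str, str, str]:
    """Return (MD5 uppercase hex, SHA-1 lowercase hex, SHA-256 lowercase hex) of the CSR.

    Uppercase MD5 is what the filename uses; the hex case of the SHA-1/SHA-256
    values is an assumption, so the checks below compare case-insensitively.
    """
    md5 = hashlib.md5(csr_der).hexdigest().upper()
    sha1 = hashlib.sha1(csr_der).hexdigest().lower()
    sha256 = hashlib.sha256(csr_der).hexdigest().lower()
    return md5, sha1, sha256


def http_dcv_target(fqdn: str, csr_der: bytes, legacy: bool = False,
                    https: bool = False) -> Tuple[str, str]:
    """URL Comodo will fetch and the value expected on the file's first line.

    legacy=True gives the pre-20-July form (file at the FQDN root, SHA-1 on the
    first line); the default gives the new form (.well-known path, SHA-256).
    """
    md5, sha1, sha256 = csr_hashes(csr_der)
    scheme = "https" if https else "http"
    path = "/" if legacy else WELL_KNOWN_DIR
    return f"{scheme}://{fqdn}{path}{md5}.txt", (sha1 if legacy else sha256)


def http_dcv_body_ok(body: bytes, csr_der: bytes, legacy: bool = False) -> bool:
    """Check a fetched file body: its first line must be the expected CSR hash."""
    expected = http_dcv_target("unused", csr_der, legacy=legacy)[1]
    first_line = body.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return first_line.lower() == expected


def dns_dcv_record(fqdn: str, csr_der: bytes) -> Tuple[str, str]:
    """Return (owner name, CNAME target) in the new form."""
    md5, _, sha256 = csr_hashes(csr_der)
    owner = f"_{md5}.{fqdn}"
    # A DNS label holds at most 63 octets, so the 64-hex-char SHA-256 is split
    # into two 32-character labels in front of the comodoca.com zone (assumed).
    target = f"{sha256[:32]}.{sha256[32:]}.{DCV_ZONE}"
    return owner, target


def dns_dcv_record_ok(owner: str, target: str, fqdn: str, csr_der: bytes) -> bool:
    """Compare a record as a resolver returns it (case-insensitive, trailing dot tolerated)."""
    exp_owner, exp_target = dns_dcv_record(fqdn, csr_der)

    def norm(name: str) -> str:
        return name.rstrip(".").lower()

    return norm(owner) == norm(exp_owner) and norm(target) == norm(exp_target)


def zone_file_line(fqdn: str, csr_der: bytes) -> str:
    """The record in zone-file syntax, ready to paste into a BIND-style zone."""
    owner, target = dns_dcv_record(fqdn, csr_der)
    return f"{owner}. IN CNAME {target}."


if __name__ == "__main__":
    fqdn = "www.example.com"           # hypothetical name
    for legacy in (True, False):
        url, first_line = http_dcv_target(fqdn, SAMPLE_CSR_DER, legacy=legacy)
        print(("current" if legacy else "new") + " HTTP DCV:", url, "->", first_line)
    print("new DNS DCV:", zone_file_line(fqdn, SAMPLE_CSR_DER))
```

Before submitting an order, fetch the new URL from outside your own network and run http_dcv_body_ok over the response body: some web-server and CMS configurations refuse to serve paths that begin with a dot, and a redirect to a login or error page will fail the check just as a wrong hash would. For the DNS form, query a public resolver rather than your authoritative server so you see the record as Comodo will, and remember that DNS names are case-insensitive, which is why dns_dcv_record_ok normalises case before comparing.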