
Comodo Domain Control Validation Changes

7/10/2017


On July 20th 2017, Comodo will be changing the way they perform domain control validation for certificates.

Currently, Comodo offers three mechanisms for DCV:

  • Email – sent to a contact email address listed in WHOIS, or to one of a default list of five addresses at the domain.
  • HTTP(S) – looking for a text file with specific content at: http(s)://fully.qualified.name/filename.txt
  • DNS CNAME – looking for a CNAME record in the form: randomvalue.fully.qualified.name CNAME randomvalue2.comodoca.com.

All three of Comodo's domain control validation methods will still be available after the 20th of July. However, some of the technical details, such as the location and contents of the file or the form of the DNS record, will be changing.

Email DCV

The email DCV process will remain mostly unchanged. The only significant change is that DCV emails will time out after 30 days. No API changes are needed.

HTTP(S) DCV

The filename will remain the same – the MD5 hash value of the CSR, in uppercase.

Both the file content and file location are changing.

  • The file content will change – instead of a SHA1 hash value of the CSR on the first line, this is replaced with a SHA-256 hash value of the CSR.
  • The file location will change – instead of looking at the root of the FQDN, we and Comodo will look in a specific path, designed for this purpose:
    http(s)://fully.qualified.name/.well-known/pki-validation/.txt

Comodo will be checking for the file from the same IP address and with the same User-Agent as they do today.

DNS CNAME

The DNS record will remain a CNAME record.

The record name (the left-hand side) will use the MD5 hash value of the CSR with an underscore character (‘_’) prepended.

The record target (the right-hand side) will use the SHA-256 hash value of the CSR, split into two 32-character labels.

As an example, a new DCV CNAME record could look like:
_c7fbc2039e400c8ef74129ec7db1842c.fully.qualified.name CNAME c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.comodoca.com.
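The following script, added here as an illustration and not part of the original post or of Comodo's tooling, derives the new-format HTTP(S) file name and content and the new-format CNAME record from a CSR, and includes a small check that catches records still in the old single-label form. It assumes the hashes are taken over the DER bytes of the CSR (the decoded PEM body); the CSR below is a constructed stand-in whose body decodes to the bytes "abc", not a real request.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM CSR: its base64 body decodes to b"abc".
# A real CSR carries a DER-encoded PKCS#10 request between these markers.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
YWJj
-----END CERTIFICATE REQUEST-----
"""

def csr_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes (assumed to be what is hashed)."""
    body = re.sub(r"-----(BEGIN|END) [^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def http_dcv(pem: str, fqdn: str) -> dict:
    """New-format HTTP(S) DCV: <MD5 of CSR, uppercase>.txt placed under
    /.well-known/pki-validation/, with the SHA-256 of the CSR on the first line."""
    der = csr_der(pem)
    filename = hashlib.md5(der).hexdigest().upper() + ".txt"
    return {
        "url": f"http://{fqdn}/.well-known/pki-validation/{filename}",
        "content": hashlib.sha256(der).hexdigest() + "\n",
    }

def cname_dcv(pem: str, fqdn: str):
    """New-format DNS CNAME DCV: '_' + MD5 as the record name; the SHA-256 split
    into two 32-character labels under comodoca.com as the target."""
    der = csr_der(pem)
    name = "_" + hashlib.md5(der).hexdigest() + "." + fqdn
    sha = hashlib.sha256(der).hexdigest()
    target = sha[:32] + "." + sha[32:] + ".comodoca.com"
    return name, target

def looks_like_new_format(name: str, target: str) -> bool:
    """Pre-publication sanity check: reject records that still use the old
    un-prefixed name or a single-label target, which will fail validation."""
    name_ok = re.fullmatch(r"_[0-9a-f]{32}\..+", name) is not None
    target_ok = re.fullmatch(r"[0-9a-f]{32}\.[0-9a-f]{32}\.comodoca\.com", target) is not None
    return name_ok and target_ok

if __name__ == "__main__":
    print(http_dcv(SAMPLE_CSR_PEM, "fully.qualified.name"))
    print(cname_dcv(SAMPLE_CSR_PEM, "fully.qualified.name"))
```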
