Comodo Domain Control Validation Changes

0 min read
openprovider blog about domains

comodo domain control validation changes

On July 20th 2017, Comodo will be changing the way they perform domain control validation for certificates.

Currently, Comodo offers three mechanisms for DCV:

  • Email – to a contact email on WHOIS, or one of a default list of five addresses @ the domain.
  • HTTP(S) – looking for a text file with specific content at: http(s)://fully.qualified.name/filename.txt
  • DNS CNAME – looking for a CNAME record in the form: randomvalue.fully.qualified.name CNAME randomvalue2.comodoca.com.

These three domain control validation methods of Comodo will still be available after the 20th of July. However, some of the technical details such as the location and contents of the file or the form of the DNS record will be changing.

Email DCV

The email DCV process will remain mostly unchanged. The only significant change is that DCV emails will timeout after 30 days. No API changes are needed.

HTTP(S) DCV

The filename will remain the same – the MD5 hash value of the CSR, in uppercase.

Both the file content and file location are changing.

  • The file content will change – instead of a SHA1 hash value of the CSR on the first line, this is replaced with a SHA-256 hash value of the CSR.
  • The file location will change – instead of looking at the root of the FQDN, we and Comodo will look in a specific path, designed for this purpose:
    http(s)://f
    ully.qualified.name/.well-known/pki-validation/.txt.

Comodo will be checking for the file from the same IP address and with the same User-Agent as they do today.

DNS CNAME

The DNS record will remain a CNAME record.

The record will use the MD5 hash value of the CSR with an underscore character (‘_’) prepended.

The record will use the SHA-256 hash value of the CSR, split into two 32-character entries.

As an example, a new DCV CNAME record could look like:
_c7fbc2039e400c8ef74129ec7db1842c.fully.qualified.name CNAME c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.comodoca.com.

Subscribe to our newsletter

Looking for the best Domain Reseller Program?

OpenProvider offers you the best prices in the market and more. Register your .com domains for only $8.57 now!