Comodo Domain Control Validation Changes

Author: Valeria van der Poel
7/10/2017
Domain Security News

On July 20th 2017, Comodo will be changing the way they perform domain control validation for certificates.

Currently, Comodo offers three mechanisms for DCV:

  • Email – to a contact email on WHOIS, or one of a default list of five addresses @ the domain.
  • HTTP(S) – looking for a text file with specific content at: http(s)://fully.qualified.name/filename.txt
  • DNS CNAME – looking for a CNAME record in the form: randomvalue.fully.qualified.name CNAME randomvalue2.comodoca.com.

All three of Comodo's domain control validation methods will still be available after the 20th of July. However, some of the technical details, such as the location and contents of the file and the form of the DNS record, will change.

Email DCV

The email DCV process will remain mostly unchanged. The only significant change is that DCV emails will time out after 30 days. No API changes are needed.

HTTP(S) DCV

The filename will remain the same – the MD5 hash value of the CSR, in uppercase.

Both the file content and file location are changing.

  • The file content will change – the SHA-1 hash value of the CSR on the first line is replaced by the SHA-256 hash value of the CSR.
  • The file location will change – instead of looking at the root of the FQDN, we and Comodo will look in a specific path designed for this purpose:
    http(s)://fully.qualified.name/.well-known/pki-validation/.txt

Comodo will be checking for the file from the same IP address and with the same User-Agent as they do today.

DNS CNAME

The DNS record will remain a CNAME record.

The record name (the left-hand side) will use the MD5 hash value of the CSR with an underscore character (‘_’) prepended, followed by the FQDN.

The record target (the right-hand side) will use the SHA-256 hash value of the CSR, split into two 32-character labels, under comodoca.com.

As an example, a new DCV CNAME record could look like:
_c7fbc2039e400c8ef74129ec7db1842c.fully.qualified.name CNAME c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.comodoca.com.
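As an added example (not code from the post or from Openprovider or Comodo), the following Python derives the new HTTP(S) file path and content and the DNS CNAME name and target from a CSR, and checks a published CNAME line against them. It assumes the hashes are computed over the DER-encoded CSR (the post does not state the encoding) and that digests are lowercase except for the uppercase filename; the sample CSR is a constructed stand-in whose base64 body decodes to the bytes "abc".

```python
import base64
import hashlib
import re
# Constructed stand-in for a PEM CSR: the base64 body decodes to b"abc", not a
# real CSR, so the hashes below can be checked by hand.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
YWJj
-----END CERTIFICATE REQUEST-----
"""

def csr_der_bytes(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes that get hashed (assumption:
    the CA hashes the DER encoding; the post does not state the encoding)."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.startswith("-----"))
    return base64.b64decode(body)

def expected_dcv(pem: str, fqdn: str) -> dict:
    """HTTP(S) file path/content and DNS CNAME name/target for the new DCV."""
    der = csr_der_bytes(pem)
    md5 = hashlib.md5(der).hexdigest()
    sha256 = hashlib.sha256(der).hexdigest()
    return {
        # file name: uppercase MD5 of the CSR, under /.well-known/pki-validation/
        "http_path": f"/.well-known/pki-validation/{md5.upper()}.txt",
        # first line of the file: SHA-256 of the CSR (replaces the old SHA-1)
        "http_content": sha256,
        # CNAME owner name: '_' + MD5 of the CSR, then the FQDN
        "cname_name": f"_{md5}.{fqdn}",
        # CNAME target: SHA-256 split into two 32-char labels under comodoca.com
        "cname_target": f"{sha256[:32]}.{sha256[32:]}.comodoca.com.",
    }

# Shape of a zone-file style DCV CNAME line, like the example in the post.
CNAME_RE = re.compile(
    r"^_(?P<md5>[0-9a-f]{32})\.(?P<fqdn>\S+)\s+CNAME\s+"
    r"(?P<l>[0-9a-f]{32})\.(?P<r>[0-9a-f]{32})\.comodoca\.com\.?$", re.IGNORECASE)

def cname_record_is_well_formed(record: str) -> bool:
    return CNAME_RE.match(record.strip()) is not None

def cname_record_matches_csr(record: str, pem: str, fqdn: str) -> bool:
    """True if a published CNAME line carries exactly the values the CSR implies."""
    m = CNAME_RE.match(record.strip())
    if m is None:
        return False
    exp = expected_dcv(pem, fqdn)
    return (f"_{m['md5']}.{m['fqdn']}".lower() == exp["cname_name"].lower()
            and f"{m['l']}.{m['r']}.comodoca.com.".lower() == exp["cname_target"])
```

Run `expected_dcv` against your real CSR and FQDN to get the values to publish, then feed the line your DNS actually returns to `cname_record_matches_csr` before requesting validation.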
