
Openprovider Support

Comodo Domain Control Validation Changes

On July 20th 2017, Comodo will be changing the way they perform domain control checks for certificates.

Currently, Comodo offers three mechanisms for DCV:

  • Email – to a contact email on WHOIS, or one of a default list of five addresses at the domain.
  • HTTP(S) – looking for a text file with specific content at: http(s)://fully.qualified.name/filename.txt
  • DNS CNAME – looking for a CNAME record in the form: randomvalue.fully.qualified.name CNAME randomvalue2.comodoca.com.

These three methods will still be available after the 20th of July; however, some of the technical details, such as the location and contents of the file or the form of the DNS record, will be changing.

Email

The email DCV process will remain mostly unchanged. The only significant change is that DCV emails will time out after 30 days. No API changes are needed.

HTTP(S)

The filename will remain the same – the MD5 hash value of the CSR, in uppercase.

The file content and file location are both changing.

  • The file content will change – instead of a SHA1 hash value of the CSR on the first line, this is replaced with a SHA-256 hash value of the CSR.
  • The file location will change – instead of looking at the root of the FQDN, we and Comodo will look in a specific path, designed for this purpose:
    http(s)://fully.qualified.name/.well-known/pki-validation/<filename>.txt

Comodo will be checking for the file from the same IP address and with the same User-Agent as they do today.

DNS CNAME

The record will remain a CNAME record.

The record name will use the MD5 hash value of the CSR with an underscore character (‘_’) prepended.

The record target will use the SHA-256 hash value of the CSR, split into two 32-character entries.

As an example, a new DCV CNAME record could look like:
_c7fbc2039e400c8ef74129ec7db1842c.fully.qualified.name CNAME c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.comodoca.com.
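
The new HTTP(S) and DNS CNAME values described above can be derived from a CSR and checked before the CA looks for them, as in this added example (not Openprovider's or Comodo's code). It assumes the hashes are computed over the DER-encoded CSR, which this page does not state; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib

# Constructed placeholder bytes standing in for a DER-encoded CSR (not a real CSR).
SAMPLE_DER = b"\x30\x82 constructed placeholder bytes, not a real CSR"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE REQUEST-----\n")


def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armour lines and base64-decode the body."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def dcv_values(csr_der: bytes, fqdn: str) -> dict:
    """Build the post-change HTTP(S) and CNAME DCV values for one FQDN."""
    md5_hex = hashlib.md5(csr_der).hexdigest()        # used as an identifier only
    sha256_hex = hashlib.sha256(csr_der).hexdigest()  # 64 hex characters
    return {
        # Filename is the MD5 in uppercase, under the .well-known path.
        "http_url": f"http://{fqdn}/.well-known/pki-validation/{md5_hex.upper()}.txt",
        # First line of the file; letter case is not stated on the page.
        "file_first_line": sha256_hex,
        # '_' + MD5 as the record name, SHA-256 split into two 32-char labels.
        "cname_name": f"_{md5_hex}.{fqdn}",
        "cname_target": f"{sha256_hex[:32]}.{sha256_hex[32:]}.comodoca.com.",
    }


def cname_matches(expected: dict, name: str, target: str) -> bool:
    """Compare an observed CNAME with the expected one, ignoring case and trailing dots."""
    def norm(value: str) -> str:
        return value.strip().rstrip(".").lower()
    return (norm(name) == norm(expected["cname_name"])
            and norm(target) == norm(expected["cname_target"]))


if __name__ == "__main__":
    for key, value in dcv_values(pem_to_der(SAMPLE_PEM), "fully.qualified.name").items():
        print(f"{key}: {value}")
```

A record still published in the pre-change format fails `cname_matches`, which makes the function usable as a pre-flight check before the DCV request is submitted.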
