Alternative Methods of Domain Control Validation (DCV) Quick Summary CNAME

November 12, 2018

For a detailed article on ALL Alternative Methods of DCV, please visit Alternative Methods of Domain Control Validation Detailed Overview (DCV) .

DNS CNAME Based DCV


DNS CNAME based DCV requires the creation of a unique CNAME record, pointed back to Sectigo/Comodo CA. We look for the CNAME at every valid Authorization Domain, i.e. we start with the FQDN and then we will strip one or more labels from left to right in the FQDN and will look for the CNAME on each intermediate domain.

E.g. for a certificate request for an FQDN of *.mail.internal.example.com, we would look for the CNAME in these places and in this order:

  1. mail.internal.example.com
  2. internal.example.com
  3. example.com

The Authorization Domain Name is the one we find it on.

A CNAME DNS record is created under the Authorization Domain Name. We call the content of the CNAME the Request Token. The content of the Request Token is described in more detail below.
Two hashes of the CSR are generated before submission to Sectigo/Comodo CA.

The format of the CNAME will be:

  1. Hostname (left-hand side): _<MD5 hash>.<Authorization Domain Name>. (ex.
     _CC5412BF14B25A69F0D3A571C2426767.example.com.)
     Note: The "_" is always included and the "." after the ".com" also should be included, but depending on the web hosting company it may not be required.
  2. Target (right-hand side): <SHA-256 hash>.[<uniqueValue>.]comodoca.com. (ex.
     72B21EEE5B37D7913084.61F4BB041A1845F87DC8.comodoca.com.
     or
     72B21EEE5B37D791308461F4BB041A1845F87DC8.comodoca.com.)
     [Soon to be "sectigo.com" instead]
     Note: The "." after the ".com" also should be included, but depending on the web hosting company it may not be required.

The presence of this CNAME DNS record is checked, and if found, domain control is proven.
When copy-pasting the hashes, make sure that NO SPACES are caught (no leading or trailing whitespace).
When creating the DNS CNAME record over at your web-hosting company, there will be 3 entries:

  1. The "Hostname", which correlates to the first hash [MD5]: "_<MD5 hash>.DOMAIN.COM."
  2. The "Alias to" or "Directed to" value, which correlates to the second hash [SHA-256]: "<SHA-256 hash>.[<uniqueValue>.]comodoca.com"
  3. The Time To Live [TTL], which you should leave at the default value set by the web-hosting company.


When ordering a certificate through Comodo's web interface, the hash values are calculated and presented via the web interface during the order process. They are on the same screen as the DCV email-address options. Both the MD5 and SHA-256 hash values of the CSR are shown, and they must be added to DNS as a CNAME record, as the instructions above show, before continuing with the order.


Please pay attention to the following.
**** IF YOU WANT TO GENERATE THE HASHES ON YOUR OWN ****

  • Generate the hashes from the CSR before the order is submitted.
  • The hashes MUST be generated from the DER-encoded (i.e. binary) version of the CSR – not the base64 PEM encoded version. Variations in the PEM encoding can cause differing hash values, whereas the hashes of the DER encoded version will remain constant.
  • The file must be created using the UPPERCASE formatting of the MD5 hash, as most HTTP servers are case-sensitive. The Comodo CA system will only look for the UPPERCASE hash filename.
  • The file must be created with a .txt extension.
  • The SHA-256 hash within the file is case-insensitive.
  • You MUST use a hex (base 16) representation of the hash.

Generating the DER-based MD5 hash
To create an MD5 hash of your PEM formatted CSR, the following commands should be used:

  • Convert the PEM CSR to DER format with the following OpenSSL command:

openssl req -in csr.pem -out csr.der -outform DER

  • Create the MD5 hash from the DER formatted request (depending on your OS):

md5 csr.der       # macOS / BSD
md5sum csr.der    # Linux (GNU coreutils)
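The following Python script is an added illustration of the rules this page describes; it is not Sectigo/Comodo code and it never contacts the CA. It hashes the DER bytes of a CSR (uppercase hex MD5 and SHA-256), shows why hashing the PEM text instead is unstable (two line widths of the same CSR give two different hashes while the DER hash is fixed), walks the Authorization Domain Names in the order the page gives (wildcard dropped, then labels stripped left to right), builds the hostname/target pair for the CNAME, and checks a DNS zone for it. The CSR bytes and the DNS zone are constructed inside the script; the 32/32 split of the SHA-256 target label and stopping the walk at the two-label domain are assumptions, and all function names are mine.

```python
import base64
import hashlib
import textwrap
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the DER (binary) bytes of a CSR. A real CSR is an ASN.1
# CertificationRequest; any byte string is enough to show the hashing and naming rules.
SAMPLE_DER_CSR = bytes(range(256)) * 4


def pem_encode(der: bytes, width: int = 64) -> str:
    """Wrap DER bytes as a PEM CSR. `width` is the base64 line length: 64 is common,
    but other tools emit 76, which is why hashing the PEM text is not stable."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, width))
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + body + "\n-----END CERTIFICATE REQUEST-----\n"


def pem_hashes_differ(der: bytes) -> bool:
    """Same CSR, two PEM line widths: the PEM hashes differ while the DER hash is fixed."""
    h64 = hashlib.sha256(pem_encode(der, 64).encode("ascii")).hexdigest()
    h76 = hashlib.sha256(pem_encode(der, 76).encode("ascii")).hexdigest()
    return h64 != h76


def request_token_hashes(der: bytes) -> Tuple[str, str]:
    """MD5 and SHA-256 of the DER CSR as uppercase hex (base 16), as the page requires."""
    return (hashlib.md5(der).hexdigest().upper(),
            hashlib.sha256(der).hexdigest().upper())


def authorization_domains(fqdn: str) -> List[str]:
    """Candidate Authorization Domain Names in the order the CA checks them: drop a
    leading wildcard label, then take the FQDN and strip labels left to right.
    Assumption: the walk stops at the two-label domain (the page's example ends at
    example.com); a real CA also stops at public suffixes, which is not modelled here."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def cname_record(auth_domain: str, der: bytes, unique_value: Optional[str] = None,
                 split_sha256: bool = True) -> Tuple[str, str]:
    """Build (hostname, target) for the DCV CNAME.
    Hostname: "_" + MD5 + "." + Authorization Domain Name + trailing "."
    Target:   SHA-256 [+ "." + uniqueValue] + ".comodoca.com."
    Assumption: 64 hex characters exceed the 63-octet DNS label limit, so the SHA-256
    is split into two 32-character labels; the page shows a split form but not where."""
    md5_hex, sha_hex = request_token_hashes(der)
    hostname = "_{}.{}.".format(md5_hex, auth_domain)
    sha_labels = "{}.{}".format(sha_hex[:32], sha_hex[32:]) if split_sha256 else sha_hex
    parts = [sha_labels] + ([unique_value] if unique_value else []) + ["comodoca.com"]
    return hostname, ".".join(parts) + "."


def find_dcv_cname(fqdn: str, der: bytes,
                   lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Walk the authorization domains in order and return the first one on which the
    "_<MD5>" CNAME exists and points at comodoca.com carrying the SHA-256 of this CSR.
    `lookup(name)` returns the CNAME target for `name` or None (DNS is stubbed)."""
    md5_hex, sha_hex = request_token_hashes(der)
    for auth_domain in authorization_domains(fqdn):
        target = lookup("_{}.{}.".format(md5_hex, auth_domain))
        if target is None:
            continue
        norm = target.rstrip(".").upper()   # trailing dot and case do not matter in DNS
        if norm.endswith(".COMODOCA.COM") and norm.replace(".", "").startswith(sha_hex):
            return auth_domain
    return None


def constructed_zone_lookup(zone: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Case-insensitive lookup over a constructed in-memory zone (owner name -> target)."""
    lowered = {name.lower(): target for name, target in zone.items()}
    return lambda name: lowered.get(name.lower())


if __name__ == "__main__":
    hostname, target = cname_record("example.com", SAMPLE_DER_CSR)
    print("add to DNS:", hostname, "CNAME", target)
    zone = {hostname: target}   # constructed zone holding only the DCV record
    print("validated on:", find_dcv_cname("*.mail.internal.example.com", SAMPLE_DER_CSR,
                                          constructed_zone_lookup(zone)))
    print("PEM hashes vary with line width:", pem_hashes_differ(SAMPLE_DER_CSR))
```

Run as-is to see the record pair for the constructed CSR and the walk landing on example.com for the wildcard name; to use it against a real zone, replace `constructed_zone_lookup` with a function that performs an actual CNAME query, and feed it the DER bytes produced by the `openssl req ... -outform DER` command above.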