For a detailed overview of all alternative DCV methods, see Alternative Methods of Domain Control Validation (DCV) Detailed Overview.
DNS CNAME Based DCV
DNS CNAME based DCV requires the creation of a unique CNAME record whose target points back to Sectigo/Comodo CA. We look for the CNAME at every valid Authorization Domain Name: we start with the FQDN being validated, then strip one label at a time from the left, and look for the CNAME on each intermediate domain.

For example, for a certificate request for the FQDN *.mail.internal.example.com we would look for the CNAME in these places, in this order:
mail.internal.example.com
internal.example.com
example.com
The Authorization Domain Name is the one on which we find the record.

The CNAME record is created under the Authorization Domain Name. We call the content of the CNAME the Request Token; its format is described in more detail below.

Two hashes (MD5 and SHA-256) of the DER-encoded CSR are generated before the CSR is submitted to Sectigo/Comodo CA.
The format of the CNAME will be:
1. Record name (owner): "_" followed by the MD5 hash, under the Authorization Domain Name, e.g.
_CC5412BF14B25A69F0D3A571C2426767.example.com.
Note: the leading "_" is always required. The trailing "." after ".com" marks the name as fully qualified and should be included, but depending on your DNS/web hosting provider it may be added automatically or not be accepted.
2. Record target (value): <SHA-256 hash>.[<uniqueValue>.]comodoca.com, e.g.
72B21EEE5B37D7913084.61F4BB041A1845F87DC8.comodoca.com.
or
72B21EEE5B37D791308461F4BB041A1845F87DC8.comodoca.com.
A full SHA-256 digest is 64 hexadecimal characters, and a single DNS label may not exceed 63 characters, so the digest is entered as two 32-character labels separated by a "."; the example values above are shorter than a real digest. The <uniqueValue> label is optional and is only present when the order provides one.
[The CA suffix will soon change from "comodoca.com" to "sectigo.com".]
Note: the same rule for the trailing "." after ".com" applies to the target as to the record name.
The presence of this CNAME DNS record is checked, and if found, domain control is proven.
When copy-pasting the hashes, make sure no spaces are included.
When creating the CNAME record at your DNS/web hosting provider, there will be three fields to fill in: the record name (host), the record type (CNAME), and the target (value, sometimes labelled "points to").
When ordering a certificate through Comodo's web interface, the hash values are calculated and presented during the order process, on the same screen as the DCV email-address options. Both the MD5 and SHA-256 hash values of the CSR are shown, and the CNAME record must be added to DNS as described above before continuing with the order.
Please pay attention to the following if you want to generate the hashes on your own.
Generating the DER-based MD5 hash
The hash is taken over the DER encoding of the CSR, not over the PEM text, so first convert the PEM CSR to DER and then hash the DER file:
openssl req -in csr.pem -out csr.der -outform DER
md5 csr.der        (macOS/BSD)
md5sum csr.der     (Linux)
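The following script is an added example and is not Sectigo/Comodo tooling or part of the original article. It carries the whole procedure through in one place: it converts a PEM CSR to DER (the DER bytes are simply the base64-decoded PEM body, which is what openssl req -outform DER writes), computes the MD5 and SHA-256 digests with coreutils, splits the SHA-256 digest into the two 32-character labels, builds the record name and target for every candidate Authorization Domain Name, and includes an optional dig-based check of what is actually published. The CSR used is a constructed placeholder whose body decodes to the three bytes "abc" (so it is not a real request, but every step is identical for one); the CA suffix, the optional uniqueValue label and the function names are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Sectigo/Comodo tooling: derive the CNAME DCV record from a
# PEM CSR as the article describes, using only coreutils (base64, md5sum,
# sha256sum) so it also runs where openssl is absent. Assumptions: GNU coreutils;
# the CA suffix (comodoca.com) and the optional uniqueValue label are arguments.
set -eu

# PEM -> DER. A PEM CSR is base64 between the BEGIN/END markers, so the decoded
# bytes are exactly what "openssl req -outform DER" writes out.
pem_to_der() {
  sed -e '/^-----BEGIN/d' -e '/^-----END/d' "$1" | tr -d '\r\n ' | base64 -d
}

# Uppercase hex digests of the DER file (uppercase only to match the article's
# examples; DNS names are compared case-insensitively anyway).
der_md5()    { md5sum    "$1" | cut -c1-32 | tr 'a-f' 'A-F'; }
der_sha256() { sha256sum "$1" | cut -c1-64 | tr 'a-f' 'A-F'; }

# Candidate Authorization Domain Names, most specific first: drop a leading
# "*." and then strip one label at a time, as the CA's walk does. This loop does
# not consult the Public Suffix List, so for names under e.g. co.uk the CA's
# real walk stops earlier than this one.
authorization_domains() {
  name="${1#\*.}"
  while [ "${name#*.}" != "$name" ]; do
    printf '%s\n' "$name"
    name="${name#*.}"
  done
}

# Record name (owner): "_" + MD5 under the Authorization Domain Name, written
# fully qualified with a trailing dot.  Args: der-file adn
cname_owner() { printf '_%s.%s.' "$(der_md5 "$1")" "$2"; }

# Record target: the 64-character SHA-256 digest split into two 32-character
# labels (one DNS label may not exceed 63 octets), then the optional uniqueValue,
# then the CA suffix.  Args: der-file ca-suffix [uniqueValue]
cname_target() {
  sha="$(der_sha256 "$1")"
  unique="${3:-}"
  printf '%s.%s.%s%s.' \
    "$(printf '%s' "$sha" | cut -c1-32)" \
    "$(printf '%s' "$sha" | cut -c33-64)" \
    "${unique:+$unique.}" "$2"
}

# Live check (needs network and dig, so it is not run below): compare the
# published CNAME with the expected target.  Args: owner expected-target
dcv_check() {
  actual="$(dig +short CNAME "$1" | head -n 1)"
  if [ "$actual" = "$2" ]; then
    echo "OK: $1 -> $actual"
  else
    echo "MISMATCH: $1 -> '$actual' (expected $2)" >&2
    return 1
  fi
}

# Constructed placeholder "CSR": its body decodes to the three bytes "abc", so
# it is not a real request, but every step below is the same for a real one.
DEMO_PEM="$(mktemp)"; DEMO_DER="$(mktemp)"
trap 'rm -f "$DEMO_PEM" "$DEMO_DER"' EXIT
cat >"$DEMO_PEM" <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
YWJj
-----END CERTIFICATE REQUEST-----
EOF
pem_to_der "$DEMO_PEM" >"$DEMO_DER"

# One record per candidate ADN for the wildcard from the article; publishing it
# on any one of them is enough, the CA accepts the first one it finds.
for adn in $(authorization_domains '*.mail.internal.example.com'); do
  printf '%s CNAME %s\n' "$(cname_owner "$DEMO_DER" "$adn")" \
                         "$(cname_target "$DEMO_DER" comodoca.com)"
done
```

To use it on a real request, replace the placeholder with your own csr.pem, publish the printed record at one of the listed Authorization Domain Names, and then run dcv_check with that record's name and target to confirm the value resolves before continuing the order; if md5sum and sha256sum give values that differ from what the web interface shows, the hash was almost certainly taken over the PEM text instead of the DER bytes.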