Internal - Certs for Public IP Addresses

July 17, 2018

If the customer has a firewall, they can whitelist us so they can before HTTP or HTTPS for DCV on a IP address if we cant use the whois lookup:

e-mail is being sent from [email protected]om
DCV IP Addresses: = =


yes, manual validation for certificates for IP addresses (i.e. with CN or SAN including IP address) - was introduced on May 13 2017 by rework # 5 to WCR 16092602 , details below. It will work for all customers
b) in addition to manual validation - HTTP/HTTPS CSR HASH method will work as well, for all customers

I.e. for all customers (CCM and non-CCM) - for all such orders- domain name can be validated either manually or vie HTTP/HTTPS CSR hash and if such validation happened it will sufficient and we will no longer require IP range validation.

In addition to this, for CCM customers only, we will accept also additional validation method - through IP address range. This is optional , and if CCM order was validated manually or via alt-DCV methods as I mentioned in (a) and (b) above -validation via IP range wil not be required. But - in absence of manual DCV - validation via IP range will be also acceptable (again - only for CCM customers)

So certificate for public IP address can be validated either by
- HTTP/S CSR hash or manual validation , for all customers
- or, for CCM accounts only, through validation of IP range (whereas such validation is not mandatory in case domain was already validated manually)

Now to your remarks

It is giving validation the option to validate all the domains under the domain name validation details (validate all domains).

I thought that the procedure changed to adding in these addresses under the web host details.
This ability originally existed only via API. Our May release (rework # 3 to WCR 16092602) also allowed validators to manually add such ranges (ability to validate such ranges was there earlier)

However, even though the IP address is added to the authorized range under webhost it is not validating it under the domain name validation details.
This is correct behavior. Validating the range - marks the range as validated but will not affect DCV status of a single IP address. If range was validated and an IP by itself wasn't DCV'd - then this IP will appear as not validated in "domain name validation details" section . Yet, for CCM customers - such certificate can be issued since the range is validated

1. Validators will now be able to add IP address/IP address range by themselves, through OMS. see attached screenshots 'OMS IP management' and 'Add IP Range' . Just to add that validators always have been able to validate range through OMS but now they will also be able to mark IP address range as "valid" while adding it.

2. Validation through IP address ranges will only be available for CCM accounts.

3. For all accounts - we now allow manual validation of single IP address in OMS the specific order/certificate ,in a same way we manually validate domain names for OV and EV (see screenshot).Adding authorized IP to WHR account will no longer be an only way to validate such certificates

4. We Implemented automatic validation of single IP addresses. Available methods; HTTP(& HTTPS) CSR Hash (again, it will work in a same manner as it works for public domain names).

IP Address Based DCV

IP Address based DCV requires that a DNS lookup for A records for the FQDN resolves to an IP address over which the applicant has control.

Comodo will obtain documentation of IP address assignment from the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC).

Comodo records the IP ranges over which the applicant has control and initially validates as a manual process that the documentation available confirms that the applicant actually has control of those ranges. The relevant range(s) of IP address must have been validated and recorded against the applicant’s account BEFORE the certificates which are to rely on this DCV method are requested.

When the AutoApplySSL call is made, an additional parameter must be specified to indicate use of IP address based DCV. This parameter is called ‘dcvMethod’ and must be set to the UPPERCASE value ‘IP_ADDRESS_PRE’.