Understanding Domain Scope and Validation: Simplifying SSL/TLS for IT Professionals

By Scott Rogers | Introduction-To

Domain Control Validation ([DCV](https://www.geocerts.com/support/what-is-domain-control-validation-dcv)) can be a bit of a hassle, especially when dealing with different rules from various Certificate Authorities (CAs). As IT professionals who routinely buy and install SSL certificates, you’ve probably encountered DCV roadblocks when trying to prove control over a domain. To simplify this process, we’re breaking down how domain scope works for the certificates we offer, the differences between CAs, and how you can take control of the validation process for your orders.

What is Domain Scope?


Domain scope refers to the domain level at which you must prove control when ordering an SSL/TLS certificate. By default, most Certificate Authorities (CAs) expect you to prove control at the “base domain” (e.g., example.com) for any subdomains (e.g., [www.example.com](http://www.example.com) or app.example.com). But what happens when you want to prove control at the exact subdomain or need to adjust the scope for specific cases?

Let’s break down how the major CAs we work with, DigiCert and Sectigo, handle domain scope and validation and how you can override the default settings when needed.

Domain Scope Rules for DigiCert and GeoTrust Certificates


The domain scope is straightforward for certificates issued by [DigiCert](https://www.geocerts.com/digicert) (including its sister brand, [GeoTrust](https://www.geocerts.com/geotrust)). By default, DCV is proven at the base domain. For example, if you're requesting a certificate for **store.example.com**, you would prove control of **example.com**, which covers all subdomains like **store.example.com** or **blog.example.com**.

However, in some situations, proving DCV at the base domain isn’t desirable or even possible. Let’s say you have multiple subdomains and only need validation for one specific subdomain, or you’re working in a situation where the base domain is managed by someone else, as explained in our "Special Situations" section below.

If you need more control, you can override this setting either at the individual certificate order level or account-wide.

Overriding Domain Scope at the Individual Certificate Level:

1. While logged in to GeoCerts' [CertCommand portal](https://www.geocerts.com/certcommand/users/sign_in), click **Additional Options** from the certificate request page (where you paste in your CSR).
2. Under the **DCV Scope** section, select whether you’d like to validate at the base domain or the exact FQDN. 
3. Proceed with the rest of the certificate issuance process.

Overriding Domain Scope at the Account-Wide Level:

1. Log in to your account on the GeoCerts [CertCommand portal](https://www.geocerts.com/certcommand/users/sign_in).  
2. Navigate to **Account > Settings** (admin privileges required).  
3. Under **Domain Control Validation**, choose whether to validate all certificates at the base domain or the exact FQDN.  
4. Save your settings. Future orders will follow this configuration (though it can still be overridden for individual orders and reissues).

Domain Scope Rules for Sectigo and PositiveSSL Certificates


Sectigo, which also issues [PositiveSSL certificates](https://www.geocerts.com/positivessl), takes a more flexible approach to DCV. Unlike DigiCert, Sectigo allows you to prove DCV at **any domain segment**. For example, if you're requesting a certificate for **app.store.example.com**, you can choose to prove control at **store.example.com**, skipping **app.store.example.com**. This flexibility can save time when dealing with multi-level subdomains.

Sectigo will check each domain segment for a valid DNS record until it finds the correct one, particularly when you use the DNS CNAME DCV method. This makes the process easier for IT admins with more complex domain structures.

A Caveat with File-Based DCV


One important caveat applies to the [**File-based DCV method**](https://www.geocerts.com/support/domain-control-validation-by-http-file-method): According to [CA/B Forum](https://cabforum.org/) rules, this method requires you to prove control at the longest subdomain (FQDN). In this case, validation at **app.store.example.com** would be required rather than any shorter domain segment. This applies regardless of which CA you're using.

Special Situations for Mid-Scope DCV


There are times when DigiCert will consider the base domain something you don’t control. For example, if you request a certificate for **courts.atlanta.ga.gov**, DigiCert may treat **ga.gov** as the base domain, not **atlanta.ga.gov**. In this case, you might not be able to prove control at **ga.gov**, making it impossible to validate at the base domain level.

If you're in a similar situation and cannot prove DCV at the exact FQDN, you’ll need to [contact us](https://www.geocerts.com/contact) to manually adjust the domain scope to the desired subdomain. We're here to help with these types of issues and ensure you get the certificate you need.
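To make the scope rules above concrete (Sectigo's segment-by-segment CNAME walk, the file-based FQDN-only caveat, and the base-domain question behind the **courts.atlanta.ga.gov** case), here is an added example that is not code from GeoCerts or either CA. It assumes a small constructed suffix table in place of the real Public Suffix List, a constructed set of DNS records instead of live lookups, and a hypothetical `_dcv.` record-name prefix.

```python
from typing import Dict, List, Optional

# Constructed stand-in for the Public Suffix List (NOT the real list).
# "gov" is treated as a public suffix, so ga.gov becomes the base domain of
# courts.atlanta.ga.gov, mirroring the DigiCert behaviour described above.
PUBLIC_SUFFIXES = {"com", "gov"}

# Constructed DNS zone for the walkthrough: only store.example.com carries
# the validation CNAME. The "_dcv." prefix and the token are hypothetical.
CONSTRUCTED_CNAMES: Dict[str, str] = {
    "_dcv.store.example.com": "token123.ca.example",
}


def base_domain(fqdn: str) -> str:
    """Return the registrable (base) domain: longest matching public suffix plus one label."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):                 # longest trailing match first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])                  # fallback: last two labels


def candidate_scopes(fqdn: str, method: str) -> List[str]:
    """Domain segments at which DCV may be proven, longest first.

    method "dns":  any segment from the FQDN down to the base domain
                   (the segments Sectigo walks looking for a record).
    method "file": the FQDN only (CA/B Forum rule for HTTP file DCV).
    """
    fqdn = fqdn.lower().rstrip(".")
    if method == "file":
        return [fqdn]
    labels = fqdn.split(".")
    scopes = [".".join(labels[i:]) for i in range(len(labels))]
    return scopes[: scopes.index(base_domain(fqdn)) + 1]   # stop at base domain


def find_dcv_scope(fqdn: str, method: str, expected: str,
                   records: Dict[str, str] = CONSTRUCTED_CNAMES) -> Optional[str]:
    """Walk the allowed scopes longest-first; return the first segment whose
    CNAME holds the expected token, or None if nothing validates."""
    for scope in candidate_scopes(fqdn, method):
        if records.get(f"_dcv.{scope}") == expected:
            return scope
    return None
```

With the constructed zone, a DNS-method order for **app.store.example.com** validates at **store.example.com**, while the same order under the file-based method finds nothing because only the FQDN is eligible.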

Conclusion


Navigating domain scope and DCV rules can be tricky, but understanding how each CA handles these requirements can save you time and frustration. At GeoCerts, we offer SSL/TLS certificates from four major brands: DigiCert, GeoTrust, Sectigo, and PositiveSSL. DigiCert and GeoTrust fall under DigiCert’s rules, while Sectigo and PositiveSSL follow Sectigo's more flexible approach to validation.

If you're ever unsure about domain scope or if you’re having trouble proving control of a domain, [contact us](https://www.geocerts.com/contact). We’re here to help and can adjust the domain scope for your certificate request to ensure it aligns with your needs.