Understanding Domain Scope and Validation
Domain Control Validation (DCV) can be a bit of a hassle, especially when dealing with different rules from various Certificate Authorities (CAs). As IT professionals who routinely buy and install SSL certificates, you’ve probably encountered DCV roadblocks when trying to prove control over a domain. To simplify this process, we’re breaking down how domain scope works for the certificates we offer, the differences between CAs, and how you can take control of the validation process for your orders.
What is Domain Scope?
Domain scope refers to the domain level at which you must prove control when ordering an SSL/TLS certificate. By default, most Certificate Authorities (CAs) expect you to prove control at the “base domain” (e.g., example.com) for any subdomains (e.g., www.example.com or app.example.com). But what happens when you want to prove control at the exact subdomain or need to adjust the scope for specific cases?
Let’s break down how the major CAs we work with, DigiCert and Sectigo, handle domain scope and validation and how you can override the default settings when needed.
Domain Scope Rules for DigiCert and GeoTrust Certificates
The domain scope is straightforward for certificates issued by DigiCert, including its sister brand, GeoTrust. By default, DCV is proven at the base domain. For example, if you're requesting a certificate for store.example.com, you would prove control of example.com, which covers all subdomains like store.example.com or blog.example.com.
However, in some situations, proving DCV at the base domain isn’t desirable or even possible. Let’s say you have multiple subdomains and only need validation for one specific subdomain, or you’re working in a situation where the base domain is managed by someone else, as explained in our "Special Situations" section below.
You can override this setting at the individual certificate order level or account-wide if you need more control.
Overriding Domain Scope at the Individual Certificate Level:
1. While logged in to GeoCerts' Cert Command portal, click Additional Options from the certificate request page (where you paste in your CSR).
2. Under the DCV Scope section, select whether you’d like to validate at the base domain or the exact FQDN.
3. Proceed with the rest of the certificate issuance process.
Overriding Domain Scope at the Account-Wide Level:
1. Log in to your account on the GeoCerts CertCommand portal.
2. Navigate to Account > Settings (admin privileges required).
3. Under Domain Control Validation, choose whether to validate all certificates at the base domain or the exact FQDN.
4. Save your settings. Future orders will follow this configuration (though it can still be overridden for individual orders and reissues).
Domain Scope Rules for Sectigo and PositiveSSL Certificates
Sectigo, which also issues PositiveSSL certificates, takes a more flexible approach to DCV. Unlike DigiCert, Sectigo allows you to prove DCV at any domain segment. For example, if you're requesting a certificate for app.store.example.com, you can choose to prove control at store.example.com, skipping app.store.example.com. This flexibility can save time when dealing with multi-level subdomains.
Sectigo will check each domain segment for a valid DNS record until it finds the correct one, particularly when you use the DNS CNAME DCV method. This makes the process easier for IT admins with more complex domain structures.
A Caveat with File-Based DCV
One important caveat applies to the file-based DCV method: according to CA/B Forum rules, this method requires you to prove control at the longest subdomain (the exact FQDN). In this case, validation at app.store.example.com would be required rather than at any shorter domain segment. This applies regardless of which CA you're using.
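The three rules above (DigiCert's base-domain default, Sectigo's walk through each domain segment when looking for the DNS CNAME record, and the file-based requirement to validate at the longest FQDN) can be modelled in a few lines. The following is an added example written for this article; it is not GeoCerts', DigiCert's or Sectigo's code. It assumes the base domain is simply the last two DNS labels (no Public Suffix List lookup), and the DNS records and DCV target value in it are constructed sample data rather than real CA-issued values.

```python
"""Model of how DCV scope is chosen for an FQDN under the rules described above.

Added example, not code from GeoCerts or any CA. Assumption: the base domain is
the last two labels of the name (real CAs use a Public Suffix List, which is
why ga.gov can be treated as a base domain). SAMPLE_* values are constructed.
"""
from typing import Optional


def dcv_scope_candidates(fqdn: str) -> list[str]:
    """Every domain segment from the exact FQDN down to the base domain,
    longest first: app.store.example.com -> store.example.com -> example.com."""
    labels = fqdn.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a usable FQDN: {fqdn!r}")
    # Assumption: the base domain is the last two labels.
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def base_domain(fqdn: str) -> str:
    """Shortest segment in the candidate list (the assumed base domain)."""
    return dcv_scope_candidates(fqdn)[-1]


def digicert_scope(fqdn: str, exact_fqdn: bool = False) -> str:
    """DigiCert/GeoTrust default: prove control at the base domain, unless the
    order or account setting overrides the scope to the exact FQDN."""
    return fqdn.strip().lower().rstrip(".") if exact_fqdn else base_domain(fqdn)


def sectigo_cname_walk(fqdn: str, dns_cnames: dict[str, str],
                       dcv_target: str) -> Optional[str]:
    """Simplified model of Sectigo's DNS CNAME check: inspect each segment,
    longest first, and stop at the first one whose DCV CNAME points at the
    expected target. Returns the segment that satisfied DCV, or None."""
    for segment in dcv_scope_candidates(fqdn):
        if dns_cnames.get(segment) == dcv_target:
            return segment
    return None


def file_dcv_scope(fqdn: str) -> str:
    """File-based DCV must be proven at the longest subdomain, whatever the CA."""
    return dcv_scope_candidates(fqdn)[0]


# Constructed sample zone: the admin published the DCV CNAME at the mid-level
# segment store.example.com rather than at the exact FQDN. The target is a
# placeholder, not a real CA value.
SAMPLE_DCV_TARGET = "dcv-target.example-ca.invalid"
SAMPLE_CNAMES = {
    "store.example.com": SAMPLE_DCV_TARGET,
}

if __name__ == "__main__":
    fqdn = "app.store.example.com"
    print("candidates:", dcv_scope_candidates(fqdn))
    print("DigiCert default scope:", digicert_scope(fqdn))
    print("DigiCert exact-FQDN override:", digicert_scope(fqdn, exact_fqdn=True))
    print("Sectigo CNAME found at:",
          sectigo_cname_walk(fqdn, SAMPLE_CNAMES, SAMPLE_DCV_TARGET))
    print("File-based DCV scope:", file_dcv_scope(fqdn))
```

Running the script for app.store.example.com shows why the CA choice matters: the DigiCert default resolves to example.com, the Sectigo walk stops at store.example.com because that is where the sample CNAME lives, and the file-based method is pinned to app.store.example.com no matter what. If the walk returns None, no segment carries the expected record, which is the situation to check before contacting the CA about a stalled order.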
Special Situations for Mid-Scope DCV
There are times when DigiCert will consider the base domain something you don’t control. For example, if you request a certificate for courts.atlanta.ga.gov, DigiCert may treat ga.gov as the base domain, not atlanta.ga.gov. In this case, you might not be able to prove control at ga.gov, making it impossible to validate at the base domain level.
If you're in a similar situation and cannot prove DCV at the exact FQDN, you’ll need to contact us to manually adjust the domain scope to the desired subdomain. We're here to help with these types of issues and ensure you get the certificate you need.
Conclusion
Navigating domain scope and DCV rules can be tricky, but understanding how each CA handles these requirements can save you time and frustration. At GeoCerts, we offer SSL/TLS certificates from four major brands: DigiCert, GeoTrust, Sectigo, and PositiveSSL. DigiCert and GeoTrust fall under DigiCert’s rules, while Sectigo and PositiveSSL follow Sectigo's more flexible approach to validation.
If you're ever unsure about domain scope or if you’re having trouble proving control of a domain, contact us. We’re here to help and can adjust the domain scope for your certificate request to ensure it aligns with your needs.