Domain Control Validation by HTTP File-based Token Method

The DCV HTTP File-based Token Method allows you to demonstrate control over your domain by hosting a .txt file containing a generated random string token at a predetermined location on your website. Once the file is created and placed on your site, the issuing CA visits the specified URL to confirm the presence of the verification token.

Note: as of Dec 1, 2021, there are new rules that govern the use of the HTTP File-based Token DCV Method. This method can no longer be used for any wildcard domains (e.g., *.example.com). Additionally, you must make the token string available for each FQDN separately (e.g., www.example.com and mail.example.com).

How to set up DCV by HTTP/S File-based Token method

  1. Locate the pending order in your GeoCerts CertCommand account. Click on a domain in the "You Need To... > Prove Control Over Domains" section.

  2. From the DCV Method dropdown choose HTTP/S File-based Token and copy the File Content token string. Note: The token value expires after thirty days.

    * DigiCert and GeoTrust SSL orders will have a filename of fileauth.txt whereas SSL orders for Sectigo and PositiveSSL CAs will have a filename similar in format to 6C25483595D7C679E95088CF316F56801ADE6990A8B93B660F8CB.txt.
    * Additionally, the File Content for Sectigo and PositiveSSL SSL orders will contain 2 or 3 lines of text, similar in format to the following:

        6C25483595004C8B5FBED7C679E95089A8B39E5E6384C9A9C49890EB00A887B9
        sectigo.com
        b6gnGbHI

  3. Create a public directory on your server: /.well-known/pki-validation

    Note the leading dot in .well-known
    For Windows-based servers, the .well-known folder must be created via command line
    (mkdir .well-known).
  4. Add your [filename].txt to the new directory so that you end up with the following public URLs for each FQDN requested.

    http(s)://example.com/.well-known/pki-validation/[filename].txt
  5. Test the URL in a browser using HTTP/S** to verify that it's responding properly. Your browser should display the File Contents from step 2 above. The token value must be publicly accessible and cannot be behind a firewall. Multiple redirects will prevent DCV approval and only ports 80 and 443 will be accepted.

    ** DigiCert and GeoTrust SSL orders can use HTTP or HTTPS whereas Sectigo and PositiveSSL orders are specifically set to check DCV at either HTTP or HTTPS, but not both.

  6. Check DCV approval. 

    Once you're sure that your new HTTP File Token is set up correctly, go back to step 2 and click the CHECK button. 



    When the correct HTTP File Token is located, that domain will be checked-off and approved. Repeat for all domains on the certificate order.

Scans of your HTTP File Token will begin immediately after you enroll for an SSL certificate, and automatic re-checks will be made periodically until the correct response is found. You can also force re-checks using step 2 above. 
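
The checks in steps 4 and 5 can be scripted before clicking CHECK. The following Python sketch is an added example, not GeoCerts or CA tooling: it builds the per-FQDN URL, refuses wildcards, and reports the conditions the steps above say will block approval. The function names, the expectation of a 200 status, and reading "multiple redirects" as more than one are assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/pki-validation/"

def validation_url(fqdn, filename, scheme="http"):
    """Build the URL the CA checks; every FQDN needs its own copy of the file."""
    if "*" in fqdn:
        raise ValueError(f"{fqdn}: wildcard domains cannot use file-based DCV")
    return f"{scheme}://{fqdn}{WELL_KNOWN}{filename}"

class HopRecorder(urllib.request.HTTPRedirectHandler):
    """Follows redirects as usual but records each target URL."""
    def __init__(self):
        self.hops = []
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def fetch(url, timeout=10):
    """Return (hops, status, body) for a live URL; hops[0] is the URL requested."""
    rec = HopRecorder()
    try:
        with urllib.request.build_opener(rec).open(url, timeout=timeout) as resp:
            return [url] + rec.hops, resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return [url] + rec.hops, err.code, ""

def evaluate(hops, status, body, expected):
    """List the reasons a response would not satisfy the checks in steps 4-5."""
    problems = []
    if status != 200:  # assumption: the token must be served with a 200 response
        problems.append(f"HTTP status {status}, expected 200")
    if len(hops) > 2:  # assumption: "multiple" means more than one redirect
        problems.append(f"{len(hops) - 1} redirects in the chain")
    for hop in hops:
        parts = urlsplit(hop)
        if (parts.port or {"http": 80, "https": 443}.get(parts.scheme)) not in (80, 443):
            problems.append(f"{hop}: only ports 80 and 443 are accepted")
    got = body.replace("\r\n", "\n").strip()  # assumption: line endings may differ
    if got != expected.replace("\r\n", "\n").strip():
        hint = " (an HTML page was served instead)" if "<html" in got.lower() else ""
        problems.append("body does not match the File Content token" + hint)
    return problems

if __name__ == "__main__":
    # Constructed values, not a real order: token text and host are placeholders.
    url = validation_url("www.example.com", "fileauth.txt")
    print(evaluate([url], 200, "constructed-token-value\n", "constructed-token-value"))
```

For a live check, pass the result of fetch(url) to evaluate along with the File Content copied in step 2, once per FQDN on the order.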

Choosing and changing the DCV method

You choose the initial DCV method when placing an SSL/TLS order. You can change the current DCV method - for example, from Email Verification to DNS CNAME - at any time by clicking the button for any domain on the order that is not approved.  
