Guide to domain validation

This page only applies to SSL Server certificates.
 
As part of the issuance procedure for SSL Server certificates, the Applicant must prove to the CA that it controls every domain (FQDN) to be included in the requested certificate. This verification (Domain Control Validation, or DCV) may only be performed with methods approved by the CA/Browser Forum. Except in special cases, the DCV process also requires action by the Applicant.
 
Actalis currently supports the DCV methods described below:

email-admin
  The CA sends an email to one of the standard privileged mailboxes of the domain to be validated (or of a higher-level domain), namely postmaster@, webmaster@, hostmaster@, administrator@ or admin@ that domain. The email contains a unique link that the recipient must click, then follow the instructions shown by the browser. The CA waits for the recipient to read the email and complete these steps, which proves that the Applicant controls the domain.

email-contact
  Similar to the previous method, but the email is sent to a mailbox found in the domain's WHOIS record. In this case too, the CA waits for the recipient to read the email, click the link it contains, and follow the instructions shown by the browser. This method assumes that at least one email address appears in the output of the whois <domain> command. If the email address can only be seen through other query modes (e.g. via the domain registrar's web site), this method requires the manual intervention of a CA operator, which delays validation. This method is supported, but not recommended.

website-change
  To prove control of the domain, the Applicant must publish a plain text (.txt) file on the HTTP server of the domain (or of a higher-level domain). The file must contain only the unique confirmation value generated by the CA (*), with no spaces or newlines, and must be published at the following URL:

  http(s)://domain/.well-known/pki-validation/actalis.txt

  The CA automatically checks that the file is present on the server, at the expected path and with the expected contents. To create the text file actalis.txt, use a plain text editor (e.g. Notepad under Windows): a word processor would add formatting, so the contents would no longer match the expected value.

  Please note that:
    • no other path may be used: /.well-known/pki-validation/ is the standardised location for this check
    • the period "." before "well-known" is not a typo: it is required
    • HTTP redirects are not followed by the CA, so the file must be served directly at that URL (a 3xx response makes the check fail)

dns-change
  To prove control of the domain, the Applicant must publish a TXT record on the DNS server of the domain (or of a higher-level domain). The TXT record must have the following value:

  actalis-dcv=confirmationValue

  ...where confirmationValue is the unique confirmation value generated by the CA (*). The CA automatically checks that the expected TXT record is present for the domain, with the expected value. To verify that the TXT record has been published (and is visible from public resolvers, not only from your authoritative server), you can use the nslookup command (under Windows) or the dig command (under Linux).

query-aruba
  This method may only be used for domains registered and managed by Aruba. In that case, no action is required of the Applicant to prove control of the domain: the CA itself checks the database of domains managed by Aruba S.p.A. Validation may take several hours, depending on the availability of operators.

(*) This value is communicated to the Technical Contact by the Actalis customer care team (for certificate requests via email) or displayed to the Applicant (for web-based certificate requests).
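As an added example (not Actalis's own code or procedure), the following Python script lets an Applicant pre-check the two automated methods above the way the CA's checker will see them: it fetches the validation file without following redirects and compares the body byte-for-byte with the confirmation value, and it queries TXT records with dig and looks for exactly actalis-dcv=<value>. Walking up to higher-level domains by dropping labels and stopping at two labels is a simplification (a CA stops at the registrable domain using the Public Suffix List); that dig is on PATH, and that the comparison is an exact match, are assumptions of this example.

```python
# Added example, not Actalis code: pre-flight checks for the website-change and
# dns-change DCV methods. Assumptions: exact byte match for the file body, exact
# string match for the TXT value, "higher-level domain" approximated by dropping
# labels down to two, and `dig` available on PATH for the live DNS lookup.
import subprocess
import sys
import urllib.error
import urllib.request

WELL_KNOWN_PATH = "/.well-known/pki-validation/actalis.txt"
TXT_PREFIX = "actalis-dcv="


def candidate_domains(fqdn):
    """Return the FQDN itself followed by each higher-level domain (down to two labels)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def website_body_matches(status, body, token):
    """website-change: a 200 response whose body is exactly the token (no trailing newline)."""
    return status == 200 and body == token.encode("ascii")


def dns_txt_matches(records, token):
    """dns-change: some TXT record whose value (quotes stripped) is actalis-dcv=<token>."""
    expected = TXT_PREFIX + token
    for record in records:
        value = record.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # dig +short prints each TXT string quoted
        if value == expected:
            return True
    return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx, as the CA does; the 3xx then surfaces as an HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_website_file(domain, scheme="https", timeout=10):
    """Fetch the validation file without following redirects; returns (status, body)."""
    url = f"{scheme}://{domain}{WELL_KNOWN_PATH}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""  # includes 301/302 from an http->https redirect
    except (urllib.error.URLError, OSError):
        return None, b""


def fetch_txt_records(domain):
    """Query TXT records with dig (the command the page recommends under Linux)."""
    out = subprocess.run(["dig", "+short", "TXT", domain],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]


def preflight(fqdn, token, scheme="https"):
    """For each candidate domain, report whether either automated method would pass."""
    results = {}
    for domain in candidate_domains(fqdn):
        status, body = fetch_website_file(domain, scheme=scheme)
        results[domain] = {
            "website-change": website_body_matches(status, body, token),
            "dns-change": dns_txt_matches(fetch_txt_records(domain), token),
        }
    return results


if __name__ == "__main__":
    # usage: python dcv_preflight.py www.example.com <confirmationValue> [http|https]
    scheme_arg = sys.argv[3] if len(sys.argv) > 3 else "https"
    for dom, res in preflight(sys.argv[1], sys.argv[2], scheme_arg).items():
        print(dom, res)
```

Because the CA does not follow redirects, a server that answers http with a 301 to https fails the website-change check on the http URL even though the file is reachable over https; run the script with both schemes and make sure the file is served directly on whichever one the CA will fetch. A body that matches except for a trailing newline added by the editor also fails, which is why the page insists on a plain text editor and no newlines.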
 
Important notes:
 
  • Domain validations must be completed within 30 days; after that they are regarded as failed.
  • After a successful domain validation, the validation of that domain remains valid for 12 months. During this period the Applicant can obtain one or more certificates containing that domain without further validation; once 12 months have passed since the last validation, a new validation is required before further certificates containing that domain can be issued.
 
Warning: the range of supported domain validation methods may change as a consequence of regulatory changes (e.g. updates to the CA/Browser Forum's Baseline Requirements) and/or if a method is shown to be vulnerable to attack.
  • Maximum certificate lifespan from September 1, 2020
    A major browser vendor recently announced that, as of September 1, 2020, it will no longer treat as valid and secure SSL certificates issued after that date with a validity of more than 398 days (roughly one year plus one month).
    For this reason, from August 3, 2020, SSL certificates issued by Actalis have a maximum validity of one year, not counting the renewal notice period.
    Until August 3, 2020, SSL certificates with 24 months of validity can still be purchased and activated; certificates activated before that date remain valid until their expiry.
  • eIDAS certificates for PSD2
    The entry into force of the second European Payment Services Directive (PSD2) has triggered a revolution in the world of online payments. From mid-September 2019, transactions between EU banks and third-party payment service providers (TPPs) must be secured with qualified certificates complying with the eIDAS regulation: qualified website authentication certificates (QWAC) and/or qualified certificates for electronic seals (QSealC) containing certain PSD2-related information about the Subject. If you need these certificates, please write to info@actalis.it