How to complete DCV using the CNAME method
Overview
By the end of this article, you will be able to publish the correct Canonical Name (CNAME) record for Domain Control Validation (DCV) and confirm it has propagated. The article shows where to find your Certificate Signing Request (CSR) hash values in the Sectigo portal, the exact CNAME record format (hostname, type, value), an example record, and the online tools used to verify Domain Name System (DNS) propagation.
When to use CNAME-based DCV
CNAME-based DCV requires a unique CNAME record that points back to Sectigo. The record must be created on the public DNS server of the domain. Sectigo queries every possible level of the Fully Qualified Domain Name (FQDN) to validate ownership.
Find your CSR hash values
Hash values are derived from your CSR and shown after you complete Setup:
- If you ordered from sectigo.com, the hash values appear in the Sectigo web interface after Setup. Click Check Status next to the order to open the validation page.
- If you ordered through a Sectigo partner, open the Validation Manager link in your order confirmation email.
- On the validation page, click Show Alternative DCV Information to reveal the CSR hashes, the formatted CNAME record, and the HTTP text-file value. Click the CNAME CSR Hash tab to see the exact record to publish on DNS.
CNAME record format
Build the CNAME record using three fields. The hostname uses the Message Digest 5 (MD5) hash of the CSR; the value uses the Secure Hash Algorithm 256-bit (SHA-256) hash split into two halves, plus an optional unique value when a key is reused.
- Hostname: _MD5-HASH-OF-CSR.yourdomain.tld.
- Type: CNAME
- Value: SHA256-Hash-First-32.SHA256-Hash-Last-32.[UNIQUE-VALUE].sectigo.com.
Note: The [UNIQUE-VALUE] portion is generated only when a key is reused across orders or reissues. Use the value Sectigo displays exactly — do not modify case or add characters. TLD stands for Top-Level Domain (for example, .com).
Figure 1: Check Status in Sectigo Web interface
Figure 2: Click on “CHECK STATUS” button to redirect to a new webpage where you can find the Values for Domain Control Validation.
Figure 3: Click on “Show Alternative DCV information” to find the CSR Hash and formatted CNAME record, HTTP text file values
Figure 4: Click on CNAME CSR HASH tab to see the CNAME record values to be created on DNS Server.
Example CNAME record
- Name: _c7fbc2039e400c8ef74129ec7db1842c.example.com.
- Type: CNAME
- Value: c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.sectigo.com.
Figure 5: Adding CNAME record in DNS
Figure 6: Propagated CNAME record in DNS
Verify DNS propagation
After you publish the CNAME, wait a few minutes and confirm it resolves correctly using any public DNS lookup tool. Sectigo only validates after the record is visible to external resolvers.
- Google Admin Toolbox Dig: https://toolbox.googleapps.com/apps/dig/#CNAME/
- whatsmydns.net: https://www.whatsmydns.net/
The returned value must match the Sectigo-provided value exactly. Once propagation is confirmed, Sectigo's automated check completes DCV and the certificate is issued.
Figure 7: Checking using whatsmydns.net
Figure 8: Checking using google admin toolbox
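A local pre-check for the record described in this article, as an added example that is not Sectigo's code: it rebuilds the expected hostname and value from a CSR and classifies what a public resolver returned. It assumes the hashes are taken over the DER-encoded CSR; the function names, the `zone-appended` diagnosis and the sample resolver answers are constructed for illustration, and the value Sectigo displays remains authoritative.

```python
import base64
import hashlib

def csr_der(csr_pem: str) -> bytes:
    """Drop the PEM armor lines and decode the base64 body to DER bytes."""
    lines = (ln.strip() for ln in csr_pem.splitlines())
    body = [s for s in lines if s and not s.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)

def expected_record(csr_pem: str, domain: str, unique_value: str = "") -> tuple:
    """Build (hostname, value) in the layout this article gives."""
    der = csr_der(csr_pem)  # assumption: the hashes cover the DER encoding
    md5 = hashlib.md5(der, usedforsecurity=False).hexdigest()  # identifier only
    sha = hashlib.sha256(der).hexdigest()
    labels = [sha[:32], sha[32:]]
    if unique_value:  # shown by Sectigo only when a key is reused
        labels.append(unique_value)
    labels.append("sectigo.com")
    return f"_{md5}.{domain.rstrip('.')}.", ".".join(labels) + "."

def canonical(name: str) -> str:
    """DNS names compare case-insensitively; the trailing dot is notation."""
    return name.strip().rstrip(".").lower()

def check_answer(expected_value: str, answers: list, zone: str) -> str:
    """Classify the CNAME targets a public resolver returned for the hostname."""
    want = canonical(expected_value)
    got = [canonical(a) for a in answers]
    if not got:
        return "missing"        # not published, or not yet propagated
    if want in got:
        return "ok"
    if f"{want}.{canonical(zone)}" in got:
        return "zone-appended"  # the DNS host appended the zone to the value
    return "mismatch"

if __name__ == "__main__":
    # Record value from the article's example; resolver answers are constructed.
    value = "c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.sectigo.com."
    print(check_answer(value, [value], "example.com"))
    print(check_answer(value, [value.rstrip(".") + ".example.com."], "example.com"))
    print(check_answer(value, [], "example.com"))
```

A `zone-appended` result usually means the DNS host treated the value as relative to the zone; re-enter it in the form the provider expects for a fully qualified target.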
Similar questions
- Where should a CNAME record be added for DCV?
- How do I find the CNAME record values for my order?
- How do I verify that the CNAME record has propagated?
- Where do I create the CNAME record?