Knowledge Base

How do I complete domain validation using the HTTP/HTTPS method?

Overview

This article shows how to prove control of a domain by serving a small text file over HTTP or HTTPS. After checking the Prerequisites, you work through the numbered Steps to locate the hash values, build the validation file, place it under /.well-known/pki-validation/, and trigger Verification from Sectigo's Validation Manager. The method also works for IP-address certificates but not for wildcard names. 

Prerequisites 

  • Each hostname on the certificate runs a web service on port 80 or 443. 

  • The service is reachable from any geographic location with no IP-based or geo restrictions. 

  • You have the MD5 and SHA-256 hash values of the Certificate Signing Request (CSR), shown in the Sectigo interface during DCV setup, and, optionally, the unique value supplied by Sectigo. 

  • You have access to the Sectigo Validation Manager (linked in the order confirmation email if the certificate was ordered through a partner). 

Note: IP-address DCV can be completed only with the HTTP/HTTPS CSR hash method. This method cannot validate certificates that include wildcard name

Steps 

Step 1 — Locate the hash values 

If the certificate was ordered from sectigo.com, the MD5 and SHA-256 hashes appear in the Sectigo web interface after setup is complete. If it was ordered through a partner, open the Validation Manager link from the order confirmation email, click Check Status, then Show alternative DCV information, and select the HTTP CSR Hash tab. 

Figure 1: Check Status in Sectigo web interface

Figure 2: Choose Alternative DCV method in Sectigo web interface

Figure 3: Click on Show alternative DCV to find Hash Values

Figure 4: Click on HTTP CSR hash to find HTTP text values

Step 2 — Create the validation file

Create a plain text file named with the MD5 hash and a .txt extension. The file must contain three lines:

  • Line 1: the SHA-256 hash of the CSR

  • Line 2: sectigo.com

  • Line 3: the unique value supplied by Sectigo, if one was issued

Example file name: C7FBC2039E400C8EF74129EC7DB1842C.txt

Step 3 — Upload the file

Upload the file to the /.well-known/pki-validation/ directory of the web server that responds for the domain, so it is reachable at a URL of the form http://domain.com/.well-known/pki-validation/<MD5>.txt.

If you want both the apex domain and the www subdomain included in the certificate, place the validation text file at both domain.com and www.domain.com, so that it is reachable at http://domain.com/.well-known/pki-validation/<MD5>.txt and http://www.domain.com/.well-known/pki-validation/<MD5>.txt.

Each hostname listed on the certificate is validated independently, so the file must be served from every name you want covered.

Serve the file as Content-Type: text/plain.

Do not redirect to HTTPS in a way that breaks the path; the CA follows redirects, but the final response must return the file.

Step 4 — Trigger Check Status

In the Validation Manager, open the order, click Check Status, then Show alternative DCV information, and select the HTTP CSR Hash tab. Sectigo retrieves the file and updates the validation state.

Verification

  • Open the file Uniform Resource Locator (URL) in a browser and confirm the three lines are returned exactly as written.

  • If the file is visible in the browser but Sectigo still reports a failure, check for trailing whitespace, byte-order marks, the wrong MD5 case, or a Content Delivery Network (CDN) that serves a cached 404.

  • Re-run Check Status after each fix; no reissue is required.
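The checks from the Verification list can be run against a fetched response before re-running Check Status. The following is an added example, not Sectigo's code: the function name, the SHA-256 and unique-value samples, and the tolerance for a single final newline are assumptions, and only the MD5 is the article's example file name.

```python
BOM = b"\xef\xbb\xbf"  # UTF-8 byte-order mark

def check_dcv_response(status, file_name, content_type, body,
                       md5_shown, sha256_shown, unique_value=None):
    """Return a list of problems; an empty list means the response fits the format."""
    problems = []
    if status != 200:  # e.g. a CDN still serving a cached 404
        problems.append(f"HTTP status {status}")
    expected_name = md5_shown + ".txt"
    if file_name != expected_name:
        case_only = file_name.lower() == expected_name.lower()
        problems.append("file name differs from the shown MD5 only by case"
                        if case_only else "file name is not <MD5>.txt")
    if content_type.split(";")[0].strip().lower() != "text/plain":
        problems.append("Content-Type is not text/plain")
    if body.startswith(BOM):
        problems.append("byte-order mark before line 1")
        body = body[len(BOM):]
    lines = body.decode("utf-8", errors="replace").split("\n")
    if lines[-1] == "":  # assumption: one terminating newline is harmless
        lines.pop()
    expected = [sha256_shown, "sectigo.com"] + ([unique_value] if unique_value else [])
    if len(lines) != len(expected):
        problems.append(f"expected {len(expected)} lines, found {len(lines)}")
    for number, (got, want) in enumerate(zip(lines, expected), start=1):
        if got != got.rstrip():  # spaces, tabs, or a CR left by a Windows editor
            problems.append(f"trailing whitespace on line {number}")
        if got.strip() != want:
            problems.append(f"line {number} does not match the expected value")
    return problems

# Constructed sample values; only the MD5 is the article's example file name.
MD5 = "C7FBC2039E400C8EF74129EC7DB1842C"
SHA256 = "0123456789ABCDEF" * 4            # placeholder, not a real CSR hash
UNIQUE = "constructed-unique-value"        # placeholder
GOOD_BODY = f"{SHA256}\nsectigo.com\n{UNIQUE}\n".encode()
BAD_BODY = BOM + f"{SHA256} \r\nsectigo.com\r\n".encode()

def demo():
    good = check_dcv_response(200, MD5 + ".txt", "text/plain", GOOD_BODY, MD5, SHA256, UNIQUE)
    bad = check_dcv_response(200, MD5.lower() + ".txt", "text/html; charset=utf-8",
                             BAD_BODY, MD5, SHA256, UNIQUE)
    return good, bad

if __name__ == "__main__":
    for result in demo():
        print(result or "no problems found")
```

Pass in the status, Content-Type header and raw body bytes from whatever client fetched the URL, so the comparison is made on the bytes actually served rather than on a browser's rendering.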

Similar questions

  • Where do I create the HTTP/HTTPS text file?

  • How do I find the HTTP hash text values?

  • How do I verify that the text file is published?

  • The HTTP file is visible in a browser but validation still fails — what next?

  • What values do I put in the text file for the HTTP DV method?
