The DNS record returned in the API response contains the date and a unique random string derived from the CSR and must be stored in a TXT - record:
- example.com IN TXT k5loo039okyyz1jlrde57ku091h1og39uv6enkzo1v265graqw
The DNS record must always be stored at the main domain, also for sub-domains.
For SAN SSL certificates, the TXT record for DNS based validation must be stated for all respective main domain(s), also for sub-domains.
Important: If your order contains a domain name in the format www.<domain_name>.com, Digicert/Symantec checks for the TXT record on <domain_name>.com and not on www.<domain_name>.com. During authentication, their systems treat both these values as separate entities. After <domain_name>.com is successfully authenticated, Digicert/Symantec can issue you certificates for both <domain_name>.com and www.<domain_name>.com. This handling does not apply to other sub-domains.
Exemplary domains in CSR
These require 4 TXT records at main domain level
- example.com IN TXT <string>
- something.example.com IN TXT <string>
- example.net IN TXT <string>
- anotherthing.example.org IN TXT <string>
The <string> is identical for these domains, it is generated of the CSR and is returned via API.
Additional information about Digicert/Symantec DNS-based authentication
Validates a DNS entry to authenticate the domain. DNS-based authentication is available for enroll (AddCertificate), reissue (ReissueCertificate), renewal (RenewCertificate), and revoke (DeleteCertificate) actions. For enroll, renew, and reissue, DNS-based authentication is only available for DV products. For revoke, DNS-based authentication is available for OV, DV, and EV products.
DNS authentication methods
The DNS entry is a TXT record on the requested domain. You can update an existing TXT record or create a new one. The content of TXT record is generated using a random string. The format of this entry is a random string and returned by our API as property[dnsauth name]. In the case of multiple orders, you can add multiple of such random string entries to the TXT record. Separate each entry with a line break, being careful not to break these random strings.
Example TXT record (new record)
If the domain does not have a DNS TXT record, create one.
auth.scan-test.net. 3600 IN TXT
Example TXT record (update existing record)
If the domain already has a DNS TXT record, update it with the combination for each order you want to verify.
auth.scan-test.net. 3600 IN TXT
"purpose=something mx a:mail.scan-test.net include:servers.scan-test.net ~all
Using DNS-based authentication
- Get the DNS entry and create or update a TXT record on the domain and all SANs with the correct content format. Do this step after you submit your order request.
- Test the TXT record using the UNIX dig <sub-domain> txt command and verify that the entry is correct. The TXT record should contain the respective random string for each order being verified.
- Submit your request with DNS authentication specified.
- Digicert/Symantec polls the domain for the DNS entry up to 30 days after the order was placed.
- Authentication completes when Symantec finds the entry.
Note: If your order contains a domain name in the format www.<domain_name>.com, Digicert/Symantec checks for the TXT record on <domain_name>.com and not on www.<domain_name>.com. During authentication, their systems treat both these values as separate entities. After <domain_name>.com is successfully authenticated, Digicert/Symantec can issue you certificates for both <domain_name>.com and www.<domain_name>.com. This handling does not apply to other sub-domains.
File and DNS authentication polling frequency
After you place an order with FILE or DNS authentication, Symantec polls each domain until the file or DNS entry is found or 30 days have passed. The polling interval is short immediately after the order is placed and gets longer as time passes. For faster order fulfillment, place the file or update the DNS entry as soon as possible after the order is placed.
- Every minute for the first 15 minutes
- Every five minutes for an hour
- Every 15 minutes for 4 hours
- Every hour for a day
- Every 4 hours for 2 weeks
- Every day for up to 30 days