Domain control validation flow
To obtain Universal, Advanced, and Custom hostname certificates, Cloudflare partners with different publicly trusted certificate authorities (CAs).
However, every time a CA is requested to issue or renew a certificate, the requester must prove that they have control over the domain. That is when the DCV process takes place, with the proof usually consisting of placing an HTTP token at a standard URL path (/.well-known/pki-validation
), or placing a TXT record at the authoritative DNS provider.
For the use cases mentioned above, there are three different parties involved in the process:
- The website or application for which the certificate is issued.
- The requester (Cloudflare).
- The CA that processes the request.
In summary, five steps have to succeed after Cloudflare requests a CA to issue or renew a certificate:
- Cloudflare receives the DCV tokens from the CA.
- Cloudflare either places the tokens on your behalf (Full DNS setup, Delegated DCV), or makes the tokens available for you to place them.
- Cloudflare polls the validation URLs to check for the tokens.
- After Cloudflare can confirm that the tokens are placed via multiple DNS resolvers, the CA is asked to check as well.
- If the CA can confirm the tokens are placed, the certificate gets issued. If the CA cannot confirm the tokens are placed, the certificate is not issued and the tokens are no longer valid.
- Settings that interfere with the validation URLs - firewall blocks or misconfigured DNSSEC, for example - can cause issues with your certificate issuance or renewal. Refer to the troubleshooting guide.
-
When your certificate is in
pending_validation
and valid tokens are in place, some security features targeting your zone’s path for/.well-known/*
can be automatically bypassed. - Certificate authority authorization (CAA) records may block certificate issuance. Refer to CAA records.
DCV tokens are generated and controlled by the CA and not by Cloudflare. You can find further technical specification of how they work in RFC 8555 ↗.
-
As mentioned in Step 5, DCV tokens will change upon verification failures. For example, if a DCV check fails because of a DNSSEC issue, the certificate order is no longer valid and Cloudflare must start a new certificate request. Since tokens cannot be reused, a new token is required.
-
DCV tokens also have validity periods. If you are handling the DCV process manually, it is recommended that you place the tokens as soon as the certificate is up for renewal. Otherwise, the tokens may expire and new tokens will be required.