DCV policy
All certificate types (single, wildcard, multi-domain) can be validated with any of the available DCV mechanisms. Multi-domain certificates (MDC/UCC) can use different mechanisms for each FQDN in the request.
Reissuing
Reissuing a certificate requires revalidation, with one exception: already-validated FQDNs do not need to be revalidated if the CSR for the reissue is generated with the same private key. If a new private key is used to generate the CSR, DCV must be performed again, by any of the available methods, for all FQDNs in the request before the certificate can be issued. This also applies to reissues that add or remove domains on multi-domain certificates.
Note: Due to the requirements introduced by CA/Browser Forum Ballot SC45, revalidation of already validated FQDNs is required when a certificate is reissued using the same private key and the FQDNs were previously validated using HTTP-based DCV completed before November 22, 2021.
Resending DCV emails
DCV emails can be resent from the web interface or via the ResendDCVEmail API.
For single-domain certificate orders, this resends the DCV email. For multi-domain certificate orders, it resends DCV emails for all outstanding FQDNs.
If a non-email DCV method has been selected for a domain, the ResendDCVEmail API can be used to reset the frequency at which practical control is tested.
For more information, see DCV methods.
www. subdomains
We no longer consider proof of control of www.DOMAIN as also proving control of DOMAIN.
Previously, for HTTP-based DCV (for example, HTTP_CSR_HASH), validation of www.example.com was also accepted as validation for example.com when both FQDNs were included in the certificate request.
Except for HTTP-based DCV methods, validating example.com remains sufficient for certificates containing both example.com and www.example.com.
For HTTP-based DCV, each FQDN must be validated separately.
Multi-domain certificates
Multi-domain certificates (MDCs, UCCs) require DCV for every FQDN included in the order. Any supported DCV method can be used. After you place the order, DCV can be completed in the web interface:
- Log in to your account and locate the order.
- For each FQDN, select a valid approval email address, or choose an alternative DCV method.
Note: For each FQDN, you can also choose HTTP, HTTPS, or DNS CNAME validation.
If some FQDNs cannot be validated, you can remove them from the request and issue the certificate with only the validated domain names.
Note: Starting June 15, 2025, WHOIS-based email addresses can no longer be used for domain validation, and previously completed validations using WHOIS email addresses cannot be reused.
Note: Continued use of email-based DCV methods is discouraged. In line with CA/B Forum Ballot SC-090, all email-based DCV methods are on a deprecation path, with full industry deprecation expected by early 2028. Plan to migrate to DNS-based or HTTP-based validation methods.
Multi-domain certificate API details
Ordering and DCV email address parameters
Multi-domain orders use dcvEmailAddresses (plural) instead of the single-domain dcvEmailAddress parameter.
dcvEmailAddresses accepts a list of values with the following rules:
- There must be one value per FQDN in domainNames.
- Values must be in the same order as domainNames.
Unlike single-domain API orders, multi-domain orders are not rejected if an email address is invalid. The order is accepted, but the DCV email is not sent. You can then edit the address in the web interface.
Use only valid DCV email addresses for each domainName. Valid addresses can be obtained using one of the following:
- One of the default five approval addresses (see DCV methods).
- The GetDCVEmailAddressList API for the domain.
Our system attempts to send as few emails as possible. If multiple FQDNs exist within the same registered domain name, a single DCV email will be sent.
Using HTTP and DNS methods via the API
For each entry in domainNames, provide one corresponding value in dcvEmailAddresses (in the same order).
Use either a valid DCV approval email address, or one of the following values:
- HTTPCSRHASH (HTTP DCV)
- HTTPSCSRHASH (HTTPS DCV)
- CNAMECSRHASH (DNS CNAME DCV)
- DNSTXTRNDVAL (DNS TXT DCV)
If you want to validate all domains using the same alternative method, you can pass a single value in dcvEmailAddresses.
The possible values are:
- ALLHTTPCSRHASH
- ALLHTTPSCSRHASH
- ALLCNAMECSRHASH
- ALLDNSTXTRNDVAL
In this case, the selected value must be the only value provided for dcvEmailAddresses, and the system will attempt to validate all FQDNs using that method.
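Because a multi-domain order with a bad dcvEmailAddresses entry is accepted silently (the DCV email is simply never sent), it is worth checking the list before submitting. The following is an added example, not the CA's own code: it applies the rules above (one positional value per FQDN, the four per-FQDN method tokens, a lone ALL* token) to a Python list. It assumes the "default five" approval mailboxes are the CA/B Forum Baseline Requirements addresses and does not enforce the public-suffix boundary when matching an address to a parent domain.

```python
from typing import List

# Method tokens copied from the page: one per FQDN, or one ALL* token for the whole order.
PER_FQDN_METHODS = {"HTTPCSRHASH", "HTTPSCSRHASH", "CNAMECSRHASH", "DNSTXTRNDVAL"}
ALL_METHODS = {"ALLHTTPCSRHASH", "ALLHTTPSCSRHASH", "ALLCNAMECSRHASH", "ALLDNSTXTRNDVAL"}
# Assumption: the "default five" approval mailboxes are the Baseline Requirements
# constructed addresses; the page itself defers to "DCV methods" for the list.
APPROVAL_LOCALPARTS = {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}


def _is_approval_address(addr: str, fqdn: str) -> bool:
    """True if addr is <approval mailbox>@<fqdn or a parent of fqdn>.
    Simplification: the public-suffix boundary (e.g. admin@co.uk) is not checked."""
    local, _, domain = addr.lower().rpartition("@")
    if local not in APPROVAL_LOCALPARTS or not domain:
        return False
    fqdn = fqdn.lower()
    return fqdn == domain or fqdn.endswith("." + domain)


def check_dcv_email_addresses(domain_names: List[str], dcv_values: List[str]) -> List[str]:
    """Return a list of problems with dcvEmailAddresses; an empty list means it is acceptable."""
    problems: List[str] = []
    # Shortcut form: a single ALL* token asks the CA to validate every FQDN with that method.
    if len(dcv_values) == 1 and dcv_values[0] in ALL_METHODS:
        return problems
    if any(v in ALL_METHODS for v in dcv_values):
        problems.append("an ALL* value must be the only entry in dcvEmailAddresses")
    if len(dcv_values) != len(domain_names):
        problems.append(f"expected {len(domain_names)} values (one per FQDN), got {len(dcv_values)}")
        return problems
    # Values are positional: entry i belongs to domainNames[i].
    for fqdn, value in zip(domain_names, dcv_values):
        if value in PER_FQDN_METHODS or _is_approval_address(value, fqdn):
            continue
        problems.append(f"{fqdn}: {value!r} is neither a method token nor an approval address")
    return problems


if __name__ == "__main__":
    # Constructed order: the apex via email, the www host via HTTP DCV (each validated separately).
    print(check_dcv_email_addresses(["example.com", "www.example.com"],
                                    ["admin@example.com", "HTTPCSRHASH"]))
```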