Cloudflare Docs

Domain Control Validation (DCV) — SSL/TLS

Before a Certificate Authority will issue a certificate for a domain, the requestor must prove they have control over that domain. This process is known as domain control validation (DCV).

DCV situations

No DCV required (Full DNS setup)

If your domain is on a full setup — meaning that Cloudflare runs your authoritative nameservers — Cloudflare handles DCV automatically on your behalf using a TXT record. For more details, refer to Enabling Universal SSL.


DCV sometimes required (Partial DNS setup)

If your application is on a partial DNS setup — meaning that someone else runs your authoritative nameservers — you may need to perform additional steps to complete DCV.

Non-wildcard certificates

If every hostname on a non-wildcard certificate is proxying traffic through Cloudflare, Cloudflare can automatically complete DCV on your behalf.

This applies to customers using Universal or Advanced certificates.

If one of the hostnames on the certificate is not proxying traffic through Cloudflare, certificate issuance and renewal will vary based on the type of certificate you are using:

  • Universal: Perform DCV using one of the available methods.
  • Advanced: In most cases, you can opt for Delegated DCV, which greatly simplifies certificate management.

Wildcard certificates

For wildcard hostname certificates, certificate issuance and renewal vary based on the type of certificate you are using:

  • Universal: Perform DCV using one of the available methods.
  • Advanced: In most cases, you can opt for Delegated DCV, which greatly simplifies certificate management.

If you cannot use Delegated DCV, you need to use TXT-based DCV for certificate issuance and renewal. This means you will need to place one TXT DCV token for every hostname on the certificate. If one or more of the hostnames on the certificate fails to validate, the certificate will not be issued or renewed.

This means that a wildcard certificate covering example.com and *.example.com will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider.
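The one-token-per-hostname rule can be audited before a renewal window. The following is an added example, not Cloudflare's code: it checks a constructed zone snapshot against constructed tokens and shows the common failure where the wildcard token overwrites the apex token. The `_acme-challenge` record naming (ACME DNS-01 style) is an assumption, as are all function names and token values.

```python
# Added example: offline audit of TXT DCV tokens against a zone snapshot.
# Assumption: ACME DNS-01 style naming, where the token for a hostname lives at
# _acme-challenge.<hostname> and a leading "*." is dropped for wildcards, so
# example.com and *.example.com need two TXT values at the same record name.

def dcv_record_name(hostname: str) -> str:
    """TXT record name that validates `hostname` (assumed naming scheme)."""
    base = hostname[2:] if hostname.startswith("*.") else hostname
    return "_acme-challenge." + base.rstrip(".").lower()

def parse_txt_records(zone_text: str) -> dict[str, set[str]]:
    """Parse lines of the form: name TXT "value" into {name: {values}}."""
    records: dict[str, set[str]] = {}
    for line in zone_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].upper() == "TXT":
            name = parts[0].rstrip(".").lower()
            records.setdefault(name, set()).add(parts[2].strip().strip('"'))
    return records

def audit_dcv(tokens: dict[str, str], zone_text: str) -> dict[str, bool]:
    """Map each certificate hostname to whether its own token is published."""
    published = parse_txt_records(zone_text)
    return {host: token in published.get(dcv_record_name(host), set())
            for host, token in tokens.items()}

def will_issue(status: dict[str, bool]) -> bool:
    """A single unvalidated hostname blocks the whole certificate."""
    return bool(status) and all(status.values())

# Constructed tokens, one per hostname on the certificate.
TOKENS = {
    "example.com": "tokenA-constructed",
    "*.example.com": "tokenB-constructed",
    "shop.example.com": "tokenC-constructed",
}
# Constructed zone: the wildcard token replaced the apex token at the shared name.
ZONE_OVERWRITTEN = '''
_acme-challenge.example.com.       TXT "tokenB-constructed"
_acme-challenge.shop.example.com.  TXT "tokenC-constructed"
'''
# Constructed zone: both values coexist at the shared name.
ZONE_COMPLETE = ZONE_OVERWRITTEN + '_acme-challenge.example.com. TXT "tokenA-constructed"\n'

if __name__ == "__main__":
    for label, zone in (("overwritten", ZONE_OVERWRITTEN), ("complete", ZONE_COMPLETE)):
        status = audit_dcv(TOKENS, zone)
        missing = [h for h, ok in status.items() if not ok]
        print(f"{label}: issue={will_issue(status)} missing={missing}")
```

In practice the zone text would come from an export of the authoritative DNS provider, which is where the tokens must be placed.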


​​ DCV outside of Cloudflare (Custom certificates)

If your domain is using a custom certificate, you need to handle DCV on your own when you obtain certificates from a CA.