Domain Validated Certificate


A Domain Validated Certificate is the lowest and most common Certificate Level Of Assurance issued by a Certificate Authority. It checks only the applicant's Control of a specific DNS Domain.

No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.

A Domain Validated Certificate is simply for confidentiality (e.g., encryption).

A Domain Validated Certificate is the lowest Certificate Level Of Assurance and usually consists only of "Domain Control Validation". The Registration Authority (or Certificate Authority) MUST only issue a certificate after performing Domain Control Validation (DCV). One way of validating domain ownership is HTTP validation, where the applicant uploads a text file to a specific HTTP endpoint on the Website they want to secure. Another DCV method is email verification, where an email with a validation code link is sent to the administrative contact for the DNS Domain.

HTTP Validation

Suppose Alice buys the DNS Domain name aliceswonderland.com and wants to get a dedicated certificate for this domain. Alice chooses to use Let’s Encrypt as her Certificate Authority. First, Alice must generate her own Private Key and create a Certificate Signing Request (CSR). She sends the CSR to Let’s Encrypt, but the Certificate Authority won’t issue a certificate for that CSR and Private Key until they know Alice owns aliceswonderland.com. Alice can then choose to prove that she owns this domain through HTTP validation.

When Let’s Encrypt performs DCV over HTTP, they require Alice to place a randomly named file in the /.well-known/acme-challenge path for her website. The CA must retrieve the text file by sending an HTTP GET request to http://aliceswonderland.com/.well-known/acme-challenge/<random_filename>. An expected value must be present on this endpoint for DCV to succeed.

For HTTP validation, Alice would upload a file to http://aliceswonderland.com/.well-known/acme-challenge/YnV0dHNz

where the body contains:

curl http://aliceswonderland.com/.well-known/acme-challenge/YnV0dHNz

GET /.well-known/acme-challenge/YnV0dHNz
Host: aliceswonderland.com

HTTP/1.1 200 OK
Content-Type: application/octet-stream

The CA instructs Alice to use the Base64 token YnV0dHNz. TEST_CLIENT_KEY is an account-linked key that only the certificate requestor and the CA know. The CA uses this field combination to verify that the certificate requestor actually owns the domain. Afterwards, Alice can get her certificate for her website!
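
An added example, not part of the original page or of any CA's code: how the response body for the exchange above is built and checked under RFC 8555 section 8.3, where the part after the dot (TEST_CLIENT_KEY above) is the base64url SHA-256 thumbprint (RFC 7638) of the ACME account public key. It goes beyond the page's placeholder values; the function names and the sample JWK are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import re

# RFC 8555 section 8.3: a token uses only the base64url alphabet, which also
# keeps it safe to place in the /.well-known/acme-challenge/ path.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed account public key (JWK). x and y are filler bytes, not a real
# curve point; only their encoded form matters for the thumbprint.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Value the applicant serves as the challenge file body."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token has characters outside the base64url alphabet")
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(token: str, jwk: dict, response_body: bytes) -> bool:
    """CA-side check of the body fetched from the challenge URL."""
    expected = key_authorization(token, jwk).encode("ascii")
    # Trailing whitespace is ignored; the comparison is constant-time.
    return hmac.compare_digest(response_body.rstrip(), expected)


if __name__ == "__main__":
    body = key_authorization("YnV0dHNz", SAMPLE_JWK)
    print(body, validate_http01("YnV0dHNz", SAMPLE_JWK, body.encode() + b"\n"))
```

Because the body is bound to the account key, a file served under the same token by a different ACME account fails the check.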

