Skip to content

Domain control validation (DCV)

Before a certificate authority (CA) will issue a certificate for a domain, the requester must prove they have control over that domain. This process is known as domain control validation (DCV).


For custom certificates, DCV will always be handled by you, when you request the certificate from the CA.

For certificates issued through Cloudflare, this process may be done automatically or it may require you to take action, as described in the following sections.


Full DNS setup - no action required

If your domain is on a full setup — meaning that Cloudflare runs your authoritative nameservers — Cloudflare handles DCV automatically on your behalf using a TXT record. For more details, refer to Enable Universal SSL.


Partial DNS setup - action sometimes required

If your application is on a partial DNS setup — meaning that Cloudflare does not run your authoritative nameservers — you may need to perform additional steps to complete DCV.

Non-wildcard certificates

If every hostname on a non-wildcard certificate is proxying traffic through Cloudflare, Cloudflare can automatically complete DCV on your behalf.

This applies to customers using Universal or Advanced certificates.

If one of the hostnames on the certificate is not proxying traffic through Cloudflare, certificate issuance and renewal will vary based on the type of certificate you are using:

  • Universal: Perform DCV using one of the available methods.
  • Advanced: In most cases, you can opt for Delegated DCV, which greatly simplifies certificate management.

Wildcard certificates

For wildcard hostname certificates, certificate issuance and renewal varies based on the type of certificate you are using:

  • Universal: Perform DCV using one of the available methods.
  • Advanced: In most cases, you can opt for Delegated DCV, which greatly simplifies certificate management.

If you cannot use Delegated DCV, you need to use TXT based DCV for certificate issuance and renewal. This means you will need to place one TXT DCV token for every hostname on the certificate. If one or more of the hostnames on the certificate fails to validate, the certificate will not be issued or renewed.

This means that a wildcard certificate covering example.com and *.example.com will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider.