

GlobalSign: What is the DCV challenge?

The DCV challenge (DCV stands for Domain Control Validation) is a procedure that lets us confirm that the person requesting a certificate is duly authorized to do so by the domain's technical manager. Validation of the DCV challenge triggers the certificate issuance. It is an additional vetting step.

The different kinds of DCV challenge

You can choose among several kinds of DCV challenge when placing your certificate orders:

The DCV E-mail

It is quite simple: an e-mail is sent to an e-mail address listed in the domain's registration record (WHOIS) or to one of the following generic addresses:

  • admin@dom.ain
  • administrator@dom.ain
  • hostmaster@dom.ain
  • webmaster@dom.ain
  • postmaster@dom.ain

The list of e-mail addresses depends on the FQDN requested in the order form (the Internet address to be secured, as provided in the CSR).
If none of those e-mail addresses is valid, you can edit the contact information in your domain name's registration data via your domain name supplier.

You can also modify the address and request the e-mail to be sent again via your certificate status page.

How to get prepared?

To pass this control, you will have to be the recipient of the DCV e-mail.

You are invited to check right now that you'll actually be able to receive e-mails on one of the generic addresses above. Run some tests by sending e-mails to those addresses.
Make sure as well that your anti-spam system won't hold e-mails from: no_reply@globalsign.com

If you are not a recipient of any of those addresses, ask the people who are to forward the DCV e-mails to you.

However, we advise creating one of these addresses that does not exist yet (administrator@dom.ain?) and pointing it directly at you. You'll save a lot of time and won't have to wait for someone to forward you the e-mail.

If you are a supplier requesting a certificate for one of your customers, you'll have to pass the information on. If you manage their domain names as well, make sure there is a redirection from the generic address to your customer's e-mail address.

When is this e-mail sent?

The DCV e-mail is sent when your order is transferred to the certification authority. It is valid for 30 days.
From your certificate status page you can follow the audit progress and have the e-mail re-sent to the selected address.

The DCV by e-mail address present in the DNS

To use this method, you must add a TXT entry in your DNS configuration. The entry should be in the following form:

  • Subdomain: _validation-contactemail
  • Value: email@example.fr

After saving, the result is:

dig txt _validation-contactemail.easyx509.com
 
;; ANSWER SECTION:
_validation-contactemail.easyx509.com. 3600 IN TXT "devcert-dnstxt@tbs-internet.com"

In the same way as the DCV E-mail method, an e-mail will be sent to the address registered in the DNS record.

GlobalSign does not offer this option automatically. You will need to contact us if you wish to use this method of DCV validation.

The DCV HTTP / HTTPS

Note: Since December 1st, 2021, following a CA/B Forum decision, the HTTP or HTTPS DCV method can no longer be used for wildcard certificates. Only the e-mail and DNS methods will be offered to you.

How does it work?

When your order is transferred to the certification authority, a code is created from your CSR. Copy this code into a text file named "gsvd.txt". This file should be in the .well-known/pki-validation/ sub-directory of your site, served over HTTP or HTTPS (the file must be accessible via the Internet). A robot will check for the presence of this file, then its contents. If the contents are consistent with the information given, the challenge will be validated.

For example, if you want a certificate to secure subdom.domain.com, the robot will look for the file in the .well-known/pki-validation/ sub-directory of subdom.domain.com. For a multi-site certificate securing several sub-domains, one file will have to be placed in the .well-known/pki-validation/ sub-directory of each sub-domain.

If you are using Windows Server, creating the .well-known directory can be difficult; this is why we have published documentation about this step.

As a reminder: this file must be named "gsvd.txt" and must be neither renamed nor edited.

IP addresses of GlobalSign servers

Need to configure permissions for accessing your HTTP file? Here are the GlobalSign IPs:

  • 104.18.21.226
  • 104.18.20.226

The DCV DNS - The specialist's solution

It is a technical operation that consists of adding a TXT entry to your server's DNS configuration.

How does it work?

When your order is transferred to the certification authority, the CSR you provided is hashed and you will have to configure your server with the resulting value. The TXT entry will have the form:

_globalsign-domain-verification=codesecret

For example:

subdom.domain.com.     3600    IN      TXT     "_globalsign-domain-verification=20180222202651ztkf61glu4h63r88opc9g1n5y5hveqf8r2t7cwuxugdiu72x1y"

Warning: If you use a hosting company such as OVH or GANDI, the configuration will not be taken into account instantaneously. It takes from 10 minutes to an hour for the modification to become effective (not to mention the propagation time defined in your DNS configuration: TTL).
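A pre-flight check for the DNS method, added here as an example (it is not part of the original page or of GlobalSign's tooling): it parses a dig answer section and confirms that the exact value is published at the requested FQDN before you relaunch the challenge. The function names txt_values and check_dcv_txt are hypothetical, the sample answer is constructed, and the record is assumed to sit at the FQDN itself, as in the example record above.

```shell
#!/bin/sh
# Added example: pre-flight check for the DNS DCV method.
# Live use (dig's +noall +answer prints only the answer section):
#   dig +noall +answer TXT subdom.domain.com | check_dcv_txt subdom.domain.com "$EXPECTED"

# txt_values FQDN: read dig answer lines on stdin and print every TXT value
# published at exactly that owner name, one per line, without the quotes.
txt_values() {
  awk -v want="$(printf '%s' "${1%.}." | tr 'A-Z' 'a-z')" '
    tolower($1) == want && $3 == "IN" && $4 == "TXT" {
      rest = $0
      sub(/^[^"]*/, "", rest)        # keep only the quoted rdata
      gsub(/"[ \t]+"/, "", rest)     # re-join a value split into several strings
      gsub(/^"|"$/, "", rest)        # drop the outer quotes
      print rest
    }'
}

# check_dcv_txt FQDN EXPECTED: exit 0 only if one TXT value equals EXPECTED
# character for character (a truncated or edited value does not count).
check_dcv_txt() {
  txt_values "$1" | grep -Fxq -- "$2"
}

# Value taken from the example record on this page.
EXPECTED='_globalsign-domain-verification=20180222202651ztkf61glu4h63r88opc9g1n5y5hveqf8r2t7cwuxugdiu72x1y'

# Constructed dig answer section: an unrelated SPF record, the correct DCV
# record on the FQDN, and a truncated copy placed on the parent domain.
SAMPLE='subdom.domain.com. 3600 IN TXT "v=spf1 -all"
subdom.domain.com. 3600 IN TXT "_globalsign-domain-verification=20180222202651ztkf61glu4h63r88opc9g1n5y5hveqf8r2t7cwuxugdiu72x1y"
domain.com. 3600 IN TXT "_globalsign-domain-verification=20180222202651ztkf61glu4h"'

for name in subdom.domain.com domain.com; do
  if printf '%s\n' "$SAMPLE" | check_dcv_txt "$name" "$EXPECTED"; then
    echo "$name: expected DCV value is published"
  else
    echo "$name: expected DCV value missing or altered"
  fi
done
```

Querying your authoritative name server directly (dig @server) shows whether the change has been saved, independently of resolver caches still waiting on the TTL.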

Specific procedures

How to relaunch the DCV challenge?

Whatever type of DCV challenge you selected, it can always be relaunched (either by asking for the e-mail to be sent again or for the robot to check the .txt file or the DNS configuration again).

To do so, go to your certificate status page and click on the 'Follow up on DCV challenge' button.

If you encounter difficulties, it is possible to contact GlobalSign support directly by chat: GlobalSign support.
Go down to the bottom of the page and click on "Chat with Us" and then on the right side "Live chat".

Which products are concerned?

All GlobalSign certificates. The procedure is applied to new orders, renewals or reissuances.

DCV DNS, HTTP and HTTPS: The robot schedule

If, during its first visit, the robot does not find the file, it comes again regularly:

  • Every minute for the first 15 minutes
  • Every five minutes for an hour
  • Every 15 minutes for 4 hours
  • Every hour for a day
  • Every 4 hours for 2 weeks
  • and every day for 30 days