Summary
This guide explains how to verify a domain using the automated Web Server domain validation method, and describes best practices that ensure Entrust can retrieve the random value.
Entrust offers various methods to verify your domain ownership when requesting digital certificates. One of the methods to verify control over the domain is the "Web Server" method, also referred to as the "Agreed-Upon Change to Website v2" in the CA/Browser Forum Baseline Requirements (section 3.2.2.4.18). This method involves demonstrating control over your domain by adding a specific file to your website. Here's a comprehensive guide for Entrust customers on how to successfully verify their domain using this method.
Understanding the Web Server Method
The Web Server method requires you to place a text file containing a unique, randomly generated value provided by Entrust in a specific directory on your website. This file, named verify.txt, must be located within the following path:
/.well-known/pki-validation/
When you choose the Web Server method, Entrust will generate this random value for your domain. Your task is to create the verify.txt file and paste this provided value into it.
Steps for HTTP and HTTPS Sites
The process is essentially the same whether your website uses HTTP or HTTPS. The key is to ensure the file is accessible at the designated path on your website.
Note: For instructions on how to publish the file on specific web servers such as Apache, Tomcat, etc., refer to our knowledgebase article.
- Receive Your Random Value: After submitting your domain for validation using the Web Server method, Entrust will provide you with the unique random value associated with your domain.
- Create the verify.txt File: Using a text editor, create a new file named verify.txt.
- Paste the Random Value: Copy the random value provided by Entrust and paste it into the verify.txt file. Ensure there are no extra spaces, line breaks or other characters.
- Create the Directory Structure: If the /.well-known/pki-validation/ directory structure does not already exist on your web server, create it.
- Upload the File: Upload the verify.txt file to the /.well-known/pki-validation/ directory on your web server.
- Verification: By default, Entrust will automatically attempt to retrieve the file at http://yourdomain.com/.well-known/pki-validation/verify.txt, or at https://yourdomain.com/.well-known/pki-validation/verify.txt if a proper redirect is in place.
Verification and the Role of HTTP and HTTPS
Entrust's system will first attempt to access the file via HTTP, i.e., http://yourdomain.com/.well-known/pki-validation/verify.txt.
- If your site is configured for HTTP and the verify.txt file is correctly placed and accessible via HTTP, Entrust will find the file, verify the content, and expect a 200 OK status, completing the validation.
- If your site is configured for HTTP but redirects to another FQDN, Entrust will NOT follow that redirect. Keep verify.txt reachable on the FQDN being validated.
- If your site uses HTTP but a redirect to HTTPS is in place, Entrust will follow that redirect. This is common and acceptable. The redirect must use one of the approved redirect status codes (301, 302, 307 or 308). After following the redirect to HTTPS, Entrust will check for the verify.txt file at the HTTPS address and expect a 200 OK status code for successful verification.
- If your site is only configured for HTTPS and does not answer HTTP requests at all, Entrust will be unable to validate using this method, because the initial HTTP request receives no response. You will need to use a different validation method, or temporarily serve an HTTP to HTTPS redirect.
In essence, Entrust's system behavior can be summarized as follows:
- Try HTTP first: Entrust always tries HTTP first by default.
- Follow HTTP to HTTPS redirects: If there is a redirect to an HTTPS address using an approved redirect code, Entrust will follow it.
- HTTPS only: If the site is only available via HTTPS and does not redirect HTTP requests, this validation method will fail.
Important Reminder about Redirects:
It's important to ensure that any redirects, especially from HTTP to HTTPS, are implemented correctly using one of the approved status codes (301, 302, 307, or 308). If a site is only accessible via HTTPS without an HTTP redirect, or if an improper redirect code is used, the Web Server validation method will fail because Entrust will initially be unable to locate the verify.txt file via the default HTTP check.
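The following script is an added example and not Entrust's own code. It emulates the retrieval behaviour described in the steps above and in the redirect rules (HTTP first; follow 301/302/307/308 only when the target stays on the same FQDN; expect 200 OK with the exact random value) so you can test a domain before submitting it. It assumes a cap of five chained redirects and treats any change of hostname as "another FQDN"; it uses only the Python standard library, and check_validation accepts an injectable fetch function so the logic can be exercised against canned responses.

```python
"""Pre-flight check for the Entrust Web Server (verify.txt) validation method.

Added example, not Entrust's code: it mirrors the behaviour this page describes
so that a failure can be found and fixed before the real validation runs.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

VERIFY_PATH = "/.well-known/pki-validation/verify.txt"
ALLOWED_REDIRECTS = {301, 302, 307, 308}   # the approved redirect status codes
MAX_HOPS = 5                               # assumption: cap on chained redirects


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from auto-following redirects so each hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Perform one GET without following redirects.

    Returns (status, location_header_or_None, body_bytes). Network errors such
    as DNS failure, connection refused or a timeout propagate as OSError.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:   # non-2xx, including suppressed redirects
        return err.code, err.headers.get("Location"), err.read()


def check_validation(domain, expected_value, fetch=http_fetch):
    """Emulate the CA's retrieval and return (ok, reason).

    `fetch` is injectable so the decision logic can be tested offline.
    """
    url = f"http://{domain}{VERIFY_PATH}"          # HTTP is always tried first
    for _ in range(MAX_HOPS + 1):
        try:
            status, location, body = fetch(url)
        except OSError as exc:
            return False, (f"{url}: no HTTP response ({exc}). An HTTPS-only site with "
                           f"no HTTP listener fails here; add an HTTP->HTTPS redirect.")

        if status == 200:
            content = body.decode("utf-8", "replace")
            if content == expected_value:
                return True, f"{url}: 200 OK and content matches"
            if content.strip() == expected_value:
                return False, (f"{url}: 200 OK but verify.txt has extra whitespace or a "
                               f"trailing newline; it must contain only the value")
            return False, f"{url}: 200 OK but content does not match the random value"

        if status in ALLOWED_REDIRECTS:
            if not location:
                return False, f"{url}: {status} redirect without a Location header"
            target = urljoin(url, location)
            if urlsplit(target).hostname != urlsplit(url).hostname:
                return False, (f"{url}: {status} redirect to another FQDN ({target}); "
                               f"Entrust does not follow cross-FQDN redirects")
            url = target                      # same FQDN (e.g. http -> https): follow it
            continue

        return False, (f"{url}: HTTP {status} is neither 200 OK nor an approved "
                       f"redirect (301/302/307/308)")
    return False, f"too many redirects (more than {MAX_HOPS} hops)"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} yourdomain.com <random-value>")
    ok, reason = check_validation(sys.argv[1], sys.argv[2].strip())
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it as `python check_verify.py yourdomain.com <random-value>` from a host outside your own network, so that firewall rules or allow-lists that only admit internal clients do not hide a failure that Entrust's system would hit.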
Important Considerations
- Case Sensitivity: Ensure that the directory and file names are entered exactly as specified (case-sensitive).
- File Content: The verify.txt file must only contain the random value provided by Entrust, with no additional characters or formatting.
- Accessibility: The file must be publicly accessible on your web server.
Entrust also offers other domain verification options:
- Email Verification: Receive and respond to a verification email sent to an administrative address associated with your domain.
- DNS Verification: Add a specific TXT record to your domain's DNS zone.
For more information, refer to our knowledgebase article.