Improved Domain Validation Process for GlobalSign OV/EV TLS Certificates

Mar 6, 2024

Important Note:

The improved domain validation process will reduce the number of validations required for the same domain contained in multiple certificates and allow faster validation for OV and EV certificates. Customers will be asked to perform domain validation for all domains via this new process, for both new orders and reissues, even if they were approved just prior to 1st June, 2020. We apologize for the short-term inconvenience caused by this architectural change; the long-term benefits of permitting full customer control over domain validation will outweigh it. We'd like to ask affected customers to make use of the improved process and prove domain control using the domain verification page. In cases where that is not possible, please contact GlobalSign Support.

Introduction

GlobalSign is making significant improvements to the domain validation process for Partner and Retail OV and EV SSL Certificates through its GlobalSign Certificate Center (GCC) to reduce the time and effort needed to verify domains.

The process enables domain validation to be done entirely by the Applicant, Reseller, or other entity that has applicable domain permissions, which enables the domains to be validated in a matter of minutes. This is a proven process that has been used in our Managed SSL (MSSL) platform, and we're excited to extend it to our remaining GlobalSign SSL products!

As an overview, upon submission of an OV or EV order, the Applicant is provided with a link to their order-specific Domain Verification Page (DVP) where the domain validations can be performed. This page lists all SANs in the order and permits the Applicant to select and/or change the domain validation method for each SAN or each domain, and then instruct GCC to perform the validation. In the event that the domain was recently verified for the same Organization (same Applicant), the domain validation of the prior order will be re-used and the domain will appear as already approved!

The DVP link is provided in several different ways so you'll always be able to find it:
 

  1. Displayed on the order acknowledgement page
  2. Emailed as part of the order acknowledgement email
  3. Displayed within GCC when viewing the order details of a Certificate (Search Order History > Enter Order Number (from email) > Click order number and scroll to the bottom)

  4. Available via the GCC SSL APIs

If you are still unable to locate the DVP, contact GlobalSign Support and we can send you your unique DVP URL. If you have any questions about the information presented here, please contact your Account Representative.

Domain Verification Page

Once you've placed your OV or EV order you will receive a link to the DVP. For OV orders, it will look similar to this:

Before you begin domain validation, be sure you understand who placed the order and that you're approving domains for a legitimate order. Once you've done that, focus your attention on the Domain Verification Code (DVC) portion of the page.  

SANs that share the same Domain Name will be grouped together so you can verify them all at once with a single domain verification step; those that don't share the same Domain Name will be listed individually. For each SAN in the table, you can select one of the domain validation methods listed below. Once GlobalSign has completed the Organizational validation and all of the domains have been approved, the Certificate will be issued. Organization validation and domain validation will happen in parallel.

Email Validation Method

The Email validation method allows you to validate a SAN by responding to a challenge sent to a specified email address.
 

  1. In the DVC section of the Order Details Page, select the SAN you want to verify and then select the "Email" validation method from the drop-down menu. Click Verify.
  2. A pop-up window will be displayed where you can select the email address you want to use. Then click Send Verification Email.

  3. Follow the instructions in the verification email which will have you visit a domain validation page where you review and then approve the domain.
  4. The status of the SAN will change when it has been approved. 

Note: To perform domain verification using the Email validation method, kindly check the guidelines found here.

HTTP Validation Method

Note: Effective Nov 28th, 2021, the HTTP domain validation method is no longer permitted for issuance of subdomains and wildcards.

The HTTP validation method allows you to validate a SAN by uploading the supplied DVC to a specific website location. 
 

  1. In the DVC section of the Order Details Page, select the SAN you want to verify and then select the "HTTP" validation method from the drop-down menu. Click Verify.
  2. A pop-up window will display. Follow the instructions listed in this window.

  3. When you have placed the verification code in the designated location, click Verify.
  4. GlobalSign will verify that the DVC is at the selected location and approve the SAN if successful.

Note: To perform domain verification using the HTTP validation method, kindly check the guidelines found here.

DNS Validation Method

The DNS validation method is useful for domain owners that have easy access to their DNS provider and can create a DNS TXT record. 
 

  1. In the DVC section of the Order Details page, select the SAN you want to verify and then select the "DNS" validation method from the drop-down menu. Click Verify.
  2. A pop-up window will display. Follow the instructions listed in this window.

  3. Once you have created a DNS TXT record for one of the permitted domains, click Verify.
  4. GlobalSign will look for a DNS TXT record for the domain specified on this page.  If there is a DNS TXT record containing the DVC, then the SAN status will be changed to Approved.

Note: To perform domain verification using the DNS validation method, kindly check the guidelines found here.
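
A local pre-check for step 3 of the DNS method, as an added example that is not GlobalSign's code: it parses `dig +noall +answer TXT <domain>` output and reports whether a TXT record at the chosen domain contains the DVC, joining values that DNS split into several quoted strings. The sample answer, the domain names and the DVC value are constructed placeholders, and the function names are hypothetical.

```python
import shlex

# Constructed sample in the style of `dig +noall +answer TXT example.com`.
# The DVC is a placeholder, not a real GlobalSign code or its real format.
SAMPLE_DVC = "PLACEHOLDER-DVC-0123456789"
SAMPLE_ANSWER = """\
example.com.      300 IN TXT "v=spf1 -all"
example.com.      300 IN TXT "PLACEHOLDER-DVC-" "0123456789"
www.example.com.  300 IN TXT "unrelated"
"""


def parse_txt_answers(answer_text):
    """Map each owner name to the list of TXT values published at it."""
    records = {}
    for line in answer_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split(None, 4)  # name, ttl, class, type, rdata
        if len(fields) < 5 or fields[3].upper() != "TXT":
            continue
        owner = fields[0].rstrip(".").lower()
        # TXT RDATA is one or more quoted character-strings (max 255 bytes
        # each); join them to rebuild the value. \DDD escapes are not decoded.
        chunks = shlex.split(fields[4])
        records.setdefault(owner, []).append("".join(chunks))
    return records


def dvc_published(answer_text, domain, dvc):
    """True if a TXT record at exactly `domain` contains the current DVC."""
    owner = domain.rstrip(".").lower()
    values = parse_txt_answers(answer_text).get(owner, [])
    return any(dvc in value for value in values)


if __name__ == "__main__":
    for name in ("example.com", "www.example.com"):
        print(name, dvc_published(SAMPLE_ANSWER, name, SAMPLE_DVC))
```

Feed it the answer from each authoritative name server before clicking Verify; a record that still carries an expired DVC returns False for the renewed one.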

How to Remove Non-WWW SANs

GlobalSign will automatically include a non-www SAN when customers request a Certificate with a CN that begins with 'www'. For example, if you request a Certificate with the common name of 'www.example.com,' we automatically include a SAN for 'example.com.' Customers may remove this extra SAN from the list by following these steps:
 

  1. In the DVC section of the Order Details page, click the trash can icon next to the SAN you wish to remove. You can click the black triangle next to this SAN to see the other SANs listed under this domain.

  2. A confirmation window will display. Click Remove to remove the SAN or Close to close the window without removing the SAN.

FAQs

What happens when my domain verification code expires?

When you access the DVC section, a message at the top of the page will display, indicating the current Domain Verification Code has expired. Click the Generate New DVC button to generate a new domain verification code. The page will re-load and display the new DVC, with the message at the top of the page: "Domain Verification Code (DVC) Has Been Renewed."  Any pending domains will need to be verified using this new DVC.

What happens when my SAN fails the security check?

When you verify your SANs, they may go into an "In security review" status, which means GlobalSign Vetting Agents are conducting security checks against the SAN. If the SAN fails the security check, the SAN status will be updated and your order will be automatically cancelled. You must re-order the Certificate and not include that SAN in the order for the order to be processed.

My validations were reset, what happened?

Since you rely on seeing accurate Organization information when approving domains, it may be necessary on occasion to reset the domain validation status if Organization information changed during our organization-level verification process. We apologize in advance if this happened, but it's a necessary security step.
