DCV Methods
Before a Certificate Authority will issue a certificate for a domain, the requestor must prove they have control over that domain. This process is known as domain control validation (DCV).
Perform DCV
For details on each method available for DCV, refer to the following resources:
DCV - Full zones
For full zones, the only required action is to confirm that your nameservers are still pointing to Cloudflare.
Certificates on full zones, whether using a wildcard hostname or not, will be automatically renewed and validated without any action from you. Cloudflare can complete DCV on your behalf by serving the TXT DCV tokens.
DCV - Partial zones
For partial zones, the process depends on whether the certificate uses a wildcard hostname.
Non-wildcard hostname certificates will automatically renew as long as every hostname on the certificate is proxying traffic through Cloudflare.
However, if one or more of the hostnames on the certificate is not proxying through Cloudflare, the certificate will not issue. For the certificate to renew, you must complete DCV for each hostname that is not proxied, either by manually updating the DCV token or by proxying the hostname.
Wildcard hostname certificates must use TXT-based DCV for renewals. You will need to place one TXT DCV token for every hostname on the certificate for it to successfully renew. If one or more of the hostnames on the certificate fail to validate, the certificate will not be renewed.
This means that a wildcard certificate covering example.com and *.example.com will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider.
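The one-token-per-hostname rule above, written as a pre-renewal check (an added example, not Cloudflare's code). It assumes tokens are published under the ACME DNS-01 _acme-challenge label, with a wildcard's token at its parent name; the function names, hostnames and token values are constructed for illustration.

```python
from collections import Counter

# Assumption: ACME DNS-01 record label; the page does not name the record.
ACME_LABEL = "_acme-challenge"


def txt_record_name(hostname):
    """Return the TXT record name that carries the DCV token for a hostname."""
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # a wildcard's token is published at the parent name
    return f"{ACME_LABEL}.{host}"


def tokens_per_record(hostnames):
    """Count how many distinct tokens each TXT record name must hold."""
    return dict(Counter(txt_record_name(h) for h in hostnames))


def renewal_blockers(expected_tokens, published_txt):
    """List hostnames whose token is not published; any entry blocks renewal.

    expected_tokens: {hostname: token} for every hostname on the certificate.
    published_txt:   {record name: set of TXT values} at the authoritative DNS.
    """
    missing = []
    for hostname, token in expected_tokens.items():
        values = published_txt.get(txt_record_name(hostname), set())
        if token not in values:
            missing.append(hostname)
    return sorted(missing)


# Constructed sample: apex and wildcard share one record name, but only the
# apex token was published, so the wildcard hostname fails validation.
EXPECTED = {
    "example.com": "token-apex-PLACEHOLDER",
    "*.example.com": "token-wildcard-PLACEHOLDER",
    "www.example.com": "token-www-PLACEHOLDER",
}
PUBLISHED = {
    "_acme-challenge.example.com": {"token-apex-PLACEHOLDER"},
    "_acme-challenge.www.example.com": {"token-www-PLACEHOLDER"},
}

if __name__ == "__main__":
    print(tokens_per_record(EXPECTED))
    print(renewal_blockers(EXPECTED, PUBLISHED))
```

The sample shows the usual failure: example.com and *.example.com map to the same record name, so that name must hold two TXT values, and overwriting one with the other leaves a hostname unvalidated.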
Verify DCV status
To verify the DCV status of a certificate, either monitor the certificate’s status in the dashboard at SSL/TLS > Edge Certificates or use the Verification Status endpoint.
A status of active means that the certificate has been deployed to Cloudflare’s edge network and will be served as soon as HTTP traffic is proxied to Cloudflare.
Update DCV methods
You cannot update the DCV method for an active certificate. To update the DCV method for a subdomain, wait until the DCV expires and then change the DCV method.