Cloudflare Docs

Domain control validation flow

In order to obtain Universal, Advanced, and Custom hostname certificates, Cloudflare partners with different publicly trusted certificate authorities (CAs).

However, every time a CA is asked to issue or renew a certificate, the requester must prove that they have control over the domain. This is when the domain control validation (DCV) process takes place. The proof usually consists of placing an HTTP token at a standard URL path (/.well-known/pki-validation), or placing a TXT record at the authoritative DNS provider.

Where Cloudflare sits in the DCV process

For the use cases mentioned above, there are three different parties involved in the process:

  • The website or application for which the certificate is issued.
  • The requester (Cloudflare).
  • The CA that processes the request.

Steps in the process

In summary, five steps have to succeed after Cloudflare requests a CA to issue or renew a certificate:

  1. Cloudflare receives the DCV tokens from the CA.
  2. Cloudflare either places the tokens on your behalf (Full DNS setup, Delegated DCV), or makes the tokens available for you to place them.
  3. Cloudflare polls the validation URLs to check for the tokens.
  4. After Cloudflare can confirm that the tokens are placed via multiple DNS resolvers, the CA is asked to check as well.
  5. If the CA can confirm the tokens are placed, the certificate gets issued. If the CA cannot confirm the tokens are placed, the certificate is not issued and the tokens are no longer valid.

Aspects to consider

  • DCV tokens also have validity periods. If you are handling the DCV process manually, it is recommended that you place the tokens as soon as the certificate is up for renewal. Otherwise, the tokens may expire and new tokens will be required.
  • Settings that interfere with the validation URLs can cause issues with your certificate issuance or renewal. Refer to the troubleshooting guide.
  • The DCV tokens are generated and controlled by the CA and not by Cloudflare.
  • Certificate authority authorization (CAA) records may block certificate issuance. Refer to CAA records.
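If you place tokens manually, you can run a similar readiness check yourself before the CA does. The following is an added example, not Cloudflare's code: it combines the multi-resolver check from step 4 with the token validity and CAA points above, for a TXT token on a non-wildcard hostname. The resolver names, token, dates and CA domain are constructed sample values, and the caller is assumed to have already collected the TXT answers and the relevant CAA record set.

```python
from datetime import datetime, timezone

def caa_permits(caa_rrset, ca_domain):
    """RFC 8659, non-wildcard name: no 'issue' property means any CA may issue.
    caa_rrset is the relevant CAA set as (flags, tag, value) tuples."""
    issuers = [value.split(";")[0].strip().lower()
               for _flags, tag, value in caa_rrset if tag.lower() == "issue"]
    return not issuers or ca_domain.lower() in issuers

def dcv_precheck(token, txt_by_resolver, caa_rrset, ca_domain, expires_at, now):
    """Return the reasons the CA's check would likely fail (empty list = ready)."""
    problems = []
    if now >= expires_at:
        problems.append("token expired: a new token is required")
    # Every resolver must return the token, not just one of them.
    missing = sorted(r for r, values in txt_by_resolver.items() if token not in values)
    if missing:
        problems.append("token not visible via: " + ", ".join(missing))
    if not caa_permits(caa_rrset, ca_domain):
        problems.append("CAA does not authorize " + ca_domain)
    return problems

# Constructed sample data (not real tokens, resolvers or CA names).
TOKEN = "constructed-dcv-token-0001"
EXPIRES = datetime(2030, 1, 8, tzinfo=timezone.utc)
NOW = datetime(2030, 1, 2, tzinfo=timezone.utc)
TXT_OK = {"resolver-a": [TOKEN], "resolver-b": ["v=spf1 -all", TOKEN]}
TXT_STALE = {"resolver-a": [TOKEN], "resolver-b": []}  # one resolver lags behind
CAA_OTHER_CA = [(0, "issue", "other-ca.example")]
CAA_NONE = []

if __name__ == "__main__":
    print(dcv_precheck(TOKEN, TXT_OK, CAA_NONE, "ca.example", EXPIRES, NOW))
    print(dcv_precheck(TOKEN, TXT_STALE, CAA_OTHER_CA, "ca.example", EXPIRES, NOW))
```

An empty list means none of the three conditions would stop issuance. Each entry in a non-empty list names one condition to fix before the token's validity period ends.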