SSL certificate maximum validity is being reduced to 200 days from March 2026. Read more →

SSL Certificates

Cheap SSL DV SSL Wildcard SSL Multi-Domain (SAN) OV & EV SSL

Specialty Certificates

Code Signing Document Signing Email / S/MIME VMC / BIMI
In effect now Certificate Lifetime

Automation

Overview Auto DNS FairSSL vs Let's Encrypt

Platforms

Windows Setup Linux & Kubernetes Appliances ACME Clients

Tools

SSL Scanner Certificate Decoder CAA Generator

Guides

Windows Server Linux & Open Source All guides

Company

About Us Contact Installation Service
News

Language

Dansk Svenska English

Currency

Login Create Account

Domain Validation

Before a Certificate Authority (CA) issues your SSL certificate, they must confirm that you control the domain. There are four methods. Choose the one that suits your situation.

For multi-domain certificates you can use different methods for each domain name.

1

Email validation

Fastest method: click an approval link

The CA sends an email to a predefined address on the domain. You click a link and approve the issuance.

You can only choose from these 5 addresses:

admin@ administrator@ webmaster@ hostmaster@ postmaster@

The addresses must exist on the domain itself, e.g. admin@fairssl.dk. For subdomains, the address can be on the main domain or the subdomain.

Advantages

  • Fast, typically completed in minutes
  • No changes to DNS or the server required
  • Works for all certificate types including wildcards

Limitations

  • Only 5 fixed addresses, you cannot use others
  • Requires the email address to actually receive mail
  • Not suitable for automation (ACME)
2

DNS validation (TXT or CNAME)

Create a DNS record that proves domain control

The CA gives you a unique code. You create a TXT record or CNAME record in the domain's DNS with this code. The CA verifies that the record is available.

Note: This is not the same as AutoDNS (method 3). Here you create a new record per validation, at renewal you must create a new record again.

Example: DNS TXT record

_dnsauth.fairssl.dk.  IN  TXT  "unique-validation-code-from-ca"

Advantages

  • No web server required, only DNS access
  • Works for wildcards
  • Supported by all CAs

Limitations

  • New record required at every renewal
  • Requires access to the DNS panel
  • DNS propagation can take time (minutes to hours)
3

AutoDNS (recommended)

One permanent CNAME: we validate automatically forever

AutoDNS is FairSSL's recommended method. You create one permanent CNAME record pointing _dnsauth.yourdomain.com to a unique destination at FairSSL. We then handle all validation automatically, including at renewal.

You never need to touch DNS again after the initial setup.

Example: AutoDNS CNAME record

_dnsauth.fairssl.dk.  IN  CNAME  abcd1234.dcv.fairssl.dk.

The unique destination is specific to your account and domain.

Supported CAs

AutoDNS works with the DigiCert brands: Thawte, RapidSSL, GeoTrust and DigiCert. GlobalSign and Sectigo use standard DNS TXT validation (method 2).

Advantages

  • Set and forget: create once, validation happens automatically
  • Perfect for ACME automation
  • Works for wildcards
  • No DNS API keys required
  • Servers need no inbound internet access

Limitations

  • DigiCert brands only (Thawte, RapidSSL, GeoTrust, DigiCert)
  • Requires DNS access for the initial setup
4

HTTP/URL validation

Place a file on the web server

The CA gives you a unique code. You create a file containing the code at a specific URL path on your web server. The CA checks that the file is accessible via HTTP or HTTPS.

Example: HTTP validation file

http://fairssl.dk/.well-known/pki-validation/fileauth.txt
Contents: unique-validation-code-from-ca

Important rules for HTTP validation

  • ! All names must respond simultaneously. Each domain name in the certificate must respond with the validation code at its own URL. If one name is missing, the certificate or that name may be blocked.
  • ! No redirects. The file must respond directly on the specified domain, not via a redirect to another domain.
  • ! No wildcards. HTTP validation is not supported for wildcard certificates.

Advantages

  • No DNS access required
  • Only web server access needed

Limitations

  • Does not support wildcards
  • All names must respond simultaneously, no exceptions
  • No redirects allowed
  • Requires a running web server with public access

Comparison of validation methods

Email DNS TXT/CNAME AutoDNS HTTP/URL
Wildcards
Automatic renewal Manual ✓ automatic ACME possible
Requires Email address DNS access DNS (once) Web server
All CAs DigiCert brands
Best for Quick manual validation Servers without web ACME, automation Simple web servers

Frequently asked questions about domain validation

Find answers to the most common questions about SSL certificates and FairSSL.

Email validation is typically the fastest. You receive an email and click an approval link. DNS and HTTP can also be completed in minutes, but require access to DNS or the web server.
Yes. For multi-domain (SAN) certificates, each domain name can be validated with its own method. For example, email for one domain and DNS for another.
With DNS TXT you manually create a new TXT record for each validation (and at every renewal). With AutoDNS you create one permanent CNAME record pointing to FairSSL, and we handle all future validations automatically.
No. Wildcard certificates require DNS validation (TXT or AutoDNS CNAME). HTTP validation is not supported for wildcards.
All domain names in the certificate must respond with the validation code at the same time. If one name does not respond (e.g. due to a redirect or downtime), the certificate or that specific name may be blocked. Use DNS validation for names you do not have full control over.
AutoDNS supports the DigiCert brands: Thawte, RapidSSL, GeoTrust and DigiCert. GlobalSign and Sectigo use standard DNS TXT validation.

Ready to validate your domain?

Create a free account and issue your first certificate in under 10 minutes.

Create free account Compare certificates