Validate
Before a certificate authority (CA) will issue a certificate for a domain, the requester must prove they have control over that domain. This process is known as domain control validation (DCV).
DCV situations
Non-wildcard certificates
Specific (non-wildcard) custom hostnames can use HTTP-based DCV for certificate renewals, as long as:
- The hostname is pointing to the SaaS provider.
- The hostname's traffic is proxying through the Cloudflare network.
If your custom hostnames do not meet these requirements, use another validation method.
Wildcard certificates
Wildcard custom hostnames require TXT-based validation. As the SaaS provider, you have two options for wildcard custom hostname certificate renewals:
- DCV Delegation (auto-issuance)
- Manual
Minimize downtime
If you want to minimize downtime, explore one of the following methods to issue and deploy the certificate before onboarding your customers:
- Delegated DCV: Place a one-time record at your authoritative DNS that allows Cloudflare to auto-renew all future certificate orders.
- TXT validation: Have your customers add a TXT record to their authoritative DNS.
- Manual HTTP validation: Add a TXT record at your origin.
Minimize customer effort
If you value simplicity and your customers can handle a few minutes of downtime, you can rely on Cloudflare automatic HTTP validation.
Potential issues
To avoid or solve potential issues, refer to our troubleshooting guide.