Validation Workflows
When requesting certificates from public CAs (Let’s Encrypt, DigiCert, Sectigo), you must prove you own the domain. This process is called “Domain Validation” (DV). SSL-CLM supports multiple automated workflows.
HTTP-01 Challenge (File-Based)
This is the most common method for web servers.
How it works:
- Challenge: The CA says: “If you own example.com, place a specific file at http://example.com/.well-known/acme-challenge/<TOKEN>.”
- Action: SSL-CLM (or the Agent) creates this file on your web server.
- Verify: The CA makes an HTTP request to that URL.
- Result: If the content matches, the certificate is issued.
Pros: Simple, works for any web server.
Cons: Requires port 80 to be open to the public internet. Does not work for Wildcard certificates.
DNS-01 Challenge (Record-Based)
This is required for Wildcard certificates (*.example.com).
How it works:
- Challenge: The CA says: “Create a DNS TXT record at _acme-challenge.example.com with value <RANDOM_STRING>.”
- Action: SSL-CLM connects to your DNS Provider (Route53, Cloudflare, Azure DNS) via API and creates the record.
- Verify: The CA queries public DNS.
- Result: If the record exists, the certificate is issued.
- Cleanup: SSL-CLM deletes the TXT record.
Pros: Secure, doesn’t require open inbound ports. Works for Wildcards.
Cons: Requires API credentials for your DNS provider. Slower (DNS propagation).
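The <TOKEN> and <RANDOM_STRING> values in the HTTP-01 and DNS-01 sections above are both derived from the CA-issued token and the ACME account key. The following Python is an added example, not SSL-CLM’s own code: it computes the key authorization (RFC 8555) from a JWK thumbprint (RFC 7638) and shows what the CA compares against. The account JWK and token are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed placeholder account key (not a real key; the modulus is junk).
# In practice this is the public half of the ACME account key registered with the CA.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-base64url"}
TOKEN = "rLCFq3x4zXu1vV4YqQ1Z-constructed-token"  # constructed; the CA issues the real one


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required public members, keys sorted, no whitespace.
    Private members such as 'd' and optional ones such as 'use' must not influence it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def http01_body(token: str, thumbprint: str) -> str:
    """Key authorization: the exact content served at /.well-known/acme-challenge/<TOKEN>."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """<RANDOM_STRING> for _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    key_auth = http01_body(token, thumbprint)
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def check_http01(served_body: str, token: str, thumbprint: str) -> bool:
    """What the CA checks: the body must equal the key authorization; trailing whitespace is ignored."""
    return served_body.rstrip() == http01_body(token, thumbprint)


def check_dns01(txt_records: list, token: str, thumbprint: str) -> bool:
    """What the CA checks: any TXT record at the name may match. Several records coexist when
    example.com and *.example.com are validated together, since both use the same record name."""
    return dns01_txt_value(token, thumbprint) in txt_records
```

Because the TXT value is a hash of the key authorization, the account private key never leaves SSL-CLM and the DNS record alone reveals nothing reusable.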
Email Validation
Legacy method.
- Process: The CA sends an email to admin@example.com or hostmaster@example.com.
- Action: A human must click the link in the email.
- Automation: Not supported for full automation. Avoid if possible.