Domain-validated certificate

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license.
A domain validated certificate for opensuse.org, issued by Let's Encrypt

A domain validated certificate (DV) is an X.509 public key certificate typically used for Transport Layer Security (TLS) where the domain name of the applicant is validated by proving some control over a DNS domain. Domain validated certificates were first distributed by GeoTrust in 2002 before becoming a widely accepted method.

Issuing criteria

The sole criterion for a domain validated certificate is proof of control over the whois records, DNS records file, email or web hosting account of a domain. Typically, control over a domain is determined using one of the following:

  • Response to email sent to the email contact in the domain's whois details
  • Response to email sent to a well-known administrative contact in the domain (e.g. admin@, postmaster@)
  • Publishing a DNS TXT record
  • Publishing a nonce provided by an automated certificate issuing system
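
As an added example (not part of the original article), the sketch below walks through the nonce and DNS TXT methods from the list above using one concrete scheme: the dns-01 challenge of the ACME protocol (RFC 8555), which automated issuers such as Let's Encrypt use. The zone dictionary, account keys and function names are constructed for illustration; a real CA queries DNS rather than a dict.

```python
import base64
import hashlib
import hmac
import json
import secrets

def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def new_token() -> str:
    """CA side: a fresh nonce with 256 bits of entropy."""
    return b64url(secrets.token_bytes(32))

def txt_value(token: str, account_jwk: dict) -> str:
    """Applicant side: the digest to publish, binding the nonce to the account key."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def ca_validates(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """CA side: look up the TXT records and compare each one in constant time."""
    expected = txt_value(token, account_jwk).encode("ascii")
    published = zone.get(f"_acme-challenge.{domain}".lower(), [])
    return any(hmac.compare_digest(expected, v.encode("utf-8")) for v in published)

# Constructed sample account keys (placeholders, not real key material).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x", "y": "other-y"}

def demo() -> dict:
    token = new_token()
    zone = {"_acme-challenge.example.org": ["unrelated", txt_value(token, ACCOUNT_JWK)]}
    return {
        "owner_passes": ca_validates(zone, "example.org", token, ACCOUNT_JWK),
        "other_account_fails": ca_validates(zone, "example.org", token, OTHER_JWK),
        "stale_nonce_fails": ca_validates(zone, "example.org", new_token(), ACCOUNT_JWK),
        "other_domain_fails": ca_validates(zone, "example.net", token, ACCOUNT_JWK),
    }

if __name__ == "__main__":
    print(demo())
```

The check passes only when the record sits under the requested domain, carries the current nonce, and was derived from the requesting account's key, which is all a domain validated certificate attests to.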

A domain validated certificate is distinct from an Extended Validation Certificate in that proof of domain control is the only requirement for issuing the certificate. In particular, domain validated certificates do not assure that any particular legal entity is connected to the certificate, even if the domain name may imply that a particular legal entity controls the domain.

User interface

As of 2020, all major browsers' user interfaces display EV, OV, and DV certificates identically, but provide options to query the type of certificate via multiple clicks.

Characteristics

As the low assurance requirements allow domain validated certificates to be issued quickly without requiring human intervention, domain validated certificates have a number of unique characteristics:

  • Domain validated certificates are used in automated X.509 certificate issuing systems, such as Let's Encrypt.
  • Domain validated certificates are often cheap or free.
  • Domain validated certificates can be generated and validated without any documentation.
  • Most domain validated certificates can be issued instantly (in less than a minute) via special tools that automate the issuing process.
