@pzb
Last active July 4, 2016 16:28
DNS-Based Authorization by Domain Name Registrant

In the definitions below, $FQDN represents the Fully-Qualified Domain Name (FQDN) requested in the certificate subject, $DOMAIN represents the Registered Domain Name portion of that FQDN, and ${FQDN-n} is $FQDN with its first (leftmost) n labels removed.

Comodo

Calculate the MD5 and SHA-1 hashes (as hex strings) of the DER encoding of the CSR that will be sent to Comodo. Let these be $CSRMD5 and $CSRSHA1 respectively. If requesting a non-wildcard FQDN, create the following record:

$CSRMD5.$FQDN. IN CNAME $CSRSHA1.comodoca.com.

If requesting a wildcard FQDN, create the following record:

$CSRMD5.${FQDN-1}. IN CNAME $CSRSHA1.comodoca.com.

GlobalSign

The applicant will send a CSR and GlobalSign will return a challenge string. Let this be $CHALLENGE. Create the following record:

$DOMAIN. IN TXT "globalsign-domain-verification=$CHALLENGE"

Go Daddy

The applicant will send a CSR and GoDaddy will return a 7-character challenge string. Let this be $CHALLENGE. Create the following record:

dzc.$DOMAIN. IN TXT "$CHALLENGE"

Symantec

The applicant will send a CSR and Symantec will return a 31-character challenge string. Let this be $CHALLENGE. Calculate the current time in the format YYYYMMDDHHMMSS and let this be $TIMESTAMP. Create the following record:

s$CHALLENGE.$DOMAIN. IN CNAME s$TIMESTAMP.$DOMAIN.

The timestamp must be within 24 hours of the time at which Symantec validates the domain authorization, so create the record shortly before submitting the request and regenerate it if validation is delayed.
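The following script builds each of the four records described above from the inputs the gist names. It is an added example, not code from the gist or from any of the CAs. It assumes the caller already knows $DOMAIN (determining the registered domain from an FQDN needs the Public Suffix List, which is out of scope here), upper-cases the hex digests (DNS names compare case-insensitively, so this is cosmetic), and takes the Symantec timestamp in UTC, which the gist does not specify. The PEM block is a constructed stand-in whose body decodes to the bytes "abc" so the resulting digests can be checked against the standard MD5 and SHA-1 test vectors; a real CSR carries a DER-encoded PKCS#10 structure instead.

```python
"""Build the DNS records each CA expects for DNS-based domain control validation.

Added example (not from the gist or any CA). Hex digests are upper-cased and
the Symantec timestamp is taken in UTC; both are assumptions, see the lead-in.
"""
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed stand-in for a PEM CSR: the base64 body decodes to b"abc", so the
# digests match the published MD5/SHA-1 test vectors. Not a real CSR.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
YWJj
-----END CERTIFICATE REQUEST-----
"""


def csr_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes that the CA hashes."""
    body = re.sub(r"-----(BEGIN|END) [^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def csr_hashes(pem: str) -> Tuple[str, str]:
    """($CSRMD5, $CSRSHA1): hex digests over the DER encoding of the CSR."""
    der = csr_der(pem)
    return hashlib.md5(der).hexdigest().upper(), hashlib.sha1(der).hexdigest().upper()


def prune_labels(fqdn: str, n: int) -> str:
    """${FQDN-n}: the FQDN with its first n (leftmost) labels removed."""
    labels = fqdn.rstrip(".").split(".")
    if n >= len(labels):
        raise ValueError(f"cannot prune {n} labels from {fqdn!r}")
    return ".".join(labels[n:])


def comodo_record(csr_pem: str, fqdn: str) -> str:
    """Comodo: CNAME from $CSRMD5.<name> to $CSRSHA1.comodoca.com.
    A wildcard request (*.example.com) is placed at ${FQDN-1}."""
    csr_md5, csr_sha1 = csr_hashes(csr_pem)
    name = prune_labels(fqdn, 1) if fqdn.startswith("*.") else fqdn.rstrip(".")
    return f"{csr_md5}.{name}. IN CNAME {csr_sha1}.comodoca.com."


def globalsign_record(domain: str, challenge: str) -> str:
    """GlobalSign: TXT at the registered domain carrying the challenge."""
    return f'{domain}. IN TXT "globalsign-domain-verification={challenge}"'


def godaddy_record(domain: str, challenge: str) -> str:
    """Go Daddy: TXT at dzc.$DOMAIN holding the 7-character challenge."""
    if len(challenge) != 7:
        raise ValueError("Go Daddy challenge strings are 7 characters")
    return f'dzc.{domain}. IN TXT "{challenge}"'


TIMESTAMP_FORMAT = "%Y%m%d%H%M%S"  # YYYYMMDDHHMMSS


def symantec_timestamp(now: Optional[datetime] = None) -> str:
    """$TIMESTAMP for the Symantec record (UTC assumed)."""
    return (now or datetime.now(timezone.utc)).strftime(TIMESTAMP_FORMAT)


def symantec_record(domain: str, challenge: str, timestamp: str) -> str:
    """Symantec: CNAME from s$CHALLENGE.$DOMAIN to s$TIMESTAMP.$DOMAIN."""
    if len(challenge) != 31:
        raise ValueError("Symantec challenge strings are 31 characters")
    return f"s{challenge}.{domain}. IN CNAME s{timestamp}.{domain}."


def timestamp_within_24h(timestamp: str, validation_time: str) -> bool:
    """True if $TIMESTAMP is within 24 hours of the moment the CA validates;
    both arguments use the YYYYMMDDHHMMSS format. A False result means the
    record must be regenerated before the request is resubmitted."""
    stamped = datetime.strptime(timestamp, TIMESTAMP_FORMAT)
    checked = datetime.strptime(validation_time, TIMESTAMP_FORMAT)
    return abs(checked - stamped) <= timedelta(hours=24)


if __name__ == "__main__":
    print(comodo_record(SAMPLE_CSR_PEM, "www.example.com"))
    print(comodo_record(SAMPLE_CSR_PEM, "*.example.com"))
    print(globalsign_record("example.com", "CHALLENGE"))
    print(godaddy_record("example.com", "ABCDEFG"))
    print(symantec_record("example.com", "X" * 31, symantec_timestamp()))
```

Run it with the PEM of a real CSR in place of SAMPLE_CSR_PEM to get the Comodo record for that request; the wildcard branch drops only the leading "*" label, matching the ${FQDN-1} placement in the gist.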
