Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

HTTP DCV method

When you choose HTTP DCV, Cloudflare automatically adds a verification HTTP token to your domain.

Only use this method if your domain can tolerate a few minutes of downtime.

​​ Limitations

HTTP DCV is only available for proxied domains.

HTTP DCV validation also does not work for wildcard certificates or certificates with multiple SANs.

If you want to use wildcard certificates or pre-validate your certificate — either to avoid downtime or prevent any issuance errors — use TXT or Email validation.

Based on your chosen Certificate Authority, you may also not be able to use HTTP verification with advanced certificates.

Selecting Let’s Encrypt as a CA limits a certificate to a TXT Certificate validation method, 90 days for the Certificate Validity Period, two host entries (one for the zone name and one for the subdomain wildcard of the zone name, such as example.com and *.example.com).

If using the API to order your certificate, this action also defaults cloudflare_branding to false.

​​ Setup

​​ Specify DCV method

If you want to use a Universal SSL certificate, you will need to edit the validation_method via the API and specify your chosen validation method.

Alternatively, you could order an advanced certificate via the API.

In either case, you would need to set a "validation_method":"http" parameter.

​​ Review other Cloudflare settings

To make sure your domain does not accidentally block HTTP DCV, review your Cloudflare settings for common setup issues.

​​ Complete DCV

Your HTTP token will be available for the Certificate Authority as soon as you finish your partial domain setup.

This means that you need to add a CNAME record to Cloudflare in your authoritative DNS and create proxied DNS records for your hostname within Cloudflare.

This process may involve a few minutes of downtime.

What happens after you create your records

Cloudflare contacts one of our Certificate Authority providers and asks them to issue certificates for the specified hostname. The CA will then inform Cloudflare that we need to “demonstrate control” of this hostname by returning a $DCV_TOKEN at a specified $DCV_FILENAME; both the token and the filename are randomly generated by the CA and not known to Cloudflare ahead of time.

For example, if you create a new custom hostname for site.example.com, the CA might ask us to return the value ca3-38734555d85e4421beb4a3e6d1645fe6 for a request to http://site.example.com/.well-known/pki-validation/ca3-39f423f095be4983922ca0365308612d.txt". As soon as we receive that value from the CA we make it accessible at our edge and ask the CA to confirm it’s there so that they can complete validation and the certificate order.

To check whether your certificates have been validated and reissued:

  • Dashboard: Find the certificate(s) SSL/TLS > Edge Certificates and make sure that the Status is Active.
  • API: Send a GET request and confirm that your certificate(s) have "status": "active".

​​ Renew DCV tokens

If possible, DCV tokens for proxied hostnames are always renewed via HTTP.

However, some certificates — for example, if you are using wildcard certificates or certificates with multiple SANs or your hostname is not proxied — are not eligible for HTTP validation.

If your certificate is not eligible for HTTP validation, you will need to repeat the DCV process with your chosen method.