Validate
Before a certificate authority (CA) will issue a certificate for a domain, the requester must prove they have control over that domain. This process is known as domain control validation (DCV).
Specific (non-wildcard) custom hostnames can use HTTP-based DCV for certificate renewals, as long as:
- The hostname is pointing to the SaaS provider.
- The hostname's traffic is proxying through the Cloudflare network.
If your custom hostnames do not meet these requirements, use another validation method.
Wildcard custom hostnames require TXT-based validation. As the SaaS provider, you have two options for wildcard custom hostname certificate renewals:
- DCV Delegation (auto-issuance)
- Manual
If you want to minimize downtime, explore one of the following methods to issue and deploy the certificate before onboarding your customers:
- Delegated DCV: Place a one-time record at your authoritative DNS that allows Cloudflare to auto-renew all future certificate orders.
- TXT validation: Have your customers add a TXT record to their authoritative DNS.
- Manual HTTP validation: Add a TXT record at your origin.
If you value simplicity and your customers can handle a few minutes of downtime, you can rely on Cloudflare automatic HTTP validation.
To avoid or solve potential issues, refer to our troubleshooting guide.