SSL Certificates

An SSL (Secure Sockets Layer) Certificate is a digital certificate that authenticates the identity of a website and encrypts communication between the server and the visitors’ browser. It establishes a secure communication channel which protects sensitive data, such as login details, payment details and other personal information.

When a user visits a website that has a valid SSL Certificate, the browser verifies that the certificate is authentic and that the website is safe, displaying a green padlock symbol in the browser bar.

How to validate a domain

 

Why validate a domain?

Domain Control Validation or DCV is used to demonstrate to the Certification Authority (CA) that you have control of all the domains (FQDN) to be included in the Certificate.

 

How to validate a domain

To validate a domain, you need to follow the instructions in the guide; once you get to step 4, in the Domains to be certified section, specify:
  • the name of the domain with which you want to associate the SSL Certificate (automatically recovered from the CSR already provided);
     
    In the case of a SAN SSL Certificate, to add other domains, click on Add domain to enter the additional domain name and your preferred validation method.
     
    WARNING: This is the only point in the process in which additional domains can be entered.
  • which of the following validation methods you intend to use:
    • email sent to the domain administrator (email-admin)
    • email sent to a domain contact (email-contact)
    • file published on HTTP server (website-change) - not available for WildCard certificates
    • TXT record created on the domain (dns-change)
    • Aruba domain database (query-aruba) - ONLY for OV and EV certificates


       
      The range of domain validation methods supported may change as a result of changes to regulations (e.g. an update to the CAB Forum's Baseline Requirements) and if it is demonstrated that some methods are vulnerable to security attacks.

      Below is an overview of the types of validation offered:
       
      email-admin
      If you choose this method, the CA will send an email to the administrator of the domain to be validated (or a higher level domain) using one of the standard preferred email accounts, namely: [email protected], [email protected], [email protected], [email protected], [email protected]


      The email will contain a unique link (valid for 30 days) which the recipient must click on and then follow the instructions displayed in the browser.
       
      For Single Domains:
      If the domain name does not include www (so "example.com"), the Certificate will also include the domain with www (so "www.example.com"), and vice versa.

      The CA will wait for the Applicant to read this email and then proceed to confirm that they control the domain.
       
      It is important to make sure you are able to access the email address provided.


      email-contact
      This method is similar to the previous one, except that the email is sent to an email account obtained from the WHOIS record.


      This method assumes that at least one email account is included in the output of the WHOIS command. If the email is only visible with other query methods, for example via the registrar's website, then this method requires the manual involvement of a CA operator, which therefore takes longer.
      The email will contain a unique link (valid for 30 days) which the recipient must click on and then follow the instructions displayed in the browser.
       
      For Single Domains:
      If the domain name does not include www (so "example.com"), the Certificate will also include the domain with www (so "www.example.com"), and vice versa.

      The CA will wait for the Applicant to read this email and then proceed to confirm that they control the domain.
       
      It is important to make sure you are able to access the email address provided.

      This method is supported, but not recommended.


      website-change
      If this method is selected, the CA will send an email to the administrator of the domain to be validated containing a unique string (valid for 30 days).

       
      To prove that they control the domain, the Applicant must create a .txt file (called "actalis.txt") containing the text string specified in the email received; this file must then be published on the HTTP server for the domain to be validated (or a higher level domain), at the following URL:
      http(s)://domain/.well-known/pki-validation/actalis.txt
      Important: there must be no spaces or carriage returns in the file.
       
      For Single Domains:
      If the domain name does not include www (so "example.com"), the system will ask whether you intend to request the Certificate for the domain with www (so "www.example.com"), and vice versa.


      If you choose to validate both domains, an email will be sent for each domain chosen: each email will contain the specific string for that particular domain.

      Validation will only be complete once each file is published at its respective address.

      If the Applicant cannot technically publish 2 different files on the 2 different paths, website-change validation is not possible: a different validation method must therefore be chosen.

      To create the "actalis.txt" text file, we recommend using a simple text editor (e.g. Notepad or similar).
       
      Remember:
      • the "actalis.txt" file must only be published at the path indicated above (this is a standard one);
      • the period "." before "well" is not a mistake: it is essential;
      • HTTP redirects will not be followed.

      The CA will automatically check for the presence of the "actalis.txt" file on the server at the specified path, and will also check its content.
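A pre-check for the website-change rules above, as an added example that is not Actalis or Aruba tooling: it fetches the file without following redirects and compares it byte for byte with the string from the email. The function names are hypothetical and the domain and token are supplied by the operator.

```shell
#!/bin/sh
# Added example (not Actalis or Aruba tooling). DOMAIN and TOKEN are supplied
# by the operator; TOKEN is the string from the CA's email.
# Usage after sourcing this file: dcv_check example.com "$TOKEN" [https]

# dcv_verdict STATUS BODYFILE TOKEN
# Decides on an already-fetched response and prints the reason:
# ok | redirect | http-<code> | whitespace | mismatch
dcv_verdict() {
    case $1 in
        200) ;;
        3??) echo "redirect"; return 1 ;;   # redirects are not followed
        *)   echo "http-$1"; return 1 ;;
    esac
    # Byte-for-byte comparison: a trailing newline or CR added by an editor
    # makes the file differ from the token.
    if printf '%s' "$3" | cmp -s - "$2"; then
        echo "ok"; return 0
    fi
    # Same token once whitespace is stripped means stray spaces/line breaks.
    if [ "$(tr -d ' \t\r\n' < "$2")" = "$3" ]; then
        echo "whitespace"
    else
        echo "mismatch"
    fi
    return 1
}

# dcv_check DOMAIN TOKEN [SCHEME]
# Fetches the well-known path without -L, so curl does not follow redirects.
dcv_check() {
    url="${3:-http}://$1/.well-known/pki-validation/actalis.txt"
    body=$(mktemp) || return 2
    status=$(curl -sS --max-time 10 -o "$body" -w '%{http_code}' "$url") || status=000
    dcv_verdict "$status" "$body" "$2" && rc=0 || rc=$?
    rm -f "$body"
    return "$rc"
}
```

A "whitespace" verdict usually means the editor appended a line break when saving; run the check once per hostname when both the www and non-www names are being validated.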


      dns-change
      To prove that they control the domain, the Applicant must enter a TXT record on the DNS control panel for the domain to be validated (or a higher level domain).

      The TXT record must have the following value:
      "actalis-dcv=confirmationValue"
      where confirmationValue is a unique confirmation value generated by the CA: this value is sent by email to the Applicant's Technical Contact by the Actalis Customer Support team (if the request is submitted by email) or displayed to the Applicant (if the request is submitted via the website) and is valid for 30 days.

      To make sure the TXT record has been published correctly, you can use the "nslookup" (in a Windows environment) or "dig" (in a Linux environment) command.
       
      For Single Domains:
      If the domain name does not include www (so "example.com"), the Certificate will also include the domain with www (so "www.example.com"), and vice versa.

      The CA will automatically check for the presence of the TXT record on the domain.
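The dig check mentioned above, as an added example that is not Actalis or Aruba tooling: it looks for an exact actalis-dcv=confirmationValue record on the name and on each higher level domain. The function names are hypothetical and the confirmation value is supplied by the operator.

```shell
#!/bin/sh
# Added example (not Actalis or Aruba tooling). TOKEN is the confirmationValue
# issued by the CA; the dig lookup needs network access.

# txt_has_dcv TOKEN
# Reads `dig +short TXT <name>` output on stdin and succeeds only if one
# record is exactly actalis-dcv=TOKEN.
txt_has_dcv() {
    # dig quotes each record and splits long strings into chunks ("a" "b");
    # join the chunks and drop the outer quotes before comparing.
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' | grep -Fxq -- "actalis-dcv=$1"
}

# dcv_candidates FQDN
# Prints the name and each higher-level domain, stopping before the last label.
# It has no public-suffix list, so example.co.uk also yields co.uk.
dcv_candidates() {
    name=${1%.}
    while [ "$name" != "${name#*.}" ]; do
        echo "$name"
        name=${name#*.}
    done
}

# dcv_dns_check FQDN TOKEN
# Prints the first name that carries the record; fails if none does.
dcv_dns_check() {
    for n in $(dcv_candidates "$1"); do
        if dig +short TXT "$n" | txt_has_dcv "$2"; then
            echo "$n"; return 0
        fi
    done
    return 1
}
```

The match is exact, so a record saved with a trailing space or with an extra pair of quotes inside the value is reported as missing.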


      query-aruba
      This method can only be used for domains registered and managed by Aruba.

       
      For Single Domains:
      If the domain name does not include www (so "example.com"), the Certificate will also include the domain with www (so "www.example.com"), and vice versa.

      In this case, the Applicant does not need to do anything to prove that they control the domain in question: the CA itself will consult the database of domains managed by Aruba S.p.A. to carry out the check.
      In this case, validation may take several hours.
Once you have entered the details requested, click on Submit: you will be sent an email with the instructions you need to follow to validate the domain depending on which option you have chosen.
 
When managing an EV SSL Certificate, it is important that you:
  1. download the "Service agreement" form by clicking on Download PDF;
  2. sign this document digitally;
  3. send it as an attachment to the email address [email protected]

Validation is one of the steps required to get the SSL certificate, but not the only one: in fact, it is important that you follow all the instructions provided in the guide.
 
Important:
  • Domains must be validated within 30 calendar days, after which it is assumed that validation has failed.
  • Once validation has been successfully completed, the domain will be valid for 12 months; during this time, the Applicant can get one or more certificates containing this domain without further validation; after 12 months from the last validation process, you will need to complete the validation process again if you want any other certificates containing this domain.