Validation based on confirming ownership of an email account is the most common mechanism that certification authorities use when DV certificates are ordered. The purpose of validation is to ensure the authenticity of the certificate order before the new certificate is released. Before releasing a certificate, the certification authority must be sure that the domain specified in the certificate is registered and that the individual who administers the domain endorses the request for certificate issuance.
Validation of the email account is a mandatory step, carried out by the certification authority on the basis of publicly available information.
How does the validation process work?
Validation via e-mail confirmation consists of the following steps:
When you order a certificate, a list of authorized e-mail addresses is displayed. All of them are determined by the certification authority for the domain associated with the certificate. You select the appropriate address from the list.
The certification authority sends you a verification email, called a DCV email, with a unique link for verifying the certificate order and validating ownership of the domain. You need to follow the link to complete validation. Once you do, validation is confirmed and the CA generates the certificate.
Requirements for email
The main purpose of the validation process is to ensure that the certificate is requested by someone who has administrative authority over the domain. Therefore, the email address should be public and clearly associated with the user who is the owner or administrator of the domain specified in the certificate.
An administrative email address is usually similar to one of the following examples:
In this case, example.com is the domain for which the certificate is issued.
Alternatively, the verification email can be sent to another email address, but only if it is listed in the domain's WHOIS information. This is the only way for the CA to make sure that the address is legitimate and associated with the domain.
To use the e-mail address specified in the domain's WHOIS record, privacy settings need to be removed.
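As an added example (not part of the original page), the Python sketch below lists the administrative addresses a CA could offer for a certificate name and flags which existing mailboxes would be able to approve a DCV email. The five local parts come from the CA/Browser Forum Baseline Requirements rather than from this page; the function names, the registrable-domain argument and the mailbox directory are assumptions made for illustration.

```python
# Added example; the mailbox data below is constructed for illustration.
# Local parts a CA may combine with the domain to build a validation address
# (CA/Browser Forum Baseline Requirements; this list is not from the page).
DCV_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")


def candidate_domains(fqdn, registrable_domain):
    """Domains a CA may mail for `fqdn`: the name itself (wildcard label
    stripped) and each parent, stopping at the registrable domain."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    base = registrable_domain.lower().rstrip(".")
    if name != base and not name.endswith("." + base):
        raise ValueError(f"{fqdn!r} is not under {registrable_domain!r}")
    domains = [name]
    while name != base:
        name = name.split(".", 1)[1]  # drop the leftmost label
        domains.append(name)
    return domains


def dcv_addresses(fqdn, registrable_domain):
    """Every constructed address that could receive the DCV email."""
    return [f"{local}@{domain}"
            for domain in candidate_domains(fqdn, registrable_domain)
            for local in DCV_LOCAL_PARTS]


def audit_mailboxes(fqdn, registrable_domain, mailboxes, trusted_owners):
    """Return DCV-capable mailboxes held by anyone outside `trusted_owners`.
    `mailboxes` maps address -> owner (hypothetical export from a mail system)."""
    eligible = set(dcv_addresses(fqdn, registrable_domain))
    return sorted(addr.lower() for addr, owner in mailboxes.items()
                  if addr.lower() in eligible and owner not in trusted_owners)


if __name__ == "__main__":
    # Constructed sample: a mail directory for example.com.
    directory = {
        "hostmaster@example.com": "it-ops",
        "Webmaster@example.com": "marketing-contractor",
        "admin@shop.example.com": "j.doe",
        "sales@example.com": "sales-team",
    }
    for addr in audit_mailboxes("*.shop.example.com", "example.com", directory, {"it-ops"}):
        print("review ownership:", addr)
```

Any address the audit returns belongs to someone who could confirm a certificate order for the domain, so those mailboxes should be held only by the domain's administrators.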