Domain validation for TLS certificates

  Last updated April 03, 2018

When you purchase one of Fastly's TLS options, our partner Certificate Authority (GlobalSign) must verify you control the domains requested and that you authorize us to request a certificate service on your behalf. You can choose:

Regardless of the verification method you use, be sure to follow our instructions to begin the TLS ordering process.

DNS text record verification

We provide you with a unique DNS TXT record you need to add for the zone origin ("@") for each of your domains. The text of this entry will change depending on the certificate to which each domain is added. The meta tag will be formatted similar to one of the following (where the {META TAG} will change depending on the certificate):

We will provide you with the appropriate text record listed above. Consult the documentation for your registrar or DNS provider for more information about how to add the record. This text record must be wholly separate from other text records. A prepended, inserted, or appended record will not work.

Email verification

GlobalSign will give Fastly a list of acceptable email addresses to which they can send a validation email. Generally these email addresses match those that appear on the WHOIS record of the domain requested, plus the following:

For entries requested for a subdomain, each of those addresses @subdomain.domain.com will also work (e.g., admin@subdomain.domain.com).

We will send you the list of acceptable email address. You will need to tell us which email address to use. GlobalSign will then send a verification email to the email address you specify. Once you receive the verification email, you will need to click on a link in that email and follow the instructions to complete the validation.

URL verification

We provide you with an HTML meta tag you need to add to a specifically named web page served at the requested domain or apex domain you're adding. Use the format http://<REQUESTED APEX OR SUBDOMAIN>/.well-known/pki-validation/gsdv.txt where <REQUESTED APEX OR SUBDOMAIN> is the domain being added to the certificate. The meta tag will be formatted similar to one of the following (where the {META TAG} text will change depending on the certificate):

We will provide you with the appropriate meta tag listed above. This text must be served from the actual requested domain or root domain. For example, if you add the domain www.example.com to the certificate, GlobalSign will specifically query http://www.example.com or http://example.com during the verification process. The verification tag must be served from whatever resource is returned from that URL. GlobalSign will not follow redirects or request a file on that domain, such as http://www.example.com/verify.html or http://www.example.com/index.html.

Assisted TLS domain validation

To provide uninterrupted TLS services to your origin, Fastly automatically revalidates domains using the HTTP based validation method. Validation happens automatically at regular intervals prior to certificate renewal and does not require any action by you. As long as you maintain your DNS pointing to Fastly we will perform assisted TLS validation to avoid any potential interruption to your service.

If you do not want assisted TLS validation enabled, contact support@fastly.com for additional options.

Back to Top