Calculate CSR Hash

To use the CNAME or FILE validation options on Comodo orders, you will need the MD5 and SHA256 hashes of the CSR that was used. For orders placed via our API, the correct values are returned based on the chosen DCV method. Using the code below, you can calculate these values in your own system and get all required records in place before you place the order. As of 20 July 2017, the SHA256 hashes are required.

Read more details about Domain Control Validation for Comodo products in this article.

Create binary form of CSR

To calculate the hashes, the CSR needs to be in binary form, not Base64 as used during ordering. To do this, the following function can be used:

 function getBinaryCSR($csr)
 {
    // Strip the PEM header and footer lines, then decode the Base64 body to binary
    $data = base64_decode(str_replace([
                '-----BEGIN CERTIFICATE REQUEST-----',
                '-----END CERTIFICATE REQUEST-----',
                '-----BEGIN NEW CERTIFICATE REQUEST-----',
                '-----END NEW CERTIFICATE REQUEST-----'
             ], '', $csr));
    return $data;
 }

Create hashes

To generate the complete hashes, the following methods can be used:

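 $CSR = getBinaryCSR($CSR);                               // binary form of the CSR
 $MD5 = hash('md5', $CSR);                                // lowercase hex digest
 $SHA256 = hash('sha256', $CSR);                          // lowercase hex digest
 $MD5_Formatted = strtoupper($MD5);                       // uppercase, used for the validation file name
 $SHA256_Formatted = substr_replace($SHA256, '.', 32, 0); // dot inserted after the first 32 characters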

Create CNAME DNS record

For CNAME validation you can then use the following template for the DNS record:

 _<$MD5 hash>.<FQDN> CNAME <$SHA256_Formatted hash>

example: CNAME

Create File validation content

For validation by a file on an HTTP or HTTPS webserver, the following file should be created. Be aware that the MD5 hash needs to be in uppercase, so the MD5_Formatted variable is used here.

 http://<FQDN>/.well-known/pki-validation/<$MD5_Formatted hash>.txt

With the following content:

 <$SHA256 hash>

example: contents:
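The steps above combined into one helper, as an added example that is not part of the original article: it decodes the CSR in strict mode, so a malformed CSR is rejected instead of silently producing hashes that will never validate, and returns the CNAME and file values from the templates above. The function name `dcvRecords()`, its array keys, and the sample data are assumptions made for illustration.

```php
<?php
// Added example: builds both DCV artifacts from a PEM CSR, following the
// templates on this page. dcvRecords() and its array keys are hypothetical names.
function dcvRecords(string $pemCsr, string $fqdn): array
{
    // Strip the PEM armour (both header variants) and all whitespace/CRLF.
    $b64 = preg_replace(
        '/-----(BEGIN|END) (NEW )?CERTIFICATE REQUEST-----|\s+/',
        '',
        $pemCsr
    );

    // Strict mode: reject stray characters instead of silently skipping them,
    // which would otherwise yield hashes of the wrong bytes.
    $der = base64_decode($b64, true);
    if ($der === false || $der === '' || $der[0] !== "\x30") {
        throw new InvalidArgumentException('Input is not a Base64-encoded DER CSR');
    }

    $md5       = hash('md5', $der);
    $md5Upper  = strtoupper($md5);
    $sha256    = hash('sha256', $der);
    $sha256Dot = substr_replace($sha256, '.', 32, 0); // dot after 32 hex chars

    return [
        'cname_name'   => '_' . $md5 . '.' . $fqdn,
        'cname_target' => $sha256Dot,
        'file_url'     => 'http://' . $fqdn . '/.well-known/pki-validation/' . $md5Upper . '.txt',
        'file_content' => $sha256,
    ];
}

// Constructed sample: NOT a real CSR, just a DER SEQUENCE header plus filler bytes,
// wrapped two different ways to show the hashes depend only on the decoded bytes.
$der  = "\x30\x82\x01\x00" . str_repeat("\xAB", 60);
$pemA = "-----BEGIN CERTIFICATE REQUEST-----\n"
      . chunk_split(base64_encode($der), 64, "\n")
      . "-----END CERTIFICATE REQUEST-----\n";
$pemB = "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
      . chunk_split(base64_encode($der), 76, "\r\n")
      . "-----END NEW CERTIFICATE REQUEST-----\r\n";

$a = dcvRecords($pemA, 'example.com');
$b = dcvRecords($pemB, 'example.com');
var_dump($a === $b); // compares the records produced from the two wrappings
print_r($a);
```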
