HTTP01 Challenge and Domain Control

I'm kind of confused as to why people say you don't need control of a domain in order to get a cert for said domain.

For example, if I tried to request test.microsoft.com from my own web server, unless there is an A record in Microsoft's authoritative DNS server pointing test.microsoft.com to my web server's IP, I'm not going to get anywhere. So how do I not need control over someone's domain to request a cert for their domain?

If the above isn't the case then could someone please clarify how the HTTP01 challenge stops anyone in any way from requesting a cert for any domain they like?

1 Like

I don't know who would say that. You absolutely need to prove control over the domain

It's literally in the first paragraph of the Getting Started section

4 Likes

Who is saying this? Who's "people"? Because for a publicly trusted certificate you obviously require some control over the domain name, either using the IP address or the DNS.

For self-signed certificates (not publicly trusted) this is another matter of course.

4 Likes

Ok good, I'm not mental! For example, the chain below has quite a few people saying things similar to "you only need control of the web server, not the domain". Guessing this is just a miscommunication, because you would need access to both.

1 Like

"HTTP Control" over a single FQDN [like test.microsoft.com] doesn't prove domain ownership.
It simply means that you control the IP that is currently responsible for that FQDN.

Think of large hosting providers for a moment.
They can serve thousands of FQDNs from a single IP.
How can they do that securely? [HTTPS]
How can that one IP have control over all those domains? [they don't - they only control the IP]

So... in short:
"ownership" and "control" are not the same thing.

Technically, nothing stops anyone from making such request(s).
Procedures, however, stop them from being approved and obtaining certs for such [uncontrolled] requests.
HTTP-01 authentication is proof enough for [delegated] control of an FQDN.

You don't need to control the domain.
You merely need them to point [one of] their name(s) to an IP you control.

3 Likes

The communication seems clear.
The understanding of it seems twisted:
Domain ownership is not directly required.
Proof of control is directly required.
[again: "Ownership" and "Control" are not one and the same]

Take DDNS services.
They usually provide a variety of free domains to choose from.
Millions of people get certs from those domains.
Millions of people don't own any of those domains.
They only control the FQDN(s) that points to their IP.
And thus, are allowed to obtain a cert for said FQDN(s).

Maybe "domain" or "sub-domain" are also being misconstrued.

3 Likes

An even further outside the box example:

You have the key to the door that controls access to your dwelling [where you "live"/sleep].
Does that imply that you own it? [no]
It only implies that the owner [maybe you - maybe not you] has allowed you to use it.
With that [key] control, you can do many things there - even if you don't actually own it:

  • paint the place [inside out]
  • change the furniture
  • do work/repairs
  • throw parties
  • invite others to live/eat/sleep there

3 Likes

Well, you need some control over the domain's DNS zone in order to add the correct IP address in an A or AAAA RR. Without the correct A/AAAA RR, the http-01 or tls-alpn-01 challenge won't work either.

That said, if someone else manages the domain name and would be willing to point an A/AAAA RR to your server, then yes, you can issue certs without having actual control over the DNS zone. But that's simply allowed, this "indirect proof" of domain control. It would be some kind of delegated proof of control, I guess.

2 Likes
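The validation flow the two posts above describe (the CA resolves the name to an IP, fetches the token from that IP, and never asks who registered the zone), written out as an added example that is not part of this thread. The zone, IP addresses, token and account JWK are constructed stand-ins; the thumbprint follows RFC 7638 and the key authorization follows RFC 8555 section 8.1.

```python
import base64
import hashlib
import json

# Constructed stand-in data (not real hosts): the authoritative zone answers
# one A record per name, and each IP serves files under /.well-known/acme-challenge/.
ZONE = {"test.example.com": "203.0.113.10", "other.example.com": "203.0.113.99"}
WEB_SERVERS = {"203.0.113.10": {}, "203.0.113.99": {}}
# Constructed ACME account key (public part only); the coordinates are placeholders.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members, sorted, without whitespace."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def provision(ip: str, token: str, jwk: dict) -> None:
    """Applicant side: place the key authorization on the host they control (the IP)."""
    WEB_SERVERS[ip][token] = key_authorization(token, jwk)


def validate_http01(fqdn: str, token: str, jwk: dict) -> tuple[bool, str]:
    """CA side: resolve the name, fetch the token from that IP, compare the body.
    Note what is absent: no check of who owns or administers the DNS zone."""
    ip = ZONE.get(fqdn)
    if ip is None:
        return False, f"{fqdn}: no A record, nothing to connect to"
    body = WEB_SERVERS.get(ip, {}).get(token)
    if body is None:
        return False, f"{fqdn}: {ip} did not serve the token"
    if body != key_authorization(token, jwk):
        return False, f"{fqdn}: key authorization mismatch"
    return True, f"{fqdn}: control proven via {ip}"


def demo() -> dict:
    """The applicant controls only 203.0.113.10 and provisions the token there."""
    token = "constructed-token"
    provision("203.0.113.10", token, ACCOUNT_JWK)
    return {name: validate_http01(name, token, ACCOUNT_JWK)[0]
            for name in ("test.example.com", "other.example.com", "nx.example.com")}
```

Only the name whose A record points at the applicant's server validates; a name that points elsewhere fails because the CA connects to that other IP, and a name with no record fails before any HTTP request is made.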

I think this has cleared it all up. The main misunderstanding was just that there's a fine line between access and ownership in this instance, and any prior examples I'd found said that domain ownership is not required but omitted the fact that domain access, to be able to create an A record, is required, which is what I had assumed.

Thanks guys!

3 Likes
