Simplifying Custom Domain Certificate Renewals - Introducing Automated Management with ACME
Overview
Clarivate utilizes the Automated Certificate Management Environment (ACME) protocol to manage custom domain certificates.
This eliminates the need for manual Certificate Signing Requests (CSR) and manual installations.
- Standard Issuer: Let’s Encrypt.
- Certificate Lifespan: 90 days.
- Renewal Cycle: Automated attempts occur every 60 days (30 days before expiry).
- Supported Products: Primo Classic, Primo VE, Leganto, Esploro Portal, campusM, SFX and Rosetta.
Validation Methods
To issue a certificate, Clarivate must prove ownership of the domain. Two methods are supported:
1. HTTP Validation (Default)
This is the standard automated method for most environments.
- Mechanism: The ACME client places a temporary validation token at: http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>
- Requirement: Your domain’s CNAME or A-record must already point to Clarivate infrastructure.
- Customer Action: None. Clarivate handles the token placement and renewal automatically.
2. DNS Validation
DNS validation is required for specific architectural configurations where HTTP validation is not feasible.
- Mandatory for Wildcard Certificates: If you require a certificate for *.example.com, DNS validation is the only supported method.
- Technical Configuration: You must configure a CNAME record in your DNS zone to delegate validation to Clarivate:
  - Record Name: _acme-challenge.example.com
  - Target: _acme-challenge.example.com.exlibrisgroup.com.
Note: Replace example.com with your actual domain name.
Advanced Configuration: External Account Binding (EAB)
For institutions with specific regulatory or corporate requirements, Clarivate supports ACME automation via External Account Binding (EAB). This allows our systems to authenticate against your institution’s own Certificate Authority (CA) account.
Use Cases
- Policy Compliance: Mandatory use of a specific internal or corporate CA (e.g., DigiCert, Sectigo, Entrust).
- Organization Validated (OV) Certificates: Where standard Domain Validation (DV) does not meet institutional security tiers.
- FedRAMP Requirements: Adherence to specific certificate management and encryption standards for authorized environments.
Implementation Requirements
To enable EAB, provide the following credentials to Clarivate Support via a Salesforce case:
- ACME Directory URL: The specific API endpoint provided by your CA.
- EAB KID (Key Identifier): Provided by your CA.
- HMAC Key: Provided by your CA.
Clarivate supports any publicly certified CA compliant with the ACME (RFC 8555) standard.
Enrollment and Ongoing Management
The rollout that began in 2025 is now the primary management state for all custom domains.
- Active Enrollment: Enrollment is handled automatically by Clarivate. Clarivate will monitor all certificate statuses and will proactively reach out to customers if an exception occurs or if manual intervention (such as a DNS update) is required.
- China Region: Due to local hardware regulations, this automated process remains unavailable for domains hosted in the China region.
- Notifications: Manual 30/60-day expiry reminders have been replaced by background automation.
General Questions and Support Requests
Frequently Asked Questions (FAQ)
Q: Will there be downtime during renewal?
A: No. The ACME protocol ensures the new certificate is validated and installed before the old one expires. The transition is seamless.
Q: How can I verify if my certificate has been automated?
A: Inspect the certificate details via your browser. If the "Issuer" is Let’s Encrypt (or your institutional CA via EAB), the domain is successfully managed by the automated system.
Q: What if I need to change my domain (add/remove SANs)?
A: Open a support case via Salesforce. Clarivate engineers will update the ACME client configuration to include the new domains in the next renewal cycle.

