Changes in Domain Control Validation procedure

1 September 2021

Changes to domain validation have been announced that will take effect before the end of this year. They concern file-based validation only, so this announcement is relevant to you only if you use file validation as your Domain Control Validation method when requesting SSL certificates.

What is Domain Control Validation?

Domain Control Validation (DCV) is the process by which a CA obtains evidence that a particular domain is controlled by the applicant for a certificate. Several DCV methods exist; one of them is file-based validation, in which the domain owner uploads to the domain a file containing a unique identifier that the Certificate Authority (CA) has given to the certificate applicant. The CA then locates and retrieves this file as proof that the requestor controls the domain.

What is the reason for this change?

The procedures for the issuance and verification of SSL certificates are continuously reviewed by the CA/Browser Forum and tightened where necessary, in order to keep the use of certificates as safe as possible. The CA/Browser Forum recently passed ballot SC45 regarding the use of file-based domain validation as a domain validation method. The CA/Browser Forum has determined that this method is inadequate for validating wildcard domains or entire domain spaces.

What will change exactly?

Sectigo will implement this policy change beginning November 15, 2021. Use of the file-based DCV method will be affected in the following ways:

  • File-based DCV will be disallowed for the validation of domains in wildcard certificates.
  • When using file validation for multi-domain certificates, domain validation will be required for every FQDN/SAN individually.
  • When using file validation for single-domain certificates, domain validation will be required for every FQDN/SAN individually.

What is the impact?

Summarized:

  • The announced changes will not affect existing certificates issued before November 15, 2021, regardless of the DCV method used at issuance time.
  • They will affect all new orders, renewals and reissues after November 15 that use file validation as the DCV method.
  • Other domain control validation methods are not impacted by this change, so it does not apply to email- and DNS-based validation, which remain available for wildcard certificates.
  • If you currently use file validation for wildcard certificates, you will have to switch to email validation or CNAME validation.
  • If you use file validation for single- and multi-domain certificates and want to continue using it, you will need to prepare a separate file for each subdomain (SAN), or switch to another DCV method.
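The following Python script is an added example, not Sectigo's own tooling, that turns the two rules above (one validation file per FQDN, no file-based DCV for wildcard names) into a pre-order check you can run against your own web servers before submitting a request. It assumes the validation file is served under `/.well-known/pki-validation/`, the path the CA/Browser Forum Baseline Requirements use for the "agreed-upon change to website" method; the file name `ABC123.txt` and the content `sample-token-value` are placeholders, since the real values come from the CA with your order. The sample responses are constructed in memory so the script runs offline; swap `sample_fetch` for a real HTTP fetch to test a live deployment.

```python
from typing import Callable, Dict, List

# Path used by the CA/Browser Forum Baseline Requirements for the
# "agreed-upon change to website" method. The file name and the expected
# content are CA-specific; here they are caller-supplied placeholders.
WELL_KNOWN_PATH = "/.well-known/pki-validation/"


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.Example.com.' matches 'www.example.com'."""
    return name.strip().lower().rstrip(".")


def is_wildcard(name: str) -> bool:
    return normalize(name).startswith("*.")


def plan_file_validation(sans: List[str], file_name: str) -> Dict[str, str]:
    """Map every FQDN in the order to the URL the CA would fetch.

    Each SAN gets its own entry: a file on example.com no longer covers
    www.example.com. Wildcard names are rejected because file-based DCV
    is no longer accepted for them.
    """
    plan: Dict[str, str] = {}
    for san in sans:
        fqdn = normalize(san)
        if is_wildcard(fqdn):
            raise ValueError(
                f"{fqdn}: file-based DCV is not allowed for wildcard names; "
                "use email or DNS CNAME validation instead"
            )
        plan[fqdn] = f"http://{fqdn}{WELL_KNOWN_PATH}{file_name}"
    return plan


def check_validation_files(
    plan: Dict[str, str], expected_content: str, fetch: Callable[[str], str]
) -> Dict[str, bool]:
    """Fetch each planned URL and report whether its body matches the token.

    `fetch` is injected so the same check can run against a real web server
    (e.g. with urllib) or, as below, against a constructed response table.
    """
    results: Dict[str, bool] = {}
    for fqdn, url in plan.items():
        try:
            body = fetch(url)
        except Exception:  # a 404 or connection error means "file missing"
            results[fqdn] = False
            continue
        results[fqdn] = body.strip() == expected_content.strip()
    return results


def missing_files(results: Dict[str, bool]) -> List[str]:
    """FQDNs that still need a correct validation file before ordering."""
    return sorted(fqdn for fqdn, ok in results.items() if not ok)


# Constructed sample: the operator placed the current file on the base domain
# only (enough before the change), left a stale file on shop.example.com and
# nothing at all on the other SANs.
FILE_NAME = "ABC123.txt"          # placeholder, not a real CA-issued file name
EXPECTED = "sample-token-value"   # placeholder, not a real CA-issued token
SAMPLE_RESPONSES = {
    "http://example.com/.well-known/pki-validation/ABC123.txt": "sample-token-value\n",
    "http://shop.example.com/.well-known/pki-validation/ABC123.txt": "stale-token-value\n",
    # www.example.com and api.example.com have no entry, i.e. they would 404
}


def sample_fetch(url: str) -> str:
    return SAMPLE_RESPONSES[url]  # KeyError stands in for an HTTP 404


def run_sample() -> List[str]:
    sans = ["example.com", "www.example.com", "shop.example.com", "api.example.com"]
    plan = plan_file_validation(sans, FILE_NAME)
    results = check_validation_files(plan, EXPECTED, sample_fetch)
    return missing_files(results)


if __name__ == "__main__":
    print("SANs still lacking a correct validation file:", run_sample())
```

Running the sample reports `www.example.com`, `shop.example.com` and `api.example.com` as not yet validated, which is exactly the situation the per-FQDN rule creates for an order that used to rely on a single file on the base domain. Passing `*.example.com` to `plan_file_validation` raises an error, mirroring the point that a wildcard order must move to email or CNAME validation.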

You can find more information in our FAQ. Do you have any questions? Feel free to contact us!
