Comodo changes domain validation
29 June 2017
The CA/Browser Forum has specified new rules for domain validation, which change how control of a domain is checked before a certificate is issued. Comodo announced the implementation of these rules at short notice: they take effect on July 20th 2017. The adjustments primarily affect the alternative validation methods, DNS CNAME and file (HTTP) validation. These adjusted CA/B Forum guidelines will be implemented by all CAs, not only Comodo.
What is Domain Control Validation (DCV)?
DCV is the procedure by which a CA verifies that the requester controls a domain before a certificate is issued. Comodo offers three DCV mechanisms:
- Email - a confirmation message sent to an administrative contact address for the domain.
- HTTP(S) - the CA looks for a text file with specific content at a specified location on the domain's web server.
- DNS CNAME - the CA looks for a CNAME record with a specific name and target in the domain's DNS zone.
These three methods will still be available after the 20th of July, however, some of the technical details such as the location and contents of the file or the form of the DNS record will be changing.
What will change?
- Email validation stays the same, but will only be valid for up to 30 days.
- HTTP(S) validation changes in both file content and file location. Instead of the web root of the FQDN, a specific path is used, and the SHA-1 hash currently placed in the file is replaced by a SHA-256 hash.
- Under the new rules the validation value must be unique, so a given hash can only be used once. When the same CSR is reused, its hashes are identical to those of the previous request, so an extra value has to be added to make the validation value unique.
What does this mean for me?
- Until July 20 both the old method (SHA-1 and MD5 hashes) and the new method (SHA-256 and MD5 hashes) can be used; after July 20 only the new method is accepted.
- If you order through our website via the Control Panel, you will be shown the new values needed to perform the DCV.
- If you use the API, or if you have automated the HTTP(S) or DNS part of the process, you may need to make changes if you calculate the hash values yourself. For orders placed through our API, the correct values are returned based on the selected DCV method.
- When a new, unique CSR is used for a renewal or reissue, the SHA-256 / MD5 hashes alone are sufficient.
- In some cases it can make sense to reuse the same CSR for a renewal or reissue; in that case the current domains do not need to be revalidated when reissuing. For these requests you have to create a unique validation value by adding a 'Unique Value'. Xolphin generates these values for you; you can also pass your own through the REST API.
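For readers who calculate the DCV values themselves (the API and automation cases above), the following Python is an added example, not Xolphin's or Comodo's own code, showing how the MD5 and SHA-256 hashes of a CSR are turned into the HTTP(S) file and DNS CNAME values, and how a 'Unique Value' is appended when a CSR is reused. It goes slightly beyond the text by covering the CNAME form as well as the file form. The exact layout it assumes (hashes computed over the DER encoding of the CSR, file at `/.well-known/pki-validation/<MD5 uppercase>.txt`, file content of SHA-256 hex, `comodoca.com` and the optional unique value on separate lines, CNAME `_<MD5>.<fqdn>` pointing at the SHA-256 hex split into two 32-character labels followed by the optional unique value and `comodoca.com`) is my recollection of the post-July-2017 Comodo format and is an assumption; always compare against the values your Control Panel or the API returns. The embedded CSR is a constructed placeholder whose base64 body decodes to `b"abc"`, so the digests are easy to check; it is not a real CSR.

```python
import base64
import hashlib
import re
import secrets
from typing import Optional, Tuple

# Constructed placeholder standing in for a PEM-encoded CSR. The base64 body
# decodes to b"abc"; in real use this is the CSR you submitted for the order.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "YWJj\n"
    "-----END CERTIFICATE REQUEST-----\n"
)

# Assumed layout of the post-July-2017 Comodo format (assumption: verify
# against the values the Control Panel / API gives you for the order).
HTTP_PATH_PREFIX = "/.well-known/pki-validation/"
CA_DOMAIN = "comodoca.com"


def csr_pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes.
    Both hashes are computed over the DER encoding, not over the PEM text."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def csr_hashes(der: bytes) -> Tuple[str, str]:
    """Return (MD5 uppercase hex, SHA-256 lowercase hex) of the DER CSR.
    MD5 still names the file / DNS label; SHA-256 replaces the old SHA-1
    in the validation value itself."""
    md5_hex = hashlib.md5(der).hexdigest().upper()
    sha256_hex = hashlib.sha256(der).hexdigest().lower()
    return md5_hex, sha256_hex


def new_unique_value() -> str:
    """Illustrative generator for a 'Unique Value' (assumption: any short
    alphanumeric string is accepted; Xolphin normally supplies one)."""
    return secrets.token_hex(8)


def http_validation(der: bytes, unique_value: Optional[str] = None) -> Tuple[str, str]:
    """Build (path, file_content) for HTTP(S) DCV. The unique value is only
    appended when the CSR is being reused and the hashes alone are not unique."""
    md5_hex, sha256_hex = csr_hashes(der)
    lines = [sha256_hex, CA_DOMAIN]
    if unique_value:
        lines.append(unique_value)
    return HTTP_PATH_PREFIX + md5_hex + ".txt", "\n".join(lines) + "\n"


def cname_validation(der: bytes, fqdn: str, unique_value: Optional[str] = None) -> Tuple[str, str]:
    """Build (record_name, target) for DNS CNAME DCV. A 64-character SHA-256
    hex string exceeds the 63-byte DNS label limit, so it is split in two."""
    md5_hex, sha256_hex = csr_hashes(der)
    name = "_" + md5_hex + "." + fqdn
    labels = [sha256_hex[:32], sha256_hex[32:]]
    if unique_value:
        labels.append(unique_value)
    labels.append(CA_DOMAIN)
    return name, ".".join(labels)


def check_http_response(der: bytes, unique_value: Optional[str], served_content: str) -> bool:
    """Pre-flight check mirroring what the CA does: compare what your web
    server actually serves with the expected value for this CSR + unique value.
    Whitespace differences are ignored; a missing or wrong unique value fails."""
    _, expected = http_validation(der, unique_value)
    return served_content.split() == expected.split()


if __name__ == "__main__":
    der = csr_pem_to_der(SAMPLE_CSR_PEM)
    uv = new_unique_value()
    path, content = http_validation(der, uv)
    print("PUT this file at", path)
    print(content)
    name, target = cname_validation(der, "example.com", uv)
    print("or publish:", name, "CNAME", target)
```

Run it once per order, after the CA has issued the certificate, fetch the file yourself with the same hostname the CA will use and pass the body to `check_http_response` before requesting validation; a cached or rewritten response (for example a CDN stripping the `.well-known` path, or a redirect to the apex) is the usual reason a correctly computed value still fails.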