The upcoming changes to HTTP domain control validation

There will be a change in the requirements for SSL certificates seeking validation using the HTTP domain control validation (DCV) method in the coming weeks. This change is in keeping with new rules set out by the CA/Browser Forum, which has determined that in some instances, HTTP validation may allow threat actors to obtain SSL certificates for domains they don’t actually own.

If you already have an issued SSL certificate, this change won’t affect you. However, if you’re planning to purchase, reissue, reactivate, or renew an SSL certificate and validate via HTTP DCV in the near future, read on to find out more about these changes and how they may impact you.

To learn more about DCV and HTTP DCV, see the FAQ section at the end of this post.

What exactly is changing?

The main changes are:

  • The HTTP DCV option will no longer be offered for Wildcard SSL certificates.
  • Single-domain and Multi-domain certificates validated via HTTP DCV will require the validation file to be served for each individual SAN on the certificate (for a single-domain certificate, both the domain and its www subdomain).

Email and DNS validation will not be affected, so you’ll still be able to validate your site by receiving an email or placing a CNAME record in your site’s DNS settings, whatever your SSL certificate type.

When will the changes take place?

We will remove the HTTP DCV option for Wildcard SSL certificates on SSLs.com on October 21, 2021. From November 15, 2021, Single-domain & Multi-domain certificates will require validation for each individual SAN on the certificate.

How will this affect me?

As we said earlier, if you already have your issued SSL, you don’t need to do anything. 

If you have yet to activate your SSL or have one pending HTTP DCV, here are the new requirements based on SSL type:

Wildcard SSLs

If you have a Wildcard SSL pending domain validation using the HTTP method, you can complete DCV via this method until November 15, 2021. If you don’t complete HTTP DCV before November 15, you’ll need to change the DCV method to Email or DNS to have the SSL issued. You can change your DCV method by using the SSL Order Status Checker tool.

Single-domain SSLs

If you have a single-domain certificate that’s pending HTTP DCV after November 15, you’ll need to upload the validation file to both the main domain and the www subdomain.

If we take blog.example.com as an example, before November 15, you’ll only need to place the validation file for an activated single-domain SSL in: http://blog.example.com/.well-known/pki-validation/file.txt.

However, after November 15, the file must be available at both: http://blog.example.com/.well-known/pki-validation/file.txt and http://www.blog.example.com/.well-known/pki-validation/file.txt.

Multi-domain SSLs

If you have a multi-domain certificate pending HTTP DCV after November 15, you’ll need to validate each SAN individually.

For example, if you activate a multi-domain SSL for example.com, www.example.com, and example.net, then the file will need to be made available at the following URLs:

  • http://example.com/.well-known/pki-validation/file.txt
  • http://www.example.com/.well-known/pki-validation/file.txt
  • http://example.net/.well-known/pki-validation/file.txt

Before, the files only needed to be available at: http://example.com/.well-known/pki-validation/file.txt and http://example.net/.well-known/pki-validation/file.txt.
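The single-domain and multi-domain cases above, as an added pre-flight check that is not part of the original post: the script works out which URLs must serve the validation file under the old and the per-SAN rule, then fetches each one and reports whether it is reachable and carries the expected content. The certificate-type labels, the generalisation that under the old rule a www.<name> SAN was covered by <name>, and the use of a plain urllib GET to stand in for the CA's request are assumptions of this example.

```python
"""Pre-flight check for HTTP (file-based) DCV under the per-SAN rule."""
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/pki-validation/"


def required_urls(sans, cert_type, filename, new_rules=True):
    """Return the URLs that must serve the validation file.

    cert_type is "single", "multi" or "wildcard"; new_rules selects the
    per-SAN requirement that applies from November 15, 2021. Assumption
    (generalised from the post's example): under the old rule a www.<name>
    SAN was covered by <name> when <name> was also on the certificate.
    """
    if cert_type == "wildcard":
        # HTTP DCV is withdrawn for Wildcards; Email or DNS DCV must be used.
        raise ValueError("HTTP DCV is not available for Wildcard certificates")
    hosts = {s.lower().rstrip(".") for s in sans}
    if cert_type == "single":
        if len(hosts) != 1:
            raise ValueError("a single-domain certificate has exactly one SAN")
        base = next(iter(hosts))
        hosts = {base, "www." + base} if new_rules else {base}
    elif cert_type == "multi":
        if not new_rules:
            hosts = {h for h in hosts
                     if not (h.startswith("www.") and h[4:] in hosts)}
    else:
        raise ValueError(f"unknown certificate type: {cert_type}")
    return sorted(f"http://{h}{WELL_KNOWN}{filename}" for h in hosts)


def check_validation_files(urls, expected, fetch=None):
    """Fetch every URL; report 'ok', 'content mismatch' or 'unreachable: ...'.

    fetch(url) -> body text. The default is a plain HTTP GET via urllib
    (assumed here to approximate the CA's request; redirects are followed).
    """
    if fetch is None:
        def fetch(url):
            with urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
    report = {}
    for url in urls:
        try:
            body = fetch(url)
            report[url] = "ok" if body.strip() == expected.strip() else "content mismatch"
        except Exception as exc:  # DNS failure, 404, timeout, refused connection
            report[url] = f"unreachable: {exc}"
    return report
```

Run it against the SANs you are about to activate and fix every URL that is not reported "ok" before requesting HTTP DCV.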

How SSLs.com will help users pass DCV following the new requirements

For Wildcard SSLs, we will remove the HTTP DCV option on October 21.

To give users more options, we will also add DNS validation to the available DCV methods at the SSL activation stage for single-domain and wildcard certificates. This will allow users to validate domain names by adding a CNAME record to their domain’s DNS zone. 

As always, our support team is available 24/7/365 to help you get your SSLs validated.

FAQ

What is DCV?

DCV or Domain Control Validation is a process used by Certificate Authorities to prove that the person requesting an SSL for a specific domain has control over that domain.

What is HTTP (file-based) DCV?

HTTP DCV is a DCV method that requires the requestor to upload a validation file to their domain’s hosting server so that the Certificate Authority can check it and verify domain ownership.

Why are these changes happening?

The CA/Browser Forum, the organization that manages SSL certificate rules and procedures, has determined that HTTP validation comes with the risk of threat actors obtaining certificates for subdomains they don’t legitimately control.

Will these changes apply to reissue and renewals?

Yes, these changes will apply to all new, reissued, reactivated, and renewal SSL certificates validated using the HTTP DCV method.
