Two domain validation policy changes are expected to take effect before the end of 2021 that may affect how you validate your domains for certificate requests. These policy changes apply to all new certificate requests, renewals, reissues and pre-validated domains. These changes won’t affect TLS/SSL certificates already issued.
No immediate action is required. However, prepare to:
Additionally, to help you minimize certificate lifecycle disruption and maintain your business processes, we are working on future notifications, enhancements and training materials.
In the meantime, review the current Domain Control Validation (DCV) Methods to see what other domain validation options you have.
Mozilla and the CA/B Forum are reducing the domain validation reuse period to 398 days. DigiCert will implement a 397-day reuse period to ensure absolute compliance.
This will require customers who manage pre-validated domains to revalidate their domains roughly every 13 months.
DigiCert will implement the changes between September 27 and 30, 2021.
Additional details:
The CA/B Forum recently voted on a ballot regarding file-based domain validation, also known as file auth, http token, http auth, or CA/B Forum Baseline Requirements methods 18 (3.2.2.4.18) and 19 (3.2.2.4.19).
Beginning November 16, 2021, the change will affect the use of the file-based DCV method in the following ways:
Note: Email and DNS-based DCV methods are not affected.
| FQDN/SAN in certificate | Location of domain validation file | Allowed for certificate issued on or before November 15, 2021? | Allowed for certificate issued after November 16, 2021? |
| --- | --- | --- | --- |
| example.com | example.com | Yes | Yes |
| sub.example.com | sub.example.com | Yes | Yes |
| sub.example.com | example.com | Yes | No |
| *.example.com | example.com | Yes | No |
| www.example.com | example.com | Yes | No |
| www.sub.example.com | sub.example.com | Yes | No |
Currently, for many of the DCV methods, the CA/B Forum Baseline Requirements consider an FQDN (e.g. subdomain2.subdomain.example.com) or wildcard domain (e.g. *.subdomain.example.com) to be validated once its base domain (e.g. example.com) or other superior domain name (e.g. subdomain.example.com) is validated.
However, the policy change will require separate validation for each FQDN/SAN when file-based validation is used, and file-based validation will be disallowed entirely for wildcard certificates since wildcard domain names are not considered FQDNs.
Note that this change does not apply to Email and DNS-based validation, which can still be used for wildcard certificates and can be performed at the base domain level or other shared superior domain to validate subdomains and wildcard domains.
The policy change is expected to take effect on November 16, 2021.
NOTE: This article previously stated that changes would go into effect on November 15, 2021. In order to ensure a smooth roll-out and additional code review, the changes were pushed by 24 hours.
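The two rules described above (superior-domain coverage before the cutover, exact-FQDN matching and no wildcards after it, plus the 397-day reuse window) as an added Python audit helper; this is example code, not DigiCert's own, and it assumes the new rule applies from November 16, 2021 onward and that the reuse window is counted in whole days from the validation date.

```python
from datetime import date, timedelta

FILE_DCV_CUTOVER = date(2021, 11, 16)  # new file-based rule applies from this day (assumption on the boundary)
REUSE_PERIOD = timedelta(days=397)     # DigiCert's stated validation reuse period

def _norm(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")

def is_superior_or_equal(validated: str, fqdn: str) -> bool:
    """True if `validated` is `fqdn` itself or one of its superior (parent) domains."""
    v, f = _norm(validated), _norm(fqdn)
    return f == v or f.endswith("." + v)

def file_dcv_allowed(san: str, file_host: str, issue_date: date) -> bool:
    """Does a validation file served from `file_host` cover `san` for a certificate issued on `issue_date`?"""
    if issue_date < FILE_DCV_CUTOVER:
        # Old rule: the base domain or another superior domain covers subdomains and wildcards.
        target = san[2:] if san.startswith("*.") else san
        return is_superior_or_equal(file_host, target)
    # New rule: wildcards are not FQDNs, so file-based DCV cannot cover them,
    # and every other FQDN/SAN must host its own validation file.
    if san.startswith("*."):
        return False
    return _norm(san) == _norm(file_host)

def sans_that_break(pairs, issue_date: date = FILE_DCV_CUTOVER):
    """SANs whose file placement was accepted before the cutover but is not on `issue_date`."""
    day_before = FILE_DCV_CUTOVER - timedelta(days=1)
    return [san for san, host in pairs
            if file_dcv_allowed(san, host, day_before)
            and not file_dcv_allowed(san, host, issue_date)]

def validation_reusable(validated_on: date, today: date) -> bool:
    """True while a prior validation is inside the 397-day reuse window
    (assumption: counted in whole days from the validation date)."""
    return today - validated_on < REUSE_PERIOD

# Constructed sample: the (SAN, validation-file location) rows from the table above.
TABLE_ROWS = [
    ("example.com", "example.com"),
    ("sub.example.com", "sub.example.com"),
    ("sub.example.com", "example.com"),
    ("*.example.com", "example.com"),
    ("www.example.com", "example.com"),
    ("www.sub.example.com", "sub.example.com"),
]
```

`sans_that_break(TABLE_ROWS)` returns the four rows the table marks "No" after the cutover; those SANs need their own validation file at the exact FQDN or a switch to DNS or email DCV.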