DigiCert KnowledgeBase - Technical Support


Domain validation policy changes in 2021

Solution ID : AL290421223713
Last Modified : 10/21/2023

Description

Two domain validation policy changes are expected to take effect before the end of 2021 that may affect how you validate your domains for certificate requests. These policy changes apply to all new certificate requests, renewals, reissues and pre-validated domains. These changes won’t affect TLS/SSL certificates already issued.

  • Domain revalidation will be required every 397 days.
    DigiCert will implement the changes between September 27 and 30, 2021.
  • File-based domain validation, also known as file auth, http token, or http auth, will be disallowed for wildcard certificates, and when used for non-wildcard certificates, domain validation will be required for every individual SAN/fully qualified domain name (FQDN).
    DigiCert will implement the changes on November 16, 2021.
  • These policy changes affect all public TLS/SSL certificates.

Solution

No immediate action is required. However, prepare to:

  • Perform domain validation more frequently.
    Domain validation will expire every 397 days and disrupt certificate requests, renewals, and reissues if the domains are not revalidated.
  • Review your pre-validated domains before September 27, 2021.
    Existing domain validation expiration dates will be adjusted between September 27 and 30, 2021. We will notify you as the date approaches with an action plan.
  • Change your domain validation method for wildcard certificates/domains if you use file-based validation. We recommend the Email to DNS TXT Contact DCV method for those who prefer a static value and e-mail based domain validation.
  • Make process and/or system changes to validate every SAN/FQDN individually (including the “free www.” SAN included in some certificates) if you want to continue using file-based validation for non-wildcard certificates. Alternately, change to DNS or Email validation methods to validate base domains (example.com) or an entire domain space.

Additionally, to help you minimize certificate lifecycle disruption and maintain your business processes, we are working on future notifications, enhancements and training materials.
In the meantime, review the current Domain Control Validation (DCV) Methods to see what other domain validation options you have.

397-day domain validation reuse changes

Mozilla and the CA/B Forum are reducing the domain validation reuse period to 398 days. DigiCert will implement a 397 day reuse period to ensure absolute compliance.

This will require customers who manage pre-validated domains to revalidate their domains roughly every 13 months.

DigiCert will implement the changes between September 27 and 30, 2021.

Additional details:

  • CA/B Forum Ballot SC42: 398-day Re-use Period
  • Mozilla Root Store Policy 2.7.1 includes Mozilla’s updated domain validation reuse policy. See section 2.1, item 5.1.
  • EV domain validation is mostly unaffected because domains on EV certificates already require revalidation every 13 months. The reuse period changes from 13 months to 397 days, which is just over 13 months.
  • Organization name validation is not affected and remains valid for 825 days for OV certificates and 13 months for EV certificates.

Domain control validation (DCV) using file-based validation changes

The CA/B Forum recently voted on a ballot regarding file-based domain validation, also known as file auth, http token, http auth, or CA/B Forum Baseline Requirements methods 18 (3.2.2.4.18) and 19 (3.2.2.4.19).

Beginning November 16, 2021, the change will affect the use of the file-based DCV method in the following ways:

  • Disallow this method for validation of domains in wildcard certificates.
  • Require domain validation for every FQDN/SAN individually when this method is used for validation of domains in non-wildcard certificates.
Note: Email and DNS-based DCV methods are not affected.

Illustration of upcoming changes to file-based validation

FQDN/SAN in certificate | Location of domain validation file | Allowed for certificate issued on or before November 15, 2021? | Allowed for certificate issued after Nov. 16, 2021?
------------------------|------------------------------------|----------------------------------------------------------------|----------------------------------------------------
example.com             | example.com                        | Yes                                                            | Yes
sub.example.com         | sub.example.com                    | Yes                                                            | Yes
sub.example.com         | example.com                        | Yes                                                            | No
*.example.com           | example.com                        | Yes                                                            | No
www.example.com         | example.com                        | Yes                                                            | No
www.sub.example.com     | sub.example.com                    | Yes                                                            | No

Currently, for many of the DCV methods, the CA/B Forum Baseline Requirements consider an FQDN (e.g. subdomain2.subdomain.example.com) or wildcard domain (e.g. *.subdomain.example.com) to be validated once its base domain (e.g. example.com) or other superior domain name (e.g. subdomain.example.com) is validated.


However, the policy change will require separate validation for each FQDN/SAN when file-based validation is used, and file-based validation will be disallowed entirely for wildcard certificates since wildcard domain names are not considered FQDNs.

Note that this change does not apply to Email and DNS-based validation, which can still be used for wildcard certificates and can be performed at the base domain level or other shared superior domain to validate subdomains and wildcard domains.
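The following is an added example, not DigiCert's own code, that encodes the two rules this article describes: the 397-day validation reuse period, and the file-based DCV rule before and after the November 16, 2021 cut-over (each non-wildcard SAN must host its own validation file; wildcards cannot use the method at all). Function names, the assumption that a certificate issued on November 16 falls under the new rule, and the sample inputs are mine.

```python
from datetime import date, timedelta

# Values taken from the article; the cut-over date is assumed to apply
# to certificates issued on or after November 16, 2021.
REUSE_DAYS = 397
FILE_DCV_CHANGE = date(2021, 11, 16)


def revalidation_due(validated_on: date, today: date) -> bool:
    """True once a domain validation is older than the 397-day reuse period."""
    return today > validated_on + timedelta(days=REUSE_DAYS)


def is_superior_domain(candidate: str, fqdn: str) -> bool:
    """example.com is superior to sub.example.com (a name is superior to itself)."""
    return candidate == fqdn or fqdn.endswith("." + candidate)


def file_dcv_allowed(san: str, file_host: str, issue_date: date) -> bool:
    """Decide whether a validation file served at file_host validates san.

    Old rule: any superior domain of the SAN may host the file, and a
    wildcard is validated at its base domain.
    New rule: wildcards cannot use file-based DCV, and every non-wildcard
    SAN must host the file itself (the table above, row by row).
    """
    san = san.lower().rstrip(".")
    file_host = file_host.lower().rstrip(".")
    wildcard = san.startswith("*.")
    if issue_date < FILE_DCV_CHANGE:
        base = san[2:] if wildcard else san
        return is_superior_domain(file_host, base)
    if wildcard:
        return False
    return file_host == san


def sans_needing_other_method(sans, file_hosts, issue_date: date):
    """SANs that none of the hosts serving a validation file can cover.

    Useful for spotting the 'free www.' SAN that silently loses coverage
    when only the base domain hosts the file after the change.
    """
    return [
        san for san in sans
        if not any(file_dcv_allowed(san, host, issue_date) for host in file_hosts)
    ]
```

Run `sans_needing_other_method(["example.com", "www.example.com"], ["example.com"], date(2021, 12, 1))` to see that the www SAN now needs its own file or a DNS/email method.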

The policy change is expected to take effect on November 16, 2021.

NOTE: This article previously stated that changes would go into effect on November 15, 2021. In order to ensure a smooth roll-out and additional code review, the changes were pushed by 24 hours.