DigiCert KnowledgeBase - Technical Support


End of life for WHOIS-based DCV methods

Solution ID : ALERT20
Last Modified : 12/07/2024

End of life for using WHOIS-based DCV methods

Important: This is a dynamic article. We will update it if new information becomes available. Save this page and periodically check back for the latest information.


On November 14, 2024, the CA/Browser Forum adopted Ballot SC-80v3: Sunset the Use of WHOIS to Identify Domain Contacts and Relying DCV Methods. To comply with industry changes mandated by the ballot, certificate authorities (CAs), such as DigiCert, must stop using WHOIS to identify domain contacts for email, fax, SMS, postal mail, and phone domain control validation (DCV) methods. Note that DigiCert only supports the email and phone WHOIS-based DCV methods.

Ballot SC-80v3 has two important dates:

  • On January 15, 2025, CAs must stop relying on domain contact information obtained using HTTPS web-based WHOIS lookups. DigiCert refers to this type of lookup as a manual WHOIS lookup. This change affects new WHOIS-based domain validations and existing domain validations within their reuse period.
    See DigiCert’s timeline for changes below.
  • On July 15, 2025, CAs must stop relying on WHOIS-based domain validations, including those obtained using the WHOIS protocol, querying IANA’s WHOIS server, and following referrals to the relevant WHOIS server. This change affects new WHOIS-based domain validations and existing domain validations within their reuse period.
    See DigiCert’s timeline for changes below.

This ballot does not affect all email DCV methods. You can still use the Email to DNS TXT contact and Constructed Email DCV methods if email is your preferred DCV method. However, DigiCert recommends using one of the non-email-based DCV methods as the CA/Browser Forum is likely to continue scrutinizing email DCV methods. See DigiCert-supported DCV methods below.

Background: WHOIS-based domain validation

Almost every domain has a public record that lists its owner's contact information. Certificate Authorities (CAs), such as DigiCert, use this information to contact the domain owner to obtain permission to issue certificates for that domain. WHOIS-based domain validation is the most common way to validate domains for public certificate issuance; however, it has become unreliable, and industry standards require CAs to use more stringent domain validation methods.

While other methods may require more work and knowledge, such as modifying a DNS record, setting up an admin email address, or placing an HTTP file on your server, these methods provide better security and trust for you and your customers. To learn more about these other methods, see DigiCert-supported DCV methods below.

DigiCert’s timeline for changes

DigiCert's timeline ensures we update our domain control validation process to remove support for the WHOIS-based DCV methods and stop reusing existing WHOIS-based domain validations before the timelines specified in Ballot SC-80v3.

The changes below affect all DigiCert domain validations, including the following certificate types: TLS, Verified Mark and Common Mark, Secure Email (S/MIME), DirectAssured, and DirectTrust.

January 8, 2025: End of life for HTTPS web-based WHOIS lookups and reuse of web-based WHOIS domain validations

On January 8, 2025, DigiCert will stop:

  • Using HTTPS web-based WHOIS lookups
    Starting January 8, 2025, DigiCert will stop using HTTPS web-based WHOIS lookups to obtain domain contact information for domain control validation.

    Background
    For the WHOIS-based DCV methods, DigiCert uses the WHOIS protocol and queries IANA’s WHOIS server, following the referrals to the relevant WHOIS server to obtain domain contact information. Sometimes, the query fails to return any results, for example, due to WHOIS lookup rate limits. When this happens, a DigiCert agent may perform an HTTPS web-based WHOIS lookup to find domain contact information so that the domain validation can proceed.
    Starting January 8, 2025, DigiCert validation agents can no longer perform manual HTTPS web-based WHOIS lookups when the WHOIS protocol fails to retrieve a domain’s contact information, causing WHOIS-based DCV methods to become less reliable.

  • Reusing existing domain validations where DigiCert used an HTTPS web-based lookup to obtain a domain’s contact information
    On January 8, 2025, DigiCert will stop reusing any existing domain validations where we used an HTTPS web-based lookup to collect domain contact information, regardless of whether the previously obtained information is within the allowed 397-day reuse period.


How does this affect me?

If you are using the WHOIS-based Email or Phone DCV methods to validate your domains, you may be affected by this change. If DigiCert’s automated WHOIS lookup has ever failed to retrieve your desired email address, you are probably impacted. Plan to use a different validation method or email address source during your next certificate request. If you rely on instant issuance of your certificates, please revalidate your domains in advance.

DigiCert recommends moving to a different DCV method or email address source as soon as possible. See DigiCert-supported DCV methods and domain validation processes below.

May 8, 2025: End of life for new WHOIS-based domain validations, regardless of WHOIS lookup method

On May 8, 2025, DigiCert will no longer support WHOIS-based DCV email and phone methods. DigiCert systems will stop querying WHOIS entirely for domain validations.

How does this affect me?

If using WHOIS-based Email or Phone DCV methods, you must start using a different DCV method or set up a DNS TXT Email Contact or a Constructed Email address if you want to continue to use DCV email. See DigiCert-supported DCV methods and domain validation processes below.

July 8, 2025: End of life for reusing existing WHOIS-based domain validations

On July 8, 2025, DigiCert will stop reusing existing WHOIS-based domain validations, regardless of whether previously obtained information is within the allowed 397-day reuse period and regardless of the WHOIS method.

How does this affect me?

If using WHOIS-based Email or Phone DCV methods, you must start using a different DCV method or set up a DNS TXT Email Contact or a Constructed Email address if you want to continue to use DCV email. If you rely on instant issuance of your certificates, please revalidate your domains in advance. See DigiCert-supported DCV methods and domain validation processes below.
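To audit an inventory of existing domain validations against the three DigiCert dates above, the following added example (not DigiCert code) combines the 397-day reuse period with the January 8, May 8 and July 8, 2025 cutoffs. It assumes a validation is reusable only on days strictly before the relevant cutoff and strictly before validated_on + 397 days; the page does not state the exact boundary days, and the inventory records are constructed.

```python
"""Reuse-window calculator for the DigiCert WHOIS sunset timeline.

Added example, not DigiCert's own tooling. The dates and the 397-day reuse
period come from the article. Assumed boundary rule (not stated on the page):
a validation is reusable on a day strictly before the relevant cutoff and
strictly before validated_on + 397 days.
"""
from datetime import date, timedelta
from typing import Dict, List

REUSE_PERIOD = timedelta(days=397)

# DigiCert dates from the article.
WEB_WHOIS_REUSE_CUTOFF = date(2025, 1, 8)   # stop reusing validations from HTTPS web-based WHOIS lookups
NEW_WHOIS_DCV_CUTOFF = date(2025, 5, 8)     # stop accepting new WHOIS-based email/phone DCV
ALL_WHOIS_REUSE_CUTOFF = date(2025, 7, 8)   # stop reusing any WHOIS-based validation

# How the domain contact was obtained for an existing validation.
LOOKUP_TYPES = ("whois-web", "whois-protocol", "non-whois")


def reuse_ends_on(validated_on: date, lookup_type: str) -> date:
    """First day on which an existing validation can no longer be reused."""
    if lookup_type not in LOOKUP_TYPES:
        raise ValueError(f"unknown lookup type: {lookup_type}")
    natural_end = validated_on + REUSE_PERIOD
    if lookup_type == "whois-web":
        return min(natural_end, WEB_WHOIS_REUSE_CUTOFF)
    if lookup_type == "whois-protocol":
        return min(natural_end, ALL_WHOIS_REUSE_CUTOFF)
    return natural_end


def is_reusable(validated_on: date, lookup_type: str, on_day: date) -> bool:
    """True if DigiCert could still reuse this validation on the given day."""
    return validated_on <= on_day < reuse_ends_on(validated_on, lookup_type)


def new_whois_dcv_allowed(on_day: date) -> bool:
    """Can a new WHOIS-based email/phone validation still be started on this day?"""
    return on_day < NEW_WHOIS_DCV_CUTOFF


def audit(validations: List[Dict], today: date) -> List[Dict]:
    """Annotate each validation with its reuse end date and the action to take."""
    rows = []
    for v in validations:
        ends = reuse_ends_on(v["validated_on"], v["lookup_type"])
        whois_based = v["lookup_type"] != "non-whois"
        rows.append({
            "domain": v["domain"],
            "reuse_ends_on": ends,
            "reusable_today": is_reusable(v["validated_on"], v["lookup_type"], today),
            "action": ("revalidate with a non-WHOIS DCV method before reuse ends"
                       if whois_based else "revalidate with any DCV method when reuse ends"),
        })
    return rows


# Constructed sample inventory (placeholder domains, not real validation records).
SAMPLE_INVENTORY = [
    {"domain": "example.com", "validated_on": date(2024, 3, 1), "lookup_type": "whois-web"},
    {"domain": "example.net", "validated_on": date(2024, 9, 1), "lookup_type": "whois-protocol"},
    {"domain": "example.org", "validated_on": date(2024, 9, 1), "lookup_type": "non-whois"},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY, date(2025, 6, 1)):
        print(row)
```

A validation obtained through the WHOIS protocol on September 1, 2024 would naturally be reusable into October 2025, but the calculator caps it at July 8, 2025; the same record obtained through a web-based lookup is capped at January 8, 2025.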

DigiCert-supported DCV methods and domain validation processes

DigiCert-supported domain validation process

  • Demonstrate control over domains on certificate orders
    When ordering a certificate, you select a DCV method to demonstrate control over the domains on the order. On the certificate's Order details page, use the DCV method selected during the order process to complete the domain validation. You can always switch validation methods if needed.
  • Complete domain validation before ordering a certificate
    DigiCert features a domain prevalidation process that allows you to validate your domains before ordering certificates. Completing the domain validation ahead of time allows for quicker certificate issuance.

DigiCert-supported DCV Methods

  • DNS TXT Record (DNS Change)
    Go to your DNS provider and create a TXT record. Add a DigiCert-generated random value to the domain's TXT record.
    Note: DigiCert recommends using this DCV method as this method is less vulnerable to future industry changes.

  • Email
    • Email to DNS TXT contact
      For the email to DNS TXT contact DCV method, DigiCert sends an authorization email to the email addresses found in the DNS TXT record on the _validation-contactemail subdomain of the domain you are demonstrating control over.
    • Constructed Email
      For the Constructed Email DCV method, DigiCert sends the authorization email to five constructed email addresses for the domain: admin, administrator, webmaster, hostmaster, and postmaster@[domain_name].
  • DNS CNAME Record
    Go to your DNS provider and create a CNAME record. In the hostname field, enter _dnsauth. Then, add [random_value].dcv.digicert.com in the target host field to point the CNAME record to dcv.digicert.com.

  • HTTP Practical Demonstration
    Host a file containing a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/fileauth.txt
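Before submitting an order, it is worth checking that the DNS records or HTTP file you set up for the chosen DCV method actually match what DigiCert will look for. The added example below (not DigiCert's own tooling) encodes the record names, CNAME target format, constructed email local parts and HTTP path from the list above. The lookup functions are injected so the check runs offline here against constructed records; in practice you would wire them to a real DNS resolver and HTTP client. The random value is a constructed placeholder, not a real DigiCert token.

```python
"""Offline self-check for the DigiCert DCV methods described above.

Added example, not DigiCert code. Record names, CNAME target format and
the HTTP path come from the article; resolver and HTTP fetch are injected
callables so the check can run against constructed records.
"""
from typing import Callable, Dict, List, Optional

TxtLookup = Callable[[str], List[str]]         # DNS name -> TXT strings
CnameLookup = Callable[[str], Optional[str]]   # DNS name -> CNAME target or None
HttpFetch = Callable[[str], Optional[str]]     # URL -> response body or None

# Local parts DigiCert mails for the Constructed Email method (from the article).
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")


def constructed_emails(domain: str) -> List[str]:
    """Addresses that must be deliverable for the Constructed Email method."""
    return [f"{local}@{domain}" for local in CONSTRUCTED_LOCAL_PARTS]


def dns_txt_contact_emails(domain: str, txt_lookup: TxtLookup) -> List[str]:
    """Email to DNS TXT contact: addresses are read from the _validation-contactemail subdomain."""
    found = []
    for record in txt_lookup(f"_validation-contactemail.{domain}"):
        candidate = record.strip()
        # Minimal shape check: exactly one '@' with non-empty local and host parts.
        local, sep, host = candidate.partition("@")
        if sep and local and host and "@" not in host:
            found.append(candidate)
    return found


def check_dns_txt(domain: str, random_value: str, txt_lookup: TxtLookup) -> bool:
    """DNS TXT Record method: the random value must be present in a TXT record on the domain."""
    return any(record.strip() == random_value for record in txt_lookup(domain))


def check_dns_cname(domain: str, random_value: str, cname_lookup: CnameLookup) -> bool:
    """DNS CNAME method: _dnsauth.<domain> must point to <random_value>.dcv.digicert.com."""
    target = cname_lookup(f"_dnsauth.{domain}")
    if target is None:
        return False
    expected = f"{random_value}.dcv.digicert.com"
    # Resolvers often return a fully qualified name with a trailing dot; DNS names are case-insensitive.
    return target.rstrip(".").lower() == expected.lower()


def check_http(domain: str, random_value: str, fetch: HttpFetch) -> bool:
    """HTTP Practical Demonstration: the random value must be served at the well-known path."""
    body = fetch(f"http://{domain}/.well-known/pki-validation/fileauth.txt")
    return body is not None and body.strip() == random_value


def dcv_report(domain: str, random_value: str, txt_lookup: TxtLookup,
               cname_lookup: CnameLookup, fetch: HttpFetch) -> Dict[str, object]:
    """Run every check once so you can see which methods are ready before submitting the order."""
    return {
        "dns_txt": check_dns_txt(domain, random_value, txt_lookup),
        "dns_cname": check_dns_cname(domain, random_value, cname_lookup),
        "http": check_http(domain, random_value, fetch),
        "dns_txt_contact_emails": dns_txt_contact_emails(domain, txt_lookup),
        "constructed_emails": constructed_emails(domain),
    }


# Constructed sample records standing in for a real resolver and web server.
SAMPLE_VALUE = "dcv-placeholder-1234567890"   # constructed, not a real DigiCert random value
SAMPLE_TXT = {
    "example.com": ["v=spf1 -all", SAMPLE_VALUE],
    "_validation-contactemail.example.com": ["pki-team@example.com"],
}
SAMPLE_CNAME = {"_dnsauth.example.com": f"{SAMPLE_VALUE}.dcv.digicert.com."}
SAMPLE_HTTP = {"http://example.com/.well-known/pki-validation/fileauth.txt": SAMPLE_VALUE + "\n"}


def sample_txt_lookup(name: str) -> List[str]:
    return SAMPLE_TXT.get(name, [])


def sample_cname_lookup(name: str) -> Optional[str]:
    return SAMPLE_CNAME.get(name)


def sample_fetch(url: str) -> Optional[str]:
    return SAMPLE_HTTP.get(url)


if __name__ == "__main__":
    report = dcv_report("example.com", SAMPLE_VALUE, sample_txt_lookup, sample_cname_lookup, sample_fetch)
    for method, result in report.items():
        print(f"{method:24} {result}")
```

The CNAME check strips the trailing dot and compares case-insensitively because resolvers return fully qualified names; the HTTP check strips surrounding whitespace because a trailing newline in the hosted file is common and harmless.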


Need help?

If you have questions or concerns about this ballot prohibiting the use of WHOIS for identifying domain contacts, please contact your account manager or DigiCert Support immediately (Contact DigiCert).