All commercial Certificate Authorities require Domain Control Validation (DCV) before issuing an SSL certificate. Up until now, you could choose one of three methods to confirm domain ownership. But starting from November 15, you will no longer be able to use the HTTP/HTTPS hashing method for validating Wildcard domains. You’re left with two options:
- Email-based validation
- DNS-Based validation (CNAME Validation)
Before looking at why the CAs decided to remove file-based validation for Wildcard certificates, let’s quickly review each method.
Email-based validation
This is the easiest and most popular method to validate your domain name. All you have to do is respond to an email sent by the CA to the address listed on the domain’s WHOIS record. Here’s a list of pre-approved email addresses that can be used to prove domain ownership.
DNS-based validation (CNAME validation)
With this method, you create a unique CNAME record in your domain’s DNS (Domain Name System) zone. For instance, if you order an SSL cert from Sectigo, they will ask you to create a CNAME record that points back to the Sectigo website.
CAs and browsers are always looking to improve the SSL issuance process and make it more robust. After reducing the maximum SSL certificate validity to just one year in a previous change, their latest ballot disallows file-based validation for Wildcard domains and subdomains.
Ballot SC45, which was passed unanimously by the CA/Browser Forum, affects the file-based DCV method in the following ways:
- Starting in November, you won’t be able to perform file-based authentication for wildcard certificates. Instead, you’ll need to use email-based or DNS authentication.
- In non-wildcard certificates, domain validation will be required for every FQDN/SAN individually.
- These policy changes affect all public TLS/SSL certificates.
CA/B Forum ballot SC45 goes into effect on December 1, 2021, but DigiCert and Sectigo, the leading CAs, announced that they are implementing the changes starting November 15.
This means that any Wildcard certificates issued before November 14 can still be validated with the file-based method. From November 15 onwards, however, it will no longer be available for them.
Why the file-based DCV method poses security risks
According to the CA/B Forum, the file-based domain validation method isn’t sufficient to prove control of the entire namespace of an FQDN (fully qualified domain name), including all the domains and subdomains that exist within that namespace.
For example, you may have control over yourdomain.com, but *.yourdomain.com could be hosted on another server to which you don’t have access. Theoretically, a phisher or hacker could validate such a domain and use it for cyber-attacks.
If you’ve been using the file-based DCV method to obtain Wildcard certs, you’ll need to switch to one of the other two options: email-based or CNAME-based validation. HTTP validation will no longer apply to wildcard names such as *.yourdomain.com. It can still be used for non-wildcard SANs such as yourdomain.com and blog.yourdomain.com, but in that case you’ll have to complete file-based validation for each SAN domain separately.
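To make the SC45 rules above concrete, here is an added example (not code from the original article or from any CA) that plans the DCV steps for a certificate order and checks which requested names a completed validation actually covers. The method names, the `Step` helper and the placeholder targets are constructed for this example; the `/.well-known/pki-validation/` path is the Baseline Requirements file location, which the article itself does not mention.

```python
# Added example: SC45 DCV planner (assumptions are noted in comments).
from dataclasses import dataclass

WILDCARD = "*."
METHODS_ALL = ("dns-cname", "email", "http-file")
METHODS_WILDCARD = ("dns-cname", "email")  # SC45: no file-based DCV for wildcards

@dataclass(frozen=True)
class Step:
    san: str     # name exactly as requested in the order
    method: str  # DCV method the CA will accept for this SAN
    target: str  # where the proof is placed or sent

def base_domain(san: str) -> str:
    """Strip a leading wildcard label: '*.example.com' -> 'example.com'."""
    san = san.lower().rstrip(".")
    return san[len(WILDCARD):] if san.startswith(WILDCARD) else san

def allowed_methods(san: str) -> tuple:
    """Methods permitted for one SAN: wildcards lose the file-based option."""
    return METHODS_WILDCARD if san.lower().startswith(WILDCARD) else METHODS_ALL

def covers(method: str, validated: str, requested: str) -> bool:
    """Does a completed validation of `validated` satisfy `requested`?
    DNS/email proof of a base domain covers its whole namespace (wildcards
    and subdomains); an HTTP file proves control of exactly that one FQDN."""
    v, r = base_domain(validated), base_domain(requested)
    if method == "http-file":
        return v == r and not requested.lower().startswith(WILDCARD)
    return r == v or r.endswith("." + v)

def plan_validation(sans, preferred: str = "http-file") -> list:
    """One step per SAN, falling back when the preferred method is not
    allowed. Proof is never inherited from a parent or sibling SAN (SC45)."""
    steps = []
    for san in sans:
        methods = allowed_methods(san)
        method = preferred if preferred in methods else methods[0]
        dom = base_domain(san)
        # Targets are placeholders; /.well-known/pki-validation/ is the
        # Baseline Requirements file path, not something this article states.
        target = {
            "http-file": f"http://{dom}/.well-known/pki-validation/<CA-token>.txt",
            "dns-cname": f"<CA-token>.{dom} CNAME <CA-target>",
            "email": f"<approved-contact>@{dom}",
        }[method]
        steps.append(Step(san, method, target))
    return steps
```

Running `plan_validation(["yourdomain.com", "*.yourdomain.com", "blog.yourdomain.com"])` yields an HTTP step for each non-wildcard SAN and a CNAME step for the wildcard, while `covers("http-file", "yourdomain.com", "*.yourdomain.com")` is False, which is exactly the gap the ballot closes.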