Beginning August 1, 2018, all Certification Authorities (CAs) will be required to modify domain ownership validation methods in order to comply with Ballot 218 and baseline requirements of the CA/Browser Forum (CA/B Forum). CAs will no longer be permitted to use validation methods 1 and 5:
- Method 1 was based on comparing the contact details of the applicant and the domain owner (with WHOIS lookups, for example).
- Method 5 allowed legal opinion letters to be used to determine ownership of domain names.
(See more details in sections 3.2.2.4.1 and 3.2.2.4.5 of the CA/B Forum Baseline Requirements.)
Which certificates will be affected?
- DV, OV and EV certificates issued on or after August 1, 2018 will need to comply with the new validation method requirements.
- Any certificates for which your domains were validated using the “manual method” within your mPKI (Symantec, DigiCert, Comodo and Entrust).
Which certificates will not be affected?
- Existing DV, OV and EV certificates (issued before August 1, 2018) will not be affected unless they need to be re-issued.
Why are these changes being made?
The CA/B Forum has decided that validation methods 1 and 5 do not sufficiently meet the objectives of validating the ownership or control of a domain prior to issuing an SSL certificate.
“Since these two validation methods do not meet the objectives of section 3.2.2.4, and are actively being used to avoid validating domain control or ownership, they should be removed, and the other methods that do validate domain control or ownership should be used.”
– CA/Browser Forum
Which validation methods will be accepted from August 2018?
- Approval Email Authentication: An email will be sent to multiple email address aliases associated with the domain (e.g. admin@, administrator@, hostmaster@, webmaster@, postmaster@) to validate that you are authorised to issue certificates for that domain.
- DNS Record (TXT or CNAME record): The CA will send you a specific value that you must publish in your domain's DNS records. The CA will then scan for this value to validate the domain.
- HTTP/Web Server Authentication: The CA will send you specific code for an HTML page that must be located in a particular directory (/.well-known/pki-validation) of your website. The CA will then scan for this code to validate the domain.
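A pre-flight check a domain administrator could run before asking the CA to scan, covering the three methods listed above. This is an added example, not tooling from SSL247 or any CA; the token, the file name and the rule that a redirect off the host or directory counts as a failure are assumptions of this sketch.

```python
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import urlopen

WELL_KNOWN_DIR = "/.well-known/pki-validation/"  # directory named in the text
ALIASES = ("admin", "administrator", "hostmaster", "webmaster", "postmaster")

def approval_addresses(domain):
    """Mailboxes the approval email may be sent to; confirm they are monitored."""
    return [f"{alias}@{domain.lower()}" for alias in ALIASES]

def check_dns_txt(txt_records, token):
    """True if any TXT record, as printed by `dig +short TXT`, carries the token."""
    for record in txt_records:
        # dig quotes TXT data and splits long values into several "chunks"
        value = record.strip().replace('" "', "").strip('"')
        if token in value:
            return True
    return False

def live_fetch(url):
    """Plain GET; returns (status, final URL after redirects, body bytes)."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.status, resp.geturl(), resp.read()
    except HTTPError as err:
        return err.code, err.url, err.read()

def check_http(domain, filename, token, fetch=live_fetch):
    """Return a list of problems; an empty list means the file looks ready."""
    url = f"http://{domain.lower()}{WELL_KNOWN_DIR}{filename}"
    status, final_url, body = fetch(url)
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}")
    final = urlsplit(final_url)
    # Assumption: treat a redirect off the host or directory as a failure.
    if final.hostname != domain.lower() or not final.path.startswith(WELL_KNOWN_DIR):
        problems.append(f"redirected to {final_url}")
    if token not in body.decode("utf-8-sig", errors="replace"):
        problems.append("token not found in response body")
    return problems

if __name__ == "__main__":
    # Constructed sample: a "soft 404" that answers 200 from the home page.
    soft_404 = lambda url: (200, "http://example.com/", b"<html>Not found</html>")
    print(check_dns_txt(['"v=spf1 -all"', '"CONSTRUCTED-" "TOKEN-123"'], "CONSTRUCTED-TOKEN-123"))
    print(check_http("example.com", "constructed-token.html", "CONSTRUCTED-TOKEN-123", soft_404))
```

The soft-404 case is the one worth checking by hand: a catch-all page that returns status 200 looks healthy in a browser but does not contain the validation value.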
The SSL247® Team are in contact with our CA partners regarding these changes and will always ensure that you are provided with the correct information regarding your orders and domain validation processes.