Important Changes to Domain Ownership Validation for all Certification Authorities

Beginning August 1, 2018, all Certification Authorities (CAs) will be required to modify domain ownership validation methods in order to comply with Ballot 218 and baseline requirements of the CA/Browser Forum (CA/B Forum).

CAs will no longer be permitted to use validation methods 1 and 5:
  • Method 1 was based on comparing the contact details of the applicant and the domain owner (with WHOIS lookups, for example).
  • Method 5 allowed legal opinion letters to be used to determine ownership of domain names.

(See more details in sections 3.2.2.4.1 and 3.2.2.4.5 of the CA/B Forum Baseline Requirements).


Which certificates will be affected?
  • DV, OV and EV certificates issued on or after August 1, 2018 will need to comply with the new validation method requirements.
  • Any certificates for which your domains were validated using the “manual method” within your mPKI (Symantec, DigiCert, Comodo and Entrust).

Which certificates will not be affected?
  • Existing DV, OV and EV certificates (issued before August 1, 2018) will not be affected unless they need to be re-issued.

Why are these changes being made?

The CA/B Forum has decided that validation methods 1 and 5 do not sufficiently meet the objectives of validating the ownership or control of a domain prior to issuing an SSL certificate.

“Purpose of Ballot 218: Section 3.2.2.4 says that it “defines the permitted processes and procedures for validating the Applicant’s ownership or control of the domain.” Most of the validation methods actually do validate ownership and control, but two do not, and can be completed solely based on an applicant’s own assertions.

Since these two validation methods do not meet the objectives of section 3.2.2.4, and are actively being used to avoid validating domain control or ownership, they should be removed, and the other methods that do validate domain control or ownership should be used.”


CA/Browser Forum

Which validation methods will be accepted from August 2018?
  • Approval Email Authentication: An email will be sent to multiple email address aliases associated with the domain (e.g. admin@, administrator@, hostmaster@, webmaster@, postmaster@) to validate that you are authorised to issue certificates for that domain.

  • DNS Record (TXT or CNAME record): The CA will send you a specific value that you must publish in your domain's DNS records. The CA will then scan for this value to validate the domain.

  • HTTP/Web Server Authentication: The CA will send you specific code for an HTML page that must be located in a particular directory (/.well-known/pki-validation) of your website. The CA will then scan for this code to validate the domain.
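
Before asking the CA to scan, you can confirm that the value is actually published. The following is an added example, not SSL247 or CA code: it checks TXT record data (as printed by dig) and the file under /.well-known/pki-validation for a CA-supplied value. The token, the file name and the rule that a redirect to another host counts as a failure are assumptions; use the values and rules your CA gives you.

```python
# Added example: pre-flight checks for the DNS and HTTP methods.
# Token, file name and the "no cross-host redirect" rule are assumptions.
import shlex
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN_DIR = "/.well-known/pki-validation/"  # directory named in the article


def txt_record_has_token(raw_txt_records, token):
    """raw_txt_records: TXT rdata as printed by dig, e.g. '"part1" "part2"'."""
    for raw in raw_txt_records:
        # A long TXT value is split into quoted chunks; join them before comparing.
        value = "".join(shlex.split(raw)).strip()
        if value == token:
            return True
    return False


def fetch(url):
    """Default fetcher: returns (status, final_url, first bytes of the body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.url, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.url, b""


def http_file_problems(domain, filename, token, fetcher=fetch):
    """Return the reasons the HTTP check would fail (empty list = ready)."""
    url = "http://" + domain + WELL_KNOWN_DIR + filename
    status, final_url, body = fetcher(url)
    problems = []
    if status != 200:
        problems.append("status %d instead of 200" % status)
    if (urlsplit(final_url).hostname or "").lower() != domain.lower():
        problems.append("redirected to another host: " + final_url)
    # Drop a UTF-8 BOM and surrounding whitespace that editors often add.
    text = body.decode("utf-8-sig", errors="replace")
    if token not in [line.strip() for line in text.splitlines()]:
        problems.append("token not found as a line of the file")
    return problems
```

The `fetcher` parameter lets the HTTP check run against a captured response; with the default it requests the live URL.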





The SSL247® Team are in contact with our CA partners regarding these changes and will always ensure that you are provided with the correct information regarding your orders and domain validation processes.


For more information, contact us at the details below:

+1 855 207 2255
sales@ssl247.com

Posted on Thursday 26 July 2018 by Julien Goraguer
