The CA/B Forum voted to clarify the rules for encoding domain names and IP addresses in certificates to eliminate inaccuracies. Ballot SC48v2 was adopted on July 22, 2021, clarifying the use of underscore and wildcard characters in the FQDN to be validated. The ballot came into effect on October 1, 2021.
Major changes related to Ballot SC48v2:
The entry MUST contain either an FQDN or a Wildcard Domain Name that the CA has validated in accordance with CA/B Forum Baseline Requirements section 3.2.2.4. FQDNs and the FQDN portion of Wildcard Domain Names must comply with RFC 5280 section 4.2.1.6, with the following exception:
CAs may only include Domain Labels that have hyphens as the third and fourth characters if the first character is "x" or "X", the second character is "n" or "N", and the fifth and later characters form a valid Punycode string (that is, the label is an A-label of the form "xn--...").
Additionally, Wildcard Domain Names will be validated only if they are consistent with CA/B Forum Baseline Requirements section 3.2.2.6.
Domains that do not meet these requirements will not be able to receive publicly trusted SSL certificates.
Sites or systems using such domains that require SSL certificates must be migrated to new, compliant domains before certificates can be issued. There is no workaround that allows existing non-compliant domains to continue to be used.
What is Punycode?
Punycode is a way of representing Unicode text using the limited ASCII character subset permitted in Internet hostnames. Using Punycode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphens, known as the Letter-Digit-Hyphen (LDH) subset.
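The following pre-issuance check, added here as an illustration and not part of the ballot or of any CA's code, applies the SC48v2 rules above to a single dNSName SAN entry: LDH-only labels (so underscores are rejected), hyphens in positions three and four only for "xn--" labels whose remainder decodes as Punycode, and a wildcard only as the entire leftmost label. The label-length limits and the decode-based Punycode check are this example's own choices.

```python
import re

# Preferred-name syntax (RFC 5280 4.2.1.6 via RFC 1034): letters, digits and
# hyphens only, with no leading or trailing hyphen. Underscores never match.
LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def label_ok(label: str) -> bool:
    """Return True if one DNS label satisfies the SC48v2 encoding rules."""
    # 63-octet label limit is assumed from DNS, not stated in the ballot text.
    if not (1 <= len(label) <= 63) or not LDH_LABEL.match(label):
        return False
    if len(label) >= 4 and label[2] == "-" and label[3] == "-":
        # Hyphens in positions 3 and 4 are only allowed for A-labels:
        # "xn"/"XN" prefix and a decodable Punycode remainder.
        if label[:2].lower() != "xn":
            return False
        try:
            label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return False
    return True


def san_entry_ok(name: str) -> bool:
    """Check a dNSName entry: an FQDN, or a Wildcard Domain Name whose
    leftmost label is exactly '*' followed by a validated FQDN."""
    # 253-octet name limit is assumed from DNS, not stated in the ballot text.
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
        if not labels:          # a bare "*" is not a Wildcard Domain Name
            return False
    # Any other "*" (e.g. "foo.*.example.com" or "f*.example.com") fails LDH.
    return all(label_ok(label) for label in labels)


if __name__ == "__main__":
    # Constructed sample entries, as a CA linter would see them in a CSR.
    for entry in ["www.example.com", "*.example.com", "_acme.example.com",
                  "ab--cd.example.com", "xn--mnchen-3ya.example.com"]:
        print(f"{entry:32} {'OK' if san_entry_ok(entry) else 'REJECT'}")
```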