The CA/B Forum voted to clarify the rules for encoding domain names and IP addresses to eliminate inaccuracies. Ballot SC48v2 was adopted July 22, 2021 providing clarification on the usage of Underscore and Wildcard Characters in the FQDN to be validated. The ballot came in to effect on October 1st, 2021.

Major changes related to Ballot SC48v2:

• Avoiding U-labels in Common Name (CN) [U-label is the Unicode representation of an internationalized domain name]
• All XN labels must contain valid Punycode*
• Rejection of reserved LDH* labels that are not XN labels

The entry MUST contain either a FQDN or Wildcard Domain Name that the CA has validated in accordance with CA/B Forum Baseline Requirements section 3.2.2.4. FQDNs and the FQDN portion of Wildcard DNs must comply with RFC 5280 section 4.2.1.6 with the following exception:

• underscore characters (“_”) are allowed in Domain Labels such that replacing all underscore characters with hyphen characters (“-“) would result in a valid Domain Label.

CAs can only include Domain Labels which have hyphens as the third and fourth characters if the first character is “x” or “X”, the second character is “n” or “N”, and the fifth and later characters are a valid Punycode string.

Additionally, all Wildcard DNs will be validated only if they are consistent with CA/B Forum Baseline Requirements section 3.2.2.6.

Domains that do not fit within these requirements will not be able to receive public-trust SSL certificates.
Sites or systems using these domains that require SSL certificates will require migration to new, compliant domains before certificate issuance can occur. There is no workaround to use existing non-compliant domains.

*What is Punycode?
Punycode is a representation of Unicode with the limited ASCII character subset used for Internet hostnames. Using Punycode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphens, which is called the Letter-Digit-Hyphen (LDH) subset