As a longstanding practice, Sectigo has included a SAN field for the base domain name (e.g. yourdomain.com) for any customer ordering a single-domain certificate for a Full Qualified Domain Name (FQDN) beginning with a www subdomain (www.yourdomain.com, in the above example). This is for our customers’ convenience, reflecting the common practice of providing the same “home page” content on both these domain names.
It has come to our attention that – due to a software error – Sectigo has included base domain names in some single-domain certificates for which Domain Control Validation (DCV) was performed by sending email to the www subdomain for example, [email protected] This verified control of the www subdomain, but not the base domain. Certificates issued this way are in violation of CA/Browser Forum Baseline Requirements (BR) as email validation for a subdomain is insufficient to prove control of the base domain name as well.
As a consequence, these certificates require revocation and replacement with new certificates that no longer contain the base domain in a SAN field. Because these certificates are noncompliant with DCV guidelines, the BR requires 24-hour revocation. Affected Subscribers have been notified.
EV and OV Subscribers seeking to expedite reissuance should be sure to keep all organization information identical to the original certificate. If you wish to use the same certificate to serve content for both a www subdomain and an base domain, contact Sectigo customer service to select a different DCV method that support the use of both these FQDNs.