FAQ: Domain Control Validation (DCV) using file-based validation policy change

Domain Control Validation – Change of process

What is Domain Control Validation?
Domain Control Validation, or DCV, is used by the Certificate Authority before issuing an SSL/TLS certificate to verify the person making the request is in fact authorized to use the domain related to that request.

What is file-based domain validation?
File-based validation is one available method for DCV. It requires the certificate requester to upload a file containing a unique identifier to the domain where it can be queried by the CA. Providing this identifier on the requested domain demonstrates that the certificate requester has control over this domain.

Why is the process changing?
The CA Browser (CA/B) Forum, an affiliation of industry members that manages certificate rules and procedures, has determined that file-based validation, used too broadly, creates the risk that actors could obtain certificates for sub-domains they don’t legitimately control. Therefore, the CA/Browser Forum has passed a ballot disallowing file-based DCV for wildcard certificates and will require that each FQDN in a multidomain certificate be verified individually.

What kinds of certificates does this apply to?
The new rules apply to all public wildcard and multi-domain SSL certificates, be they DV, OV, or EV.

When does this take effect?
The CA/Browser Forum has set a deadline for implementation of December 1, 2021.

When will Sectigo implement this change?
Sectigo will implement this policy change on the revised date of the beginning of November 22nd 2021.

Due to a number of requests from Sectigo customers asking for additional time to support the CA Browser Forum’s new file-based DCV process requirements, Sectigo has revised its implementation date to November 22nd 2021. This will help prevent Sectigo customers from experiencing unnecessary delays in procuring new certificates. This update will still be in advance of the December 1st 2021 CA Browser Forum requirement.

Please visit sectigo.com/DCVChange to find out more.

Should I renew all my certificates now to avoid this new process?
There is no reason to pre-emptively renew certificates. If you are using wildcard or multidomain certificates and have used file-based validation in the past, you may need to use a different technique such as DNS CNAME record.

Are my existing certificates impacted?
Active certificates issued prior to the deadline are not impacted in any way, regardless of the DCV method used.

What about domains normally included for free?
In some situations, Sectigo provides a free additional domain in conjunction with a certificate for a single domain. For example. If the user requests webmail.domain.com, they may also get a certificate for www.domain.com. The change to DCV will now require both domains to be validated independently.

Additional Information:
Alternative Methods of Domain Control Validation Detailed Overview (DCV)
Domain Control Validation (DCV) using file-based validation policy change