The End of File-Based Validation for Wildcard Certificates
File-based validation for Wildcard SSL certificates is changing.
The process may be a little different the next time you purchase or renew a Wildcard certificate. Starting November 15, 2021, the certificate authorities that issue SSL certificates will no longer accept file-based Domain Control Validation (DCV) for Wildcard certificates. So if you’re used to proving control of a domain by uploading a file to your server, you’ll have to use email-based or DNS-based DCV next time.
You can still use file-based validation for non-wildcard certificates, but there’s a catch.
File-based validation has also changed for multi-domain certificates. Previously, file-based validation at the base domain (or a parent domain) would also validate the subdomains and wildcard domains beneath it. This rule still holds for email-based and DNS-based validation; however, it no longer applies to file-based validation. You can still use file-based validation for multi-domain certificates, but you must validate every fully qualified domain name (FQDN) or subject alternative name (SAN) domain individually.
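To make the rule concrete, here is an added example (not from the original post) that takes a certificate’s SAN list and returns the names that must each be validated under a given DCV method. It assumes the registrable base domain is the last two DNS labels, which is a simplification; real certificate authorities use the Public Suffix List.

```python
# Added example: which names need their own domain control validation (DCV)
# under the rule described above.
#   file  -> every FQDN individually; wildcard names cannot be validated at all
#   dns / email -> validating the base (or parent) domain covers its subdomains
#                  and wildcards, so only one proof per base domain is needed
# ASSUMPTION: the base domain is approximated as the last two DNS labels.
from typing import Iterable


def base_domain(name: str) -> str:
    """Return the approximate registrable domain for a SAN entry."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    return ".".join(labels[-2:])


def required_validations(sans: Iterable[str], method: str) -> list[str]:
    """Return the sorted list of names that must each be validated."""
    names = [s.lower().rstrip(".") for s in sans]
    if method == "file":
        wildcards = [s for s in names if s.startswith("*.")]
        if wildcards:
            raise ValueError(f"file-based DCV cannot cover wildcard names: {wildcards}")
        # No inheritance from a parent domain any more: one proof per FQDN.
        return sorted(set(names))
    if method in ("dns", "email"):
        # A proof at the base domain still covers everything beneath it.
        return sorted({base_domain(s) for s in names})
    raise ValueError(f"unknown DCV method: {method}")


if __name__ == "__main__":
    # Constructed sample SAN list for a multi-domain certificate.
    sample = ["www.example.com", "example.com", "api.example.com", "shop.example.net"]
    print("file :", required_validations(sample, "file"))
    print("dns  :", required_validations(sample + ["*.example.com"], "dns"))
```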
Background on this decision.
This policy change was passed by a unanimous vote earlier this year at the CA/B Forum, the organization that creates guidelines and standards for certificate authorities. While the policy officially goes into effect on December 1, 2021, several certificate authorities decided to make the change sooner than required so they can work out any issues and be fully compliant by the official deadline.
Why did the policy change?
The CA/B Forum made this change after determining that file-based validation could potentially allow bad actors to obtain certificates for subdomains they don’t rightfully control. The change improves security for subdomains by requiring stronger proof that the requester controls a domain’s entire namespace before a certificate covering it is issued.
Plan ahead for your next Wildcard SSL certificate renewal.
You’ll start receiving reminder emails about renewing your existing SSL certificates when they’re 30 days from expiration. It’s fine to renew your certificates at that point: you won’t lose the time remaining on your existing certificate. Renewed certificates have 365 days added to the remaining time, plus any renewal bonus time given by the certificate authority. If you’ve been using file-based validation and will need an unfamiliar method this time around, we recommend getting started sooner rather than later.
If you have any questions about your current SSL certificates or need help with an installation, don’t hesitate to reach out to our support team!