Some upcoming changes to how SSL certificates are validated

Written by Ann  »  Updated on: July 07th, 2024


If you are considering acquiring an SSL certificate in the near future, or already have one that you still need to activate, you should be aware of planned changes to the way SSL certificates are validated and what they might mean for you. In the next several weeks, HTTP domain control validation (DCV) will operate differently for all types of SSL certificates. If your SSL certificate has already been issued, this won't have any effect on you.

In this article, we will explain what the changes are, why they are being implemented, and how they will impact you personally.


What Does DCV Mean?

In case you are not familiar with the term, DCV stands for Domain Control Validation. It is the process that Certificate Authorities (CAs) use to verify that you are the legal owner of the domain(s) you want to secure with an SSL certificate, or that you have control over those domains. All CAs require this verification step to be completed before they issue an SSL certificate.

DCV can be carried out in three distinct ways: email validation, DNS validation, and HTTP validation.

The HTTP Validation method is one of these approaches, and it requires the uploading of a particular file onto the server that manages your domain. This allows the CA to verify the file's existence before granting the SSL certificate.

However, the HTTP validation process will soon change. Wildcard SSL certificates can no longer be validated using this method. In addition, single-domain and multi-domain SSL certificates will need each SAN (also known as a domain seat) to be validated individually. Keep in mind that these changes only affect the HTTP validation method; the email and DNS validation methods will continue to work as before.


Why is This Happening?

The CA/Browser Forum, an organization that controls the rules and processes for SSL certificates, analysed the situation and concluded that HTTP validation makes it possible for malicious entities to obtain certificates for subdomains they do not legitimately control.


Are Reissues and Renewals of SSL Certificates Going to be Affected as a Result of These Changes?

Yes. These modifications apply to all newly issued, reissued, and renewed SSL certificates that use the HTTP DCV method.


When Can We Anticipate That These Modifications Will be Put into Effect?

On M2Host, the HTTP DCV option for Wildcard SSL certificates will be turned off on October 21, 2021, and will no longer be available for selection. Beginning on November 15, 2021, each SAN included in single-domain and multi-domain SSL certificates will be required to go through independent validation in order for HTTP validation to be successful.


What Kind of Impact Will These Modifications Have on Clients That Use M2Host SSL?

If you already have an SSL that has been provided to you, then there is nothing further that needs to be done on your end. If that is not the case, the following is what you need to do for each form of SSL:

Wildcard SSL certificate: If you have a Wildcard SSL certificate that is pending domain validation with the HTTP technique, you have until November 15, 2021, to finish DCV using this method. If you are unable to complete HTTP DCV by this date, you will be required to switch the DCV method to either email or DNS in order for the SSL certificate to be issued. If you follow this guide, you can change the DCV method.


Single-domain SSL certificate: If after November 15, your single-domain SSL certificate is still pending HTTP DCV, you will be required to make the validation file available at the main domain as well as the www subdomain. In the past, all that was required of you was to upload the validation file to the primary domain.

If you wanted to validate your single-domain SSL certificate for blog.example.com, for instance, the file would need to be accessible at the following URLs: http://blog.example.com/.well-known/pki-validation/file.txt and http://www.blog.example.com/.well-known/pki-validation/file.txt.


Multi-domain SSL certificate: After November 15, if your multi-domain SSL certificate's HTTP DCV still needs to be completed, you will be required to validate each SAN on an individual basis.

For instance, if you were to activate a multi-domain SSL certificate for example.com, www.example.com, and example.net, the file would need to be accessible at the following URLs:

http://example.com/.well-known/pki-validation/file.txt

http://www.example.com/.well-known/pki-validation/file.txt

http://example.net/.well-known/pki-validation/file.txt

Before the change, you only had to upload the file to http://example.com/.well-known/pki-validation/file.txt and http://example.net/.well-known/pki-validation/file.txt.

After the change, the file must be accessible at every URL listed above, one for each SAN.
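The per-certificate rules above can be turned into a pre-flight check to run before asking the CA to validate. This is an added example, not M2Host's or any CA's tooling; the function names, the sample file body, and the assumption that the CA expects the file content to match exactly are all hypothetical.

```python
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/pki-validation/"  # path used in the article's URLs

def required_urls(cert_type, names, filename="file.txt"):
    """URLs that must serve the validation file under the post-change rules."""
    if cert_type == "wildcard" or any("*" in n for n in names):
        # Wildcards can no longer use HTTP DCV at all.
        raise ValueError("HTTP DCV unavailable for wildcard names; use email or DNS")
    if cert_type == "single":
        if len(names) != 1:
            raise ValueError("single-domain certificate takes exactly one name")
        hosts = [names[0], "www." + names[0]]  # main domain plus its www subdomain
    elif cert_type == "multi":
        hosts = list(names)                    # every SAN is validated on its own
    else:
        raise ValueError(f"unknown certificate type: {cert_type}")
    unique = dict.fromkeys(h.lower().rstrip(".") for h in hosts)  # ordered de-dup
    return [f"http://{h}{WELL_KNOWN}{filename}" for h in unique]

def http_fetch(url, timeout=10):
    """Return the response body as text, or None if the URL is unreachable."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except OSError:  # URLError and HTTPError are OSError subclasses
        return None

def preflight(cert_type, names, expected_body, fetch=http_fetch):
    """Map each required URL to True if it serves the expected file body."""
    results = {}
    for url in required_urls(cert_type, names):
        body = fetch(url)
        results[url] = body is not None and body.strip() == expected_body.strip()
    return results

# Constructed sample: a site still set up the pre-change way, with the file
# on example.com and example.net but not on www.example.com.
SAMPLE_BODY = "constructed-validation-token"
FAKE_SITE = {
    "http://example.com/.well-known/pki-validation/file.txt": SAMPLE_BODY,
    "http://example.net/.well-known/pki-validation/file.txt": SAMPLE_BODY,
}

def fake_fetch(url):
    return FAKE_SITE.get(url)

if __name__ == "__main__":
    sans = ["example.com", "www.example.com", "example.net"]
    for url, ok in preflight("multi", sans, SAMPLE_BODY, fetch=fake_fetch).items():
        print("OK  " if ok else "FAIL", url)
```

With the constructed data, the www.example.com URL is reported as failing, which is the SAN that would block issuance after the change. Drop the `fetch=fake_fetch` argument to check real hosts.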


Free SSL certificate for Shared Hosting: You do not need to take any action at all if your domain uses the shared hosting nameservers. The free SSL certificate will still be installed shortly after you add a domain or subdomain to the hosting account. If you want to use custom nameservers, make sure that both the primary domain and its www subdomain point to your hosting account.


Conclusion

SSL certificate validation is going to change in significant ways. If you plan to get an SSL certificate, or already have one that still needs to be activated, you need to know this information. Domain Control Validation, or DCV, is a process that Certificate Authorities (CAs) use to make sure you are the legal owner of the domain(s) you want to protect with an SSL certificate or that you have control over those domains. The HTTP validation method will be changing. Wildcard SSL certificates can no longer be validated using HTTP validation. This will affect Wildcard SSL certificates, single-domain SSL certificates, multi-domain SSL certificates, and free SSL certificates for shared hosting.

