Domain Validation Changes for Issuing SSL Certificates in 2021
The CA/B Forum, the regulator of the SSL certificate industry, has approved several changes to domain validation policy. The changes apply to all new certificates, as well as to re-issues and renewals of existing certificates. SSL/TLS certificates that have already been issued will continue to function (you do not need to change them).
Domains will need to be re-validated every 398 days
Starting from 1 October 2021, domains (FQDNs) will have to be re-validated every 398 days. The same applies to the re-validation of IP addresses. This change is set out in Ballot SC42. For Organization Verification (OV), the 825-day data reuse period remains unchanged.
Extended Validation (EV) is not affected in this case, since domains with EV certificates already require re-validation every year.
Domain Control Validation (DCV) using File Authentication has changed
The CA/B Forum has made some changes to file-based domain authentication. The file-based domain control validation method will be disabled for wildcard certificates. It remains available for individual subdomains.
Email- and DNS-based domain control validation methods will not be affected.
The CA/B Forum policy changes require separate file-based validation for each FQDN. Email- and DNS-based validation will still work for wildcard certificates and can be used to validate all subdomains of one verified domain. This change will come into force on 1 December 2021.
Do I need to do anything?
No urgent action is required.
To better prepare for these changes, we recommend changing the domain validation method to email or DNS for wildcard and multi-domain certificates. File authentication is only suitable for individual domains (it will no longer cover the entire domain space within the verified domain).
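One way to check a certificate inventory against these rules is sketched below. It is an added example, not code from the CA/B Forum or from this page's author. The record format, the function names and the sample data are assumptions, and it treats both changes as already in force.

```python
from datetime import date, timedelta

REUSE_DAYS = 398  # domain validation reuse period stated on this page

def covers(validated, method, name):
    """Can a validation of `validated` done via `method` be reused for `name`?"""
    if method == "file":
        # File-based DCV: one FQDN per validation, never a wildcard.
        return name == validated and not name.startswith("*.")
    # Email/DNS: the verified domain, its subdomains and wildcards under it.
    return name == validated or name.endswith("." + validated)

def plan(sans, records, today):
    """Map each certificate name to 'ok' or the reason it needs validating."""
    result = {}
    for raw in sans:
        name = raw.lower().rstrip(".")
        status = "no reusable validation"
        for validated, method, when in records:
            if not covers(validated, method, name):
                continue
            if today - when > timedelta(days=REUSE_DAYS):
                status = "validation older than 398 days"
                continue
            status = "ok"
            break
        if status != "ok" and name.startswith("*."):
            status += "; validate by email or DNS"
        result[name] = status
    return result

# Constructed sample data (assumed format: domain, method, validation date).
RECORDS = [
    ("example.com", "file", date(2021, 11, 1)),
    ("example.org", "dns", date(2021, 11, 1)),
    ("example.net", "email", date(2020, 6, 1)),
]
SANS = ["example.com", "www.example.com", "*.example.com",
        "*.example.org", "api.example.org", "example.net"]

def demo():
    return plan(SANS, RECORDS, today=date(2021, 12, 15))

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20} {status}")
```

In the sample, the file validation of example.com covers only that exact name, while the DNS validation of example.org also covers its wildcard and subdomain.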