{"id":2033,"date":"2021-10-13T02:29:57","date_gmt":"2021-10-13T09:29:57","guid":{"rendered":"https:\/\/www.ssls.com\/blog\/?p=2033"},"modified":"2023-09-27T15:05:05","modified_gmt":"2023-09-27T22:05:05","slug":"upcoming-changes-to-http-domain-control-validation","status":"publish","type":"post","link":"https:\/\/www.ssls.com\/blog\/upcoming-changes-to-http-domain-control-validation\/","title":{"rendered":"The upcoming changes to HTTP domain control&nbsp;validation"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.ssls.com\/blog\/wp-content\/uploads\/SSLs_changes-to-HTTP.png\" alt=\"\" class=\"wp-image-2026\"\/><\/figure>\n\n\n\n<p>There will be a change in the requirements for SSL certificates seeking validation using the <a href=\"https:\/\/www.ssls.com\/knowledgebase\/how-can-i-complete-the-domain-control-validation-for-my-ssl-certificate\/#http\">HTTP domain control validation (DCV) method<\/a> in the coming weeks. This change is in keeping with new rules set out by the CA\/Browser Forum, which has determined that in some instances, HTTP validation may allow threat actors to obtain SSL certificates for domains they don\u2019t actually own.<br><\/p>\n\n\n\n<!--more-->\n\n\n\n<p>If you already have an issued <a href=\"https:\/\/www.ssls.com\/blog\/clearing-up-confusion-ssl-vs-code-signing-certificates\/\">SSL certificate<\/a>, this change won\u2019t affect you. 
However, if you\u2019re planning to purchase, reissue, reactivate, or renew an SSL certificate and validate via HTTP DCV in the near future, read on to find out more about these changes and how they may impact you.<br><\/p>\n\n\n\n<p>To learn more about DCV and HTTP DCV, <a href=\"#faq\">click here to skip to the FAQ section<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What exactly is changing?<\/h2>\n\n\n\n<p>The main changes are:<br><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.ssls.com\/knowledgebase\/how-can-i-complete-the-domain-control-validation-for-my-ssl-certificate\/#http\">HTTP DCV<\/a> will no longer be allowed for any <a href=\"https:\/\/www.ssls.com\/domain-type\/wildcard-ssl-certificates\">Wildcard SSL<\/a> certificates&nbsp;<\/li><li>Each SAN in a non-wildcard SSL (<a href=\"https:\/\/www.ssls.com\/domain-type\/single-domain-ssl-certificates\">Single-domain<\/a> &amp; <a href=\"https:\/\/www.ssls.com\/domain-type\/multi-domain-ssl-certificates\">Multi-domain<\/a>) will need to be validated individually.<\/li><\/ul>\n\n\n\n<p>Email and DNS validation will not be affected, so you\u2019ll still be able to validate your site by <a href=\"https:\/\/www.ssls.com\/knowledgebase\/how-can-i-complete-the-domain-control-validation-for-my-ssl-certificate\/#em\">receiving an email<\/a> or <a href=\"https:\/\/www.ssls.com\/knowledgebase\/how-can-i-complete-the-domain-control-validation-for-my-ssl-certificate\/#dns\">placing a CNAME record<\/a> in your site\u2019s DNS settings, whatever your SSL certificate type.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">When will the changes take place?<\/h2>\n\n\n\n<p>We will remove the HTTP DCV option for Wildcard SSL certificates on SSLs.com on October 21, 2021. 
From November 15, 2021, Single-domain &amp; Multi-domain certificates will require validation for each individual SAN on the certificate.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How will this affect me?<\/h2>\n\n\n\n<p>As we said earlier, if you already have your issued SSL, you don\u2019t need to do anything.&nbsp;<br><\/p>\n\n\n\n<p>If you have yet to activate your SSL or have one pending HTTP DCV, here are the new requirements based on SSL type:<br><\/p>\n\n\n\n<p><strong>Wildcard SSLs<\/strong><\/p>\n\n\n\n<p>If you have a Wildcard SSL pending domain validation using the HTTP method, you can complete DCV via this method until November 15, 2021. If you don\u2019t complete HTTP DCV before November 15, you\u2019ll need to change the DCV method to Email or DNS to have the SSL issued. You can <a href=\"https:\/\/www.ssls.com\/knowledgebase\/ssl-validation-tool\/\">change your DCV method by using the SSL Order Status Checker tool<\/a>.<br><\/p>\n\n\n\n<p><strong>Single-domain SSLs<\/strong><\/p>\n\n\n\n<p>If you have a single-domain certificate that\u2019s pending HTTP DCV after November 15, you\u2019ll need to upload the validation file to both the main domain and the www subdomain. 
<br><\/p>\n\n\n\n<p>If we take blog.example.com as an example, before November 15, you\u2019ll only need to place the validation file for an activated single-domain SSL in: http:\/\/blog.example.com\/.well-known\/pki-validation\/file.txt.<br><\/p>\n\n\n\n<p>However, after November 15, the file must be available at both: http:\/\/<strong>blog<\/strong>.example.com\/.well-known\/pki-validation\/file.txt and http:\/\/<strong>www.blog.<\/strong>example.com\/.well-known\/pki-validation\/file.txt.<br><\/p>\n\n\n\n<p><strong>Multi-domain SSLs<\/strong><\/p>\n\n\n\n<p>If you have multi-domain validation certificates pending HTTP DCV after November 15, you\u2019ll need to validate each SAN individually.<br><\/p>\n\n\n\n<p>For example, if you activate a multi-domain SSL for <strong>example.com<\/strong>, <strong>www.example.com<\/strong>, and <strong>example.net<\/strong>, then the file will need to be made available at the following URLs:<br><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>http:\/\/<strong>example.com<\/strong>\/.well-known\/pki-validation\/file.txt<\/li><li>http:\/\/<strong>www.example.com<\/strong>\/.well-known\/pki-validation\/file.txt<\/li><li>http:\/\/<strong>example.net<\/strong>\/.well-known\/pki-validation\/file.txt  <\/li><\/ul>\n\n\n\n<p>Before, the files only needed to be available at: http:\/\/<strong>example.com<\/strong>\/.well-known\/pki-validation\/file.txt and http:\/\/<strong>example.net<\/strong>\/.well-known\/pki-validation\/file.txt.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How SSLs.com will help users pass DCV following the new requirements<\/strong><\/h2>\n\n\n\n<p>For Wildcard SSLs, we will remove the HTTP DCV option on October 21.<\/p>\n\n\n\n<p>To give users more options, we will also add <a href=\"https:\/\/www.ssls.com\/knowledgebase\/how-can-i-complete-the-domain-control-validation-for-my-ssl-certificate\/#dns\">DNS validation<\/a> to the available DCV methods at the SSL activation stage for single-domain and wildcard 
certificates. This will allow users to validate domain names by adding a CNAME record to their domain\u2019s DNS zone.&nbsp;<br><\/p>\n\n\n\n<p>As always, our support team is available 24\/7\/365 to help you get your SSLs validated.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"faq\">FAQ<\/h2>\n\n\n\n<p><strong>What is DCV?<\/strong><\/p>\n\n\n\n<p>DCV, or Domain Control Validation, is a process used by Certificate Authorities to prove that the person requesting an SSL for a specific domain has control over that domain.<br><\/p>\n\n\n\n<p><strong>What is HTTP (file-based) DCV?<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/www.ssls.com\/knowledgebase\/how-can-i-complete-the-domain-control-validation-for-my-ssl-certificate\/#http\">HTTP DCV<\/a> is a DCV method that requires the requestor to upload a validation file to their domain\u2019s hosting server so that the Certificate Authority can check it and verify domain ownership.<br><\/p>\n\n\n\n<p><strong>Why are these changes happening?<\/strong><\/p>\n\n\n\n<p>The CA\/Browser Forum, the organization that manages SSL certificate rules and procedures, has determined that HTTP validation comes with the risk of threat actors obtaining certificates for subdomains they don\u2019t legitimately control.<br><\/p>\n\n\n\n<p><strong>Will these changes apply to reissues and renewals?<\/strong><\/p>\n\n\n\n<p>Yes, these changes will apply to all new, reissued, reactivated, and renewed SSL certificates validated using the HTTP DCV method.<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>There will be a change in the requirements for SSL certificates seeking validation using the HTTP domain control validation (DCV) method in the coming weeks. 
This change is in keeping with new rules set out by the CA\/Browser Forum, which has determined that in some instances, HTTP validation may allow threat actors to obtain SSL [&hellip;]<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2033","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2033","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/comments?post=2033"}],"version-history":[{"count":10,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2033\/revisions"}],"predecessor-version":[{"id":2726,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2033\/revisions\/2726"}],"wp:attachment":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/media?parent=2033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/categories?post=2033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/tags?post=2033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}