No more File Validation for Wildcard SSL certificates

In compliance with pending policy changes brought about by CA Browser (CA/B) Forum ballot SC45; Sectigo and Digicert CAs will make updates to the circumstances under which it can employ file-based Domain Control Validation (DCV). While these updates will have minimal impact on customers, they will change the process required for domain validation for some types of certificate request. Sectigo/Digicert will implement its policy updates starting November 15, 2021.

Domain Control Validation (DCV) is the process by which a CA gains evidence that a particular domain is managed by the applicant for a certificate. The certificate applicant has a choice of possible DCV methods explained below:

Domain Control Validation (DCV) Method

One of these options is file-based validation, which requires the domain owner to upload to the domain a file containing a unique identifier given to the certificate applicant by the Certificate Authority (CA). The CA can then locate and interrogate this file as proof that the requestor has control of this domain.

The CA/Browser Forum has determined that this process is inadequate for validation of wildcard domains or entire domain spaces. The recent ballot mandates the disallowance of file-based authentication for wildcard certificates. For multidomain certificates using file-based DCV, each subdomain will require independent validation. This requirement impacts all SSL / TLS certificate requests.

Requesters who have used file-based DCV in the past may continue to use this method for multi-domain certificates simply by including the assigned token on each subdomain requiring validation. If they prefer, requesters can elect a different DCV method for multi-domain certificates instead. Those requesting wildcard certificates will need to choose a method other than file-based DCV.