Speed up SSL issuance
GoGetSSL® offers fastest issuance of SSL due to use of LEI code and API automation. Legal Entity Identifier (LEI) is a global identity code, just like DUNS. Learn how LEI works.
Guide on Multi-Perspective Issuance Corroboration (MPIC)
-
Starting Sept 15, 2025, all publicly trusted certification authorities (CAs such as DigiCert, Sectigo, etc.) must perform domain validation and CAA record checks using multiple network perspectives.
With MPIC, CAs no longer rely on a single DNS lookup when verifying a domain’s CAA (Certification Authority Authorization) records. Instead, they now check DNS responses from multiple global network locations to confirm consistency and reduce the risk of DNS spoofing or routing attacks.
This change improves security but also means that some previously valid DNS setups — especially private or restricted DNS servers — may cause SSL/TLS certificate issuance to fail if the CAA check cannot be completed from all required perspectives.
-
-
*
What Is MPIC?
Multi-Perspective Issuance Corroboration (MPIC) is a new security standard adopted by Certificate Authorities (CAs), including Sectigo, to make SSL/TLS certificate issuance more resilient and secure.
Previously, when you requested an SSL certificate, the CA would check your CAA (Certification Authority Authorization) DNS records from one or two global network locations. If the DNS server responded correctly, the certificate could be issued.
With MPIC, the CA must now check your CAA records from multiple geographic perspectives (locations). If any perspective cannot reach your DNS server or gets conflicting results, the issuance fails.
-
*
Why MPIC Was Introduced
MPIC was created to address BGP hijacking and other DNS-related attacks that could allow an attacker to trick a CA into issuing a certificate for a domain they don’t own. By validating from multiple networks and locations, the CA can better detect:
- Private or unreachable DNS servers
- Incorrect or misconfigured CAA records
- DNS manipulation or spoofing attempts
-
*
How MPIC Affects You
If your DNS server is not publicly reachable or is restricted to certain IPs, the CAA check may fail. Even if your CAA records appear correct when checked from your local network or common online tools, the CA might not be able to confirm them from all required perspectives.
Common reasons for failure include:
- Private or internal DNS servers
- Geo-restricted DNS servers
- DNS firewalls or blocking certain regions
- Misconfigured CAA records (typos, missing flags)
- DNSSEC issues
-
-
-
*
How to Fix MPIC-Related Issues
Ensure Your DNS Is Publicly Reachable
- Your DNS servers must be accessible from multiple global locations.
- Avoid private resolvers or networks restricted by firewalls.
- Test your domain with CAA Record Checker
Verify Your CAA Records
Make sure your CAA records explicitly authorize Sectigo (if you’re using Sectigo-issued certificates). Example:
example.tld. IN CAA 0 issue "sectigo.com" example.tld. IN CAA 0 issuewild "sectigo.com"If you have no CAA records at all, the CA can issue any certificate — but it’s safer to have correct ones.
Check DNS Propagation
Use public DNS checkers (e.g., dig, dnschecker.org) to confirm your CAA records resolve from multiple global locations.
Remove DNS Restrictions
If your DNS provider or server blocks certain regions or IPs, it can cause MPIC validation to fail. Allow queries from public resolvers.
Validate DNSSEC Configuration
Improper DNSSEC setup can cause lookup failures. Ensure your DS and DNSKEY records are correct and match your zone.
-
*
Best Practices Moving Forward
- Use a reliable, public DNS provider (e.g., Cloudflare, Google DNS, AWS Route53).
- Regularly test your CAA setup from different locations.
- Keep CAA records minimal but correct — specify only the CAs you use.
- Monitor certificate issuance logs for CAA or PRE-SIGN FAILED errors.
If you still have a questions or need our assistance please contact our support team
-