All commercial CAs require a domain control verification (DCV) before issuing an SSL certificate. Until now, you could choose one of three methods to verify domain ownership. But starting November 15, you can no longer use the HTTP/HTTPS hashing method to verify Wildcard domains. You are left with two options:
Email verification
DNS based verification (CNAME verification)
Before we look at why CAs decided to remove file-based validation for Wildcard certificates, let's quickly look at each method.
E-mail
This is the easiest and most popular method of verifying your domain name. All you need to do is reply to the email the CA sends to an address listed in your domain's WHOIS record. Here is a list of pre-approved emails for domain ownership verification.
DNS (CNAME)
When using this method, you need to create a unique CNAME record in your DNS (Domain Name System). For example, if you order an SSL certificate from Sectigo, they will ask you to make your CNAME record point to the Sectigo site.
File-based
Certificate authorities and browsers are constantly striving to improve the SSL issuance process and make it bulletproof. After shortening the SSL validity period to just one year in a previous change, their latest vote bans file-based verification for Wildcard domains and subdomains.
Bulletin SC45, which was unanimously adopted by the CA/Browser Forum, affects the file-based DCV method as follows:
Starting in November, you will not be able to perform file-based authentication for wildcard certificates. Instead, you will have to use email-based or DNS-based authentication.

For certificates that do not contain wild cards, domain verification will be required for each FQDN/SAN individually.
These policy changes affect all public TLS/SSL certificates.
CA/B Forum Bulletin SC45 goes into effect on December 1, 2021, but DigiCert and Sectigo, leading CAs, have announced that they will implement the changes on November 15.
This means that all Wildcard certificates issued before November 14 will still support the file-based verification method. However, starting November 15, it will no longer be available.
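As an added illustration (not the article's, the CA/B Forum's or any CA's own code), here is a small Python model of which SANs a set of completed validations still covers under the post-SC45 rules described above: file-based validation covers only the exact FQDN it was done for, while DNS and email validation cover the name, its wildcard and its subdomains. The method names, the Validation type and the sample names are assumptions.

```python
from dataclasses import dataclass

# Constructed model of DCV scope after Ballot SC45; not any CA's own code.
# Method names ("http", "dns", "email") and the Validation type are assumptions.
@dataclass(frozen=True)
class Validation:
    method: str  # "http" (file-based), "dns" (CNAME) or "email" (WHOIS contact)
    name: str    # FQDN the check was completed for

def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")

def _within(name: str, parent: str) -> bool:
    """True if name equals parent or is a subdomain of it."""
    return name == parent or name.endswith("." + parent)

def covered_by(san: str, v: Validation) -> bool:
    """Does one completed validation authorise this SAN?"""
    san, validated = _norm(san), _norm(v.name)
    if v.method == "http":
        # File-based: proves control of that single FQDN only, never a wildcard
        # and, since SC45, not the labels beneath it either.
        return not san.startswith("*.") and san == validated
    if v.method in ("dns", "email"):
        # DNS/email: proves control of the namespace, so the name, its wildcard
        # and every subdomain are covered.
        base = san[2:] if san.startswith("*.") else san
        return _within(base, validated)
    raise ValueError(f"unknown DCV method: {v.method}")

def uncovered_sans(sans, validations):
    """SANs that no completed validation covers: issuance must not proceed."""
    return [s for s in sans if not any(covered_by(s, v) for v in validations)]

if __name__ == "__main__":
    sans = ["example.com", "*.example.com", "www.example.com"]
    print(uncovered_sans(sans, [Validation("http", "example.com")]))
    print(uncovered_sans(sans, [Validation("dns", "example.com")]))
```

Run it to see that an HTTP check on the bare domain leaves both the wildcard and the www host uncovered, whereas a single CNAME check on the same domain covers all three.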
Why the File-Based DCV Method Is a Security Risk
According to the CA/B Forum, the file-based domain verification method is not sufficient to confirm control over the entire FQDN (Fully Qualified Domain Name) namespace, including all domains and subdomains that exist within that namespace.
For example, you may control yourdomain, but a subdomain of it may be hosted on another server that you do not have access to. In theory, a phisher or hacker could verify such a domain and use it for cyberattacks.