SearchSupportDocsFree trial
Contact us
Sectigo Blog

Modifications to Available File-Based Methods of Domain Control Validation

In compliance with pending policy changes by CA/B Forum ballot SC45; Sectigo will update the circumstances under which it can employ file-based DCV.

Sectigo Team
By Sectigo Team, Delivering Digital TrustSeptember 7, 20212 min read

In compliance with pending policy changes brought about by CA Browser (CA/B) Forum ballot SC45, Sectigo will make updates to the circumstances under which it can employ file-based Domain Control Validation (DCV). While these updates will have minimal impact on Sectigo customers, they will change the process required for domain validation for some types of certificate request. Sectigo will implement this policy change on the revised date of the beginning of November 22nd 2021.

Domain Control Validation (DCV) is the process by which a CA gains evidence that a particular domain is managed by the applicant for a certificate. The certificate applicant has a choice of possible DCV methods explained in these articles:

Domain Control Validation (DCV) Methods Alternative Methods of Domain Control Validation (DCV) ​

One of these options is file-based validation, which requires the domain owner to upload to the domain a file containing a unique identifier given to the certificate applicant by the Certificate Authority (CA). The CA can then locate and interrogate this file as proof that the requestor has control of this domain.

The CA/Browser Forum has determined that this process is inadequate for validation of wildcard domains or entire domain spaces. The recent ballot mandates the disallowance of file-based authentication for wildcard certificates. For multidomain certificates using file-based DCV, each subdomain will require independent validation. This requirement impacts all SSL / TLS certificate requests.

Requesters who have used file-based DCV in the past may continue to use this method for multi-domain certificates simply by including the assigned token on each subdomain requiring validation. If they prefer, requesters can elect a different DCV method for multi-domain certificates instead. Those requesting wildcard certificates will need to choose a method other than file-based DCV.

For more information, please see the following KB article and the associated FAQ.