Changes To Comodo’s Domain Validation Procedures Coming Next Week
Comodo will be improving their domain validation methods to meet new industry standards. This will result in small changes to how you validate your Comodo certificates, and will actually be a big improvement for those using file authentication.
Conceptually, these methods continue to work the same way. The implementations have just been tweaked slightly to comply with new industry standards and the end result is that the processes have actually gotten easier. Three cheers for security and simplicity!
The average user will not notice an impact to how you request and validate certificates besides a small tweak to the file path for file validation. But businesses that resell certificates or enterprises that automate deployment will want to consult the specific changes to make sure they are ready.
These changes take effect shortly – less than one week from today. Here is a quick summary of what’s changing so you can be prepared.
Note that this only applies to Comodo. Symantec and Certum made similar changes earlier this year.
There are changes with two of the validation methods: File-based validation and CNAME (aka DNS) validation.
Things are getting much simpler. Before, there were different procedures depending on the type of certificate or the hostnames you wanted to protect.
Now there is just one rule. Place the file at the following path:
Each certificate request will still receive a unique .txt file with a random-looking name (it’s really an MD5 hash of your request). Inside, the file will now contain a unique SHA-256 hash and comodoca.com in a separate line underneath.
As before, you can create a specified CNAME record to validate ownership of your domain. This value will still be provided to you, and you will create it in your DNS manager the same way.
The specifics of the record will change, and this really only affects those that like to familiarize themselves with every detail. There will now be an underscore (“_”) before MD5 hash values and SHA256 hashes that are split into 32-character strings will now be used.
Here is an example of a new record:
_c7fbc2039e400c8ef74129ec7db1842c.<domain.com> CNAME c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.comodoca.com.
When Do I Need To Make These Changes
These changes will take effect next Thursday, July 20, 2017.
For “retail customers,” who purchase directly from Comodo or from a reseller like us, you will automatically start receiving the updated files and instructions. Because these files and CNAME values are prepared by Comodo, you may not even notice a difference.
Resellers, enterprise customers, and other high-volume certificate users will need to spend more time preparing.
If you use a plugin or API to purchase your Comodo certificates, check with your provider what (if any) update needs to be made so you can be compatible with the changes.
Our resellers and enterprise users can update anytime between now and the 20th, which is the deadline for the switch. New versions of the plugins and updated API calls and documentation are available here.