{"id":14988,"date":"2021-09-01T09:00:00","date_gmt":"2021-09-01T13:00:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=14988"},"modified":"2025-09-10T12:34:28","modified_gmt":"2025-09-10T16:34:28","slug":"file-based-wildcard-goes-away-after-november","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/file-based-wildcard-goes-away-after-november\/","title":{"rendered":"File-Based Wildcard Validation Goes Away After November"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-is-http-https-domain-control-validation-your-go-to-method-for-validating-wildcard-domains-starting-in-november-you-ll-need-to-use-dns-or-email-validation-for-wildcard-ssl-certificates\">Is HTTP\/HTTPS domain control validation your go-to method for validating wildcard domains? Starting in November, you\u2019ll need to use DNS or email validation for wildcard SSL certificates<\/h2>\n\n\n\n<p>If you follow the <a href=\"https:\/\/cabforum.org\/\">CA\/Browser Forum<\/a> (CA\/B Forum), it\u2019s likely that you\u2019ve at least heard about some of the changes that are occurring this year. (And if you haven\u2019t, it\u2019s probably because you have more of a life than we do. But don\u2019t worry, we\u2019re about to give you the lowdown regarding what you need to know about one of the biggest changes.)<\/p>\n\n\n\n<p><a href=\"https:\/\/cabforum.org\/2021\/06\/03\/ballot-sc45-wildcard-domain-validation\/\">Ballot SC 45<\/a>, also known as the Wildcard Domain Validation ballot, is the latest domain control validation (DCV) change to come out of the CA\/B Forum. It changes the requirements relating to how CAs can validate your wildcard domains and subdomains when issuing wildcard SSL certificates for your sites. <strong>Starting in November, you won\u2019t be able to use file-based authentication for wildcard certificates. 
Instead, you\u2019ll need to use DNS or email-based authentication.<\/strong><\/p>\n\n\n\n<p>The change was created in response to the concern that host-based control validation isn\u2019t a strong enough way to demonstrate that someone has control over a domain\u2019s entire namespace. It received unanimous support from CA\/B Forum members because it improves security for subdomains.<\/p>\n\n\n\n<p>But what exactly does this change entail for wildcard and multi-domain wildcard certificate users? And what does all of this mean for validating domains without the use of what\u2019s considered a go-to method?<\/p>\n\n\n\n<p>Let\u2019s hash it out.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-first-a-quick-refresher-on-domain-control-validation-methods\">First, A Quick Refresher on Domain Control Validation Methods<\/h2>\n\n\n\n<p>Whenever you request a digital certificate to secure a specific website domain, you need to prove that you actually control that domain. Domain control validation (DCV) is an important part of the certificate request and issuance process. Traditionally, there have been three methods you could choose from to accomplish this task. Here\u2019s a quick overview of the three types (listed in no particular order):<\/p>\n\n\n\n<ol style=\"list-style-type:1\" class=\"wp-block-list\">\n<li><strong>Email-based validation<\/strong> \u2014 This domain validation method is the easiest. It involves receiving and acting upon an email sent to the account listed on your domain\u2019s WHOIS record (such as admin@yourdomain.com).<\/li>\n\n\n\n<li><strong>File-based validation (HTTP\/HTTPS validation)<\/strong> \u2014 This method of domain validation requires you to upload a text file to a specific directory of your domain\u2019s web server. 
The file must contain specific information that the CA tells you to include to prove you control the domains that you want the wildcard or non-wildcard SSL certificate to cover.<\/li>\n\n\n\n<li><strong>DNS-based validation (CNAME validation)<\/strong> \u2014 This method involves the applicant creating a unique CNAME record in their domain name system (DNS) to prove domain control. For example, Sectigo likes to require their certificate requestors to make their CNAME records point back to a Sectigo site.<\/li>\n<\/ol>\n\n\n<h2 class=\"wp-block-heading\">CA\/B Forum Ballot SC 45 Changes the Rules for Wildcard Validation<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"518\" height=\"643\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/08\/san-certificate-information-amazon-example2.png\" alt=\"Screenshot of a website's SSL\/TLS certificate displaying SAN domains\" class=\"wp-image-14989\" style=\"width:350px;height:434px\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/08\/san-certificate-information-amazon-example2.png 518w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/08\/san-certificate-information-amazon-example2-242x300.png 242w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/08\/san-certificate-information-amazon-example2-75x94.png 75w\" sizes=\"auto, (max-width: 518px) 100vw, 518px\" \/><figcaption class=\"wp-element-caption\">A screenshot example of SAN domains that are covered by an individual SAN SSL\/TLS certificate.<\/figcaption><\/figure>\n<\/div>\n\n\n<p>CA\/B Forum ballot SC45, which goes into effect on Dec. 1, 2021, specifies that file-based domain validation for certificates 
will no longer be allowed for wildcard domains \u2014 period. The concern here is that it\u2019s not considered a comprehensive enough method because this validation method only demonstrates control over a host and service, not the domain namespace as a whole. The ballot had broad support and passed unanimously with 22 certificate issuers and five certificate consumer groups voting for it.<\/p>\n\n\n\n<p>Say you control the individual FQDN <em>trekkie4evah.com<\/em>. That doesn\u2019t automatically prove that you also control other areas of your domain namespace (such as the subdomains <em>email.trekkie4evah.com<\/em> or <em>login.email.trekkie4evah.com<\/em>). Someone malicious could validate domains that they use for phishing campaigns and other cyber attacks.<\/p>\n\n\n\n<p>So, what does this mean if you use file-based validation for non-wildcard domains? You\u2019ll need to validate each FQDN or subject alternative name (SAN) domain that you want to cover individually. In other words, using the file-based method to validate domain.com will no longer validate subdomains on the same root (*.domain.com, sub.domain.com, etc.).<\/p>\n\n\n\n<p>Ballot SC45 applies to the domain control validation sections of the CA\/B Forum\u2019s Baseline Requirements listed in the table below:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Baseline Requirement Section<\/strong><\/td><td><strong>Summary Description of What This Section Entails<\/strong><\/td><td><strong>Changes Based on Ballot SC 45<\/strong><\/td><\/tr><tr><td>3.2.2.4.6 \u2014 Agreed-Upon Change to Website<\/td><td>This section of the baseline requirements discusses re-using information from past validations from the HTTP\/HTTPS method to confirm domain control.<\/td><td>No changes were made to this section, because SC 42 (which had already passed) already prevents the re-use of such past validations for new certificates after June 30, 2021. 
<\/td><\/tr><tr><td>3.2.2.4.18 \u2014 Agreed-Upon Change to Website v2<\/td><td>This section refers to the HTTP status code responses a CA must receive through file-based domain validation that involves verifying request tokens or random values within a specified file.<\/td><td>Starting Dec. 1, 2021, CAs are required to separately validate \u201cother FQDNs that end with all the labels of the validated FQDN\u201d using a separate DCV method prior to issuing certificates for them. Wildcard domain names can\u2019t be validated using this method on or after the effective date.<\/td><\/tr><tr><td>3.2.2.4.19 \u2014 Agreed-Upon Change to Website &#8211; ACME<\/td><td>This section of the baseline requirements outlines domain control validations that use the ACME HTTP Challenge method outlined in RFC 8555, section 8.3.<\/td><td>The same changes we outlined above for Baseline Requirement 3.2.2.4.18 apply here for BR 3.2.2.4.19.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>(Note: The ballot was based on <a href=\"https:\/\/cabforum.org\/wp-content\/uploads\/CA-Browser-Forum-BR-1.7.4.pdf\">version 1.7.4<\/a>, and the BR document is now up to <a href=\"https:\/\/cabforum.org\/wp-content\/uploads\/CA-Browser-Forum-BR-1.7.9.pdf\">version 1.7.9<\/a>).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-eliminating-http-validation-for-wildcard-domains-is-necessary\">Why Eliminating HTTP Validation for Wildcard Domains Is Necessary<\/h2>\n\n\n\n<p>All of this may leave you wondering whether getting rid of this domain validation method is necessary. 
According to the <a href=\"https:\/\/github.com\/cabforum\/servercert\/pull\/269\">CA\/B Forum\u2019s GitHub discussion on Ballot SC45<\/a>, the goal here is to make it clear that using the HTTP\/HTTPS method to validate a single domain demonstrates control of a <em>single FQDN<\/em>. This method of validation doesn\u2019t prove control of the FQDN\u2019s entire namespace as a whole (i.e., all of the domains and subdomains that exist within that namespace).<\/p>\n\n\n\n<p>It\u2019s possible someone could control the server where domain.com is hosted but not be an authorized admin of the servers where any of the subdomains are hosted. However, it seems like it\u2019s more of a theoretical concern than a widespread, real-world issue.<\/p>\n\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-notice is-variation-info has-icon\" data-type=\"info\"><p class=\"wp-block-advanced-gutenberg-blocks-notice__title\">Related: Learn About Multi-Perspective Issuance Corroboration (MPIC)<\/p><p class=\"wp-block-advanced-gutenberg-blocks-notice__content\">Learn about the role of <a href=\"https:\/\/www.thesslstore.com\/blog\/multi-perspective-issuance-corroboration-mpic\/\">MPIC for website and email domain validation<\/a>, which adds another layer of authenticity by relying on multiple remote network perspectives.<\/p><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-digicert-sectigo-will-roll-out-their-dcv-changes-ahead-of-schedule-on-nov-15-2021\">DigiCert, Sectigo Will Roll Out Their DCV Changes Ahead of Schedule on Nov. 
15, 2021<\/h3>\n\n\n\n<p>Although the ballot isn\u2019t supposed to take effect until Dec. 1, 2021, two leading certification authorities (<a href=\"https:\/\/knowledge.digicert.com\/alerts\/domain-authentication-changes-in-2021.html\">DigiCert<\/a> and <a href=\"https:\/\/sectigo.com\/knowledge-base\/detail\/Domain-Control-Validation-DCV-using-file-based-validation-policy-change\/kA03l000000Xsf9\">Sectigo<\/a>) separately announced that they&#8217;re implementing the validation changes a couple of weeks early. Why? To make sure that everything is working the way it should and that there aren\u2019t any unforeseen issues that pop up at the last minute.<\/p>\n\n\n\n<p><strong>DCV changes for both DigiCert and Sectigo are effective Monday, Nov. 15, 2021.<\/strong> This means that any certificates issued before Nov. 14 will still work as they always have in terms of DCV methods. However, starting Nov. 15:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>file-based validation will no longer be an option for wildcard certificates, and<\/li>\n\n\n\n<li>non-wildcard certificates will require separate validation for each FQDN\/SAN when using the file-based validation method.<\/li>\n<\/ul>\n\n\n\n<p>So, what does this mean for businesses whose certificate issuers decide to roll out these changes ahead of the Dec. 1 deadline? Let\u2019s illustrate how these changes will affect DCV for various SAN\/FQDNs based on the CAs&#8217; Nov. 15 rollout date:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Certificate &amp; Domain Coverage<\/strong><\/td><td><strong>Validation Before Nov. 15<\/strong><\/td><td><strong>Validation After Nov. 
15<\/strong><\/td><\/tr><tr><td>Certificate for the wildcard *.trekkie4evah.com<\/td><td>Allows for the use of any of the three validation methods, including file-based validation<\/td><td>Requires the use of either the DNS- or email-based domain validation method<\/td><\/tr><tr><td>Certificate with SANs for trekkie4evah.com and email.trekkie4evah.com<\/td><td>Allows for the use of any of the three validation methods, including file-based validation<\/td><td>Requires the use of either DNS- or email-based validation, OR complete file-based validation for each SAN domain individually<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-should-we-do-if-we-re-currently-using-file-based-validation\">What Should We Do if We\u2019re Currently Using File-Based Validation?<\/h2>\n\n\n\n<p>So, what\u2019s the big takeaway from all of this? The file-based domain control validation method is going away for wildcard certificates, so you need to be prepared to use either the DNS- or email-based domain validation method instead. 
Specifically:<\/p>\n\n\n\n<ol style=\"list-style-type:1\" class=\"wp-block-list\">\n<li>HTTP validation will no longer be accepted for wildcard domains, and validating a base domain will no longer cover its SAN subdomains.<\/li>\n\n\n\n<li>You (or your customers if you\u2019re an SSL\/TLS reseller) will need to choose one of the other two domain control validation methods we mentioned earlier when validating:\n<ol class=\"wp-block-list\">\n<li>Wildcard domains for single-domain wildcard certificates, and<\/li>\n\n\n\n<li>Wildcard SAN domains in multi-domain wildcard certificates.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-does-this-mean-for-certificate-automation-in-autoinstall-ssl\">What Does This Mean for Certificate Automation in AutoInstall SSL?<\/h2>\n\n\n\n<p>What if you use automation tools? How will this CA\/B Forum change affect things? If you use the <a href=\"https:\/\/www.thesslstore.com\/autoinstall-ssl.aspx\">AutoInstall SSL<\/a> plugin with cPanel, don\u2019t worry \u2014 we\u2019ll be releasing an update so that the plugin uses DNS validation by default on wildcard certificates. Stay tuned for more details!<\/p>\n\n\n\n<p>If you have another specific use case that relies on file-based validation for wildcard certificates, reach out to us and we\u2019ll work with you to find a solution that meets your needs.<\/p>\n\n\n\n<p>Have questions or concerns about this process? Reach out to your account manager for assistance.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Is HTTP\/HTTPS domain control validation your go-to method for validating wildcard domains? 
Starting in November, you\u2019ll need to use DNS or email validation for wildcard SSL certificates If you follow&#8230;<\/p>\n","protected":false},"author":17,"featured_media":14997,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[13107,17,10200],"tags":[8180,1133,3746],"class_list":["post-14988","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-hashed-out","category-industry-lowdown","category-monthly-digest","tag-domain-validation","tag-validation","tag-wildcard-ssl","post-with-tags"],"views":13229,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/09\/filed-based-domain-validation-wildcard-feature3.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=14988"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14988\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/14997"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=14988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=14988"},{"t
axonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=14988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}