The CAB Forum has approved an amendment to the Baseline Requirements that changes the rules on domain validation. From 1st December 2021, restrictions on HTTP-based validation methods will be introduced, because these methods only prove control of a particular host and service (not of the entire domain name).
Please find below details of how these changes will impact domain validation processes for SSL Certificates, as of 01/12/2021.
- HTTP-based validation methods will no longer be used to validate a wildcard FQDN (Fully Qualified Domain Name) (such as *.domainname.tld). As a result, it will not be possible to issue a wildcard SSL Server certificate if the domain validation is performed using an HTTP-based method. Actalis will, in any case, only offer domain control validation (DCV) methods acceptable for the type of certificate being requested.
- HTTP-based validation methods will no longer cover subdomains (including “www”) of the validated domain. This means, for example, that if domainname.tld is validated using the HTTP method, its SSL Server certificate cannot also include www.domainname.tld. If you want the certificate to include www.domainname.tld, that name must itself be HTTP validated. If you want the certificate to include both FQDNs, you will need to ensure HTTP validation for both.
Other domain validation methods remain unchanged (e.g. DNS-based method or those based on emailing a domain administrator or contact).
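
The coverage rules above can be checked before a certificate request is submitted. The following Python is an added example, not Actalis or CAB Forum code: the method labels (`http`, `dns`, `email`) and function names are hypothetical, and it assumes that DNS- and email-based validation of a domain still covers its subdomains and wildcard.

```python
# Added illustration of the post-01/12/2021 coverage rules; not Actalis code.
# Method labels are hypothetical names chosen for this example.
HOST_ONLY_METHODS = {"http"}            # proves control of one host and service only
DOMAIN_WIDE_METHODS = {"dns", "email"}  # assumption: still cover subdomains and wildcards


def is_covered(name, validations):
    """Return True if `name` (a requested FQDN, possibly a wildcard) is
    covered by at least one entry of `validations` ({validated_fqdn: method})."""
    name = name.lower().rstrip(".")
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    for fqdn, method in validations.items():
        fqdn = fqdn.lower().rstrip(".")
        if method in HOST_ONLY_METHODS:
            # HTTP: exact host match only, never a wildcard or a subdomain.
            if not wildcard and base == fqdn:
                return True
        elif method in DOMAIN_WIDE_METHODS:
            # Domain-wide: the validated domain itself, its subdomains,
            # and wildcards at or below it.
            if base == fqdn or base.endswith("." + fqdn):
                return True
        # Unknown method labels cover nothing (fail closed).
    return False


def uncovered_names(requested, validations):
    """List the requested names that no completed validation covers."""
    return [n for n in requested if not is_covered(n, validations)]


if __name__ == "__main__":
    # Constructed sample request using the page's placeholder domain.
    requested = ["domainname.tld", "www.domainname.tld", "*.domainname.tld"]
    print(uncovered_names(requested, {"domainname.tld": "http"}))
    print(uncovered_names(requested, {"domainname.tld": "http",
                                      "www.domainname.tld": "http"}))
    print(uncovered_names(requested, {"domainname.tld": "dns"}))
```

Any name returned by `uncovered_names` needs its own validation (or a DNS- or email-based validation of the parent domain) before the certificate can include it.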