Some upcoming changes to how SSL certificates are validated
If you’re thinking about purchasing an SSL soon or already have an SSL that you haven’t activated yet, you should know about some upcoming changes to how SSL certificates are validated and what that might mean for you. In the coming weeks, HTTP domain control validation (DCV) will work a little differently across all SSL certificate types. If you already have an issued SSL, this won’t affect you. For everyone else, read on for more information.
This blog post will discuss what the changes are, why they’re happening, and how they will affect you.
What is DCV?
First, let’s define what DCV is in case you’re not already familiar with it. DCV is a process that shows Certificate Authorities (CAs) that you are the owner or have control over the domain or domains you wish to secure with an SSL certificate. DCV is a requirement of all CAs that issue SSL certificates.
There are three methods of DCV to choose from:
- Email validation
- DNS validation
- HTTP validation
HTTP validation is a file-based validation method that requires whoever requested an SSL to upload a particular file to a specific folder on their domain’s server. You can find out more about how to create that folder and upload the file in this guide. Once this is complete, the CA checks that this file is present on the server before issuing the SSL certificate.
How will HTTP validation change?
The most significant change is that Wildcard SSL certificate owners will no longer be permitted to validate their domains via HTTP DCV.
Meanwhile, each SAN (domain seat) in single-domain and multi-domain SSL certificates will need to be validated individually when domain owners choose HTTP DCV.
Email and DNS validation will not be affected.
Why is this happening?
The CA/Browser Forum, the organization that manages SSL certificate rules and procedures, has determined that HTTP validation comes with the risk of malicious actors obtaining certificates for subdomains they don’t legitimately control.
Will these changes apply to reissue and renewal SSL certificates?
Yes, these changes will apply to all new, reissue, and renewal SSL certificates using the HTTP DCV method.
When will these changes take place?
The HTTP DCV option will be removed from Wildcard SSL certificates on Namecheap on October 21, 2021.
From November 15, 2021, HTTP validation for Single-domain and Multi-domain certificates will require each SAN to be validated individually.
What will these changes look like for Namecheap SSL customers?
As mentioned earlier, if you already have an issued SSL, you won’t need to do anything. Otherwise, here’s what you need to do for each SSL type:
- Wildcard SSLs: If you have a Wildcard SSL pending Domain validation with the HTTP method, you can complete DCV with this method until November 15, 2021. If you don’t complete HTTP DCV before this date, you’ll need to change the DCV method to Email or DNS to have the SSL issued. You can change the DCV method by following this guide.
- Single-domain SSLs: If your single-domain SSL is still pending HTTP DCV after November 15, you will need to make the validation file available both at the main domain and www subdomain. Before, you only needed to upload the validation file to the main domain.
As an example, if you wanted to validate your single-domain SSL for blog.example.com, the file would need to be available at the following links: http://blog.example.com/.well-known/pki-validation/file.txt and http://www.blog.example.com/.well-known/pki-validation/file.txt.
- Multi-domain SSLs: If your multi-domain certificate is still pending HTTP DCV after November 15, you’ll need to validate each SAN individually.
So, if you were to activate a Multi-domain SSL for example.com, www.example.com, and example.net, then the file should be available at the following URLs:
http://example.com/.well-known/pki-validation/file.txt
http://www.example.com/.well-known/pki-validation/file.txt
http://example.net/.well-known/pki-validation/file.txt
Before the change, you only needed to upload the file to:
http://example.com/.well-known/pki-validation/file.txt and http://example.net/.well-known/pki-validation/file.txt.
- Free SSLs on Shared Hosting: If your domain is using Shared Hosting Nameservers, you don’t need to do anything. The free SSL will still be installed shortly after you add a domain or subdomain to the hosting account. If you wish to use custom nameservers, then you should make sure that both the main domain and its www subdomain are pointed to your hosting account.
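The per-SAN rule above can be checked on your side before you ask the CA to validate. The following Python is an added example, not Namecheap's or any CA's tooling: it lists the URLs the post says must serve the file and reports which ones do not. The function names, the "single"/"multi" labels and the comparison of the served body with your local copy are assumptions of this example.

```python
"""Pre-flight check for per-SAN HTTP DCV. Added example; names are hypothetical."""
import urllib.request

DCV_DIR = "/.well-known/pki-validation/"  # directory used in the post's URLs


def required_urls(cert_type, names, filename):
    """List every URL that must serve the file; cert_type is "single" or "multi"."""
    if cert_type not in ("single", "multi"):
        raise ValueError(f"unknown certificate type: {cert_type!r}")
    if any(n.startswith("*.") for n in names):
        raise ValueError("wildcard names cannot use HTTP DCV; use Email or DNS")
    hosts = [n.lower().rstrip(".") for n in names]
    if cert_type == "single":
        if len(hosts) != 1:
            raise ValueError("a single-domain certificate has exactly one name")
        hosts.append("www." + hosts[0])  # main domain plus its www subdomain
    # Multi-domain: each SAN is validated on its own, so no host is implied.
    unique = list(dict.fromkeys(hosts))  # de-duplicate, keep order
    return [f"http://{h}{DCV_DIR}{filename}" for h in unique]


def http_fetch(url, timeout=10):
    """Real HTTP GET returning (status, body)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read()


def preflight(urls, expected, fetch=http_fetch):
    """Return {url: None if the file is served correctly, else a reason}."""
    report = {}
    for url in urls:
        try:
            status, body = fetch(url)
        except OSError as exc:  # DNS failure, refused connection, HTTP 4xx/5xx
            report[url] = f"unreachable: {exc}"
            continue
        # Body is compared with the local copy (this example's assumption).
        if status != 200:
            report[url] = f"HTTP {status}"
        elif body.strip() != expected.strip():
            report[url] = "content mismatch"
        else:
            report[url] = None
    return report


if __name__ == "__main__":
    print(*required_urls("single", ["blog.example.com"], "file.txt"), sep="\n")
```

Pass the bytes of your local validation file as `expected`; any URL whose entry in the report is not `None` should be fixed before you submit the certificate for validation.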
Wrap up
Hopefully, you now understand the upcoming changes to DCV and how they may affect you. To learn more about DCV in general, check out this knowledgebase article. If you need help with SSL validation or anything else, our support team is always available 24/7/365 to answer any questions or queries you might have.