File Based Validation for Wildcard SSL certificate is going to obsolete for domain control validation process from Nov. 15, 2021.
From starting of November 2021, you will have two options of DNS/CNAME and email validation to confirm domain control verification for wildcard SSL certificate.
The CA/Browser forum has released Ballot SC 45, also named as Wildcard Domain Validation ballot. The ballot was passed by 22 certificate issuers and five consumer groups. The ballot states about the process involved in wildcard domain and subdomains’ validation. It also states that from starting Nov. 2021, the certificate authority cannot consider file based validation method to issue a wildcard SSL certificate. The authority only can consider CNAME/DNS and email validation process to confirm domain control rights.
Why the Change came into Force?
The CA/Browser rolled out the change in order to strengthen wildcard domain validation process. File based validation method only verifies main domain in a wildcard certificate, but it does not guarantee of included subdomains under hierarchy of a main domain. It does not show that an SSL requester has control over domain’s entire namespace. For example, the file based validation is done on domain.com but it does not cover blog.domain.com, mail.domain.com, and other subdomains fall under main domain. A cybercriminal can control of them and maliciously validate subdomains.
It means if you purchase a wildcard then, an authority can use DNS or email validation. If you have an individual FQDN and other SAN domains then, you need to individually validate each FQDN or SAN domain under file based validation method.
What Ballot SC 45 Says?
There were methods used like 3.2.2.4.6, 3.2.2.4.18, and 3.2.2.4.19 of the baseline requirement to validate entire domain namespace. From Dec. 1, 2021, these methods will be ineffective. These methods were used to authenticate specific host and service. The CA/Browser forum baseline in Ballot SC 45 is says:
Starting Dec. 1, 2021, Certificate authorities need to individually validate “other FQDNs that end with all the labels of the validated FQDN” with separate DCV method before issuing a certificate. After the effective date, wildcard domain names cannot be validated using file based validation method.
DigiCert and Sectigo Will Roll Out Changes Before Time
DigiCert and Sectigo authorities, however, will start to roll out changes prior to the deadline date. It will make them understand that the process will run smoothly and there are no unexpected issues at the last moment. Both CAs will start to implement new change on Nov. 15, 2021.
It means the certificate issued before Nov. 15, 2021, will still work with the same Domain control validation methods. The certificate issued on or after Nov. 15, 2021, will have no file-based validation method for wildcard certificates; for a non-wildcard certificate, a customer will have to validate individual SAN domains/FQDNS while using the file validation method.
We can understand an exact scenario with the below example.
| Certificate & Domain Coverage | Validation Before Nov. 15, 2021 | Validation After Nov. 15, 2021 |
| A wildcard certificate for *.domain.com | The CA can validate the domain with all three validation methods (email, file based, CNAME). | File based validation method will not be applicable. Only CNAME/DNS and email validation methods will be applicable. |
| A certificate with SAN issue for domain.com and mail.domain.com | The CA can validate the domain with all three validation methods (email, file based, CNAME). | The CA can use either DNS or email validation OR complete file based validation method for individual SAN domain. |
What Customers Should Do Now?
If you have purchased a wildcard or multi domain wildcard SSL certificate from reseller, you can use DNS (CNAME) validation or email validation for wildcard SSL certificate validation process.
