Menu

HTTP Domain Validation Method Policy Changes

Dec 11, 2025

HTTP Domain Validation Method Policy Changes

HTTP Domain Validation Method Prohibited for issuance of wildcard and subdomain SANs

  • Per Industry requirements, effective November 30, 2021 (Atlas customers) & November 28, 2021 (GCC Customers), GlobalSign will prohibit issuing wildcard or subdomain SAN certificates when the domain is validated via the HTTP Domain validation method.

    • Examples:

      • Prohibits issuance of *.example.com when example.com is validated via the HTTP Domain validation method.

      • Prohibits issuance of www.example.com when example.com is validated via the HTTP Domain validation method.

  • The HTTP Domain validation method may be used to validate the exact SAN.

    • Examples:

      • If you validate www.example.com with the HTTP domain validation method, then you can include www.example.com that in the SAN of the certificate.

      • If you validate example.com with HTTP domain validation method, then you can include example.com in the SAN of the certificate.

  • This policy applies to all publicly trusted TLS/SSL Certificates as well as GlobalSign's IntranetSSL product. 

  • Please refer to this article for more information.

Impact

  • Once this policy change is effective, you will no longer be able to use prior domains validated via HTTP for issuing wildcard or subdomain SANs
    Note: Previously issued TLS/SSL certificates are not impacted unless they are reissued (including adding/removing SANs) and/or renewed.

Recommendations

Managed SSL (MSSL) Customers

Impact

Effective November 28, 2021– you will no longer be able to use pre-vetted MSSL domains validated via HTTP for issuing wildcard or subdomain SANs. When submitting a new domain for MSSL pre-vetting, use the Email or DNS domain validation method which will allow you to order wildcard or subdomain SAN certificates after the domain has been validated.

If you attempt to issue a Certificate with SANs/ Wildcard for a Domain that was previously validated using the HTTP method – you will be prompted to revalidate your domain:

Before November 28, 2021

  • Delete and re- add impacted domains (domains pre-vetted via HTTP) and use the Email or DNS domain validation method to avoid issuance disruptions in the future.

  • Or if the Domain is expiring, click Renew and use a different validation method other than HTTP.

Starting November 28, 2021

  1. On the MSSL Dashboard click Find & Report on Domains.

  2. From the Domain List, view the Column Approved for issuing Wildcards & subdomains

  3. Domains listed labeled "No", click on the Domain and choose the "Re-validate" option. 

  4. Alternatively, renew the domain if it's up for renewal. Or remove/ add Domains as needed.

    image1.png

Retail and Partners

Impact

Effective November 28, 2021- you will no longer be able to use prior domains validated via HTTP for issuing wildcard or subdomain SANs. 

  • Once your order has been placed, you can visit the Domain Validation Page link provided in your order for details on domain validation and how to re-validate the domains using another method.

  • As you begin to renew domains, we encourage you to use a different method than HTTP.
  • Please view this support article for assistance.

Wildcard or SAN Certificates previously validated using HTTP Method:

  • Partner & Retail DV TLS - When attempting to reissue/add-delete SANs, the order will fail. Please open a support ticket for a replacement certificate: https://support.globalsign.com/customer/portal/emails/new
  • Partner & Retail OV / EV TLS - When attempting to reissue/add-delete SANs, you will need to re-validate the domains using the Domain Validation Page.

Atlas TLS (or API Issuance)

Impact

Effective November 30, 2021 (for Atlas customers), GlobalSign will prohibit issuing wildcard or subdomain SAN certificates when the domain is validated via the HTTP Domain validation method.

  • Examples:

    • Prohibits issuance of *.example.com when example.com is validated via the HTTP Domain validation method.

    • Prohibits issuance of www.example.com when example.com is validated via the HTTP Domain validation method.

  • The HTTP Domain validation method may be used to validate the exact SAN.

    • Examples:

      • If you validate www.example.com with the HTTP domain validation method, then you can include www.example.com that in the SAN of the certificate.

      • If you validate example.com with HTTP domain validation method, then you can include example.com in the SAN of the certificate.

  • This policy applies to all publicly trusted TLS/SSL Certificates as well as the GlobalSign's IntranetSSL products.

  • If you need to change the validation method from HTTP to something else, you may use the Reassert option.  For more information please see the GlobalSign Atlas API Guide.

Related Articles

DomainSSL Overview

Feb 28, 2020, 7:27 AM

Read More

OrganizationSSL Overview

Mar 2, 2020, 7:38 AM

Read More

Enhanced Certificate Details Overview

Aug 26, 2013, 12:35 PM

This section of the application is one of the most critical parts, as incorrectly entered details will require the application to be re-submitted and possibly re-signed by the certificate requestor if inaccuracies are discovered at a later stage.

Read More

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support