HTTP Domain Validation Method Policy Changes
Feb 19, 2024
Overview
HTTP Domain Validation Method Prohibited for issuance of wildcard and subdomain SANs
- Per industry requirements, effective November 30th (Atlas customers) and November 28th (GCC customers), GlobalSign will prohibit issuing wildcard or subdomain SAN certificates when the domain is validated via the HTTP Domain validation method.
  - Examples:
    - Prohibits issuance of *.example.com when example.com is validated via the HTTP Domain validation method.
    - Prohibits issuance of www.example.com when example.com is validated via the HTTP Domain validation method.
- The HTTP Domain validation method may be used to validate the exact SAN.
  - Examples:
    - If you validate www.example.com with the HTTP domain validation method, then you can include www.example.com in the SAN of the certificate.
    - If you validate example.com with the HTTP domain validation method, then you can include example.com in the SAN of the certificate.
- This policy applies to all publicly trusted TLS/SSL Certificates as well as GlobalSign's IntranetSSL product.
- Related Support Article: https://support.globalsign.com/ssl/ssl-certificates-life-cycle/upcoming-tls-domain-validation-changes-fall-2021
Impact
- Once this policy change is effective, you will no longer be able to use domains previously validated via HTTP for issuing wildcard or subdomain SANs.
- Note: Previously issued TLS/SSL certificates are not impacted unless they are reissued (including adding/removing SANs) and/or renewed.
Recommendations
- Use an alternative domain validation method for wildcard certificates, instead of the HTTP Method.
- If you want to continue to use the HTTP method, make process changes to validate each individual subdomain (including the free "non-www" SAN option).
- See additional guidance by product type below
Managed SSL (MSSL) Customers
Impact
Effective November 28th, you will no longer be able to use pre-vetted MSSL domains validated via HTTP for issuing wildcard or subdomain SANs. When submitting a new domain for MSSL pre-vetting, use the Email or DNS domain validation method, which will allow you to order wildcard or subdomain SAN certificates after the domain has been validated.
If you attempt to issue a certificate with SANs or a wildcard for a domain that was previously validated using the HTTP method, you will be prompted to revalidate your domain.
Before November 28, 2021
- Delete and re-add impacted domains (domains pre-vetted via HTTP) and use the Email or DNS domain validation method to avoid issuance disruptions in the future.
- Or, if the domain is expiring, click Renew and use a validation method other than HTTP.
Starting November 28, 2021
- On the MSSL Dashboard, click "Find & Report on Domains".
- From the Domain List, view the column "Approved for issuing Wildcards & subdomains".
- For domains labeled "No", click on the domain and choose the "Re-validate" option.
- Alternatively, renew the domain if it's up for renewal, or remove/add domains as needed.
Retail and Partners
Impact
Effective November 28th, you will no longer be able to use domains previously validated via HTTP for issuing wildcard or subdomain SANs.
Wildcard or SAN Certificates previously validated using HTTP Method:
- Partner & Retail DV TLS - When attempting to reissue/add-delete SANs, the order will fail. Please open a support ticket for a replacement certificate: https://support.globalsign.com/customer/portal/emails/new
- Partner & Retail OV / EV TLS - When attempting to reissue/add-delete SANs, you will need to re-validate the domains using the Domain Validation Page.
Atlas TLS (or API Issuance)
Impact
Effective November 30th (for Atlas customers), GlobalSign will prohibit issuing wildcard or subdomain SAN certificates when the domain is validated via the HTTP Domain validation method.
  - Examples:
    - Prohibits issuance of *.example.com when example.com is validated via the HTTP Domain validation method.
    - Prohibits issuance of www.example.com when example.com is validated via the HTTP Domain validation method.
- The HTTP Domain validation method may be used to validate the exact SAN.
  - Examples:
    - If you validate www.example.com with the HTTP domain validation method, then you can include www.example.com in the SAN of the certificate.
    - If you validate example.com with the HTTP domain validation method, then you can include example.com in the SAN of the certificate.
- This policy applies to all publicly trusted TLS/SSL Certificates as well as GlobalSign's IntranetSSL products.
- If you need to change the validation method from HTTP to something else, you may use the Reassert option. For more information, please see the GlobalSign Atlas API Guide.
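
A pre-order check for the rule described above, as an added example (not GlobalSign code and not part of the Atlas API): it takes the SANs you plan to request and your validated-domain records, and reports which SANs would need a non-HTTP or exact-name validation first. The record format, the method labels ("http", "dns", "email") and all function names are assumptions made for illustration.

```python
# Added example: check requested SANs against validated-domain records.
# Record format and method labels are assumptions, not GlobalSign API fields.

# Methods the article says permit wildcard and subdomain SANs.
BROAD_METHODS = {"dns", "email"}

def normalize(name):
    """Lowercase and drop a trailing dot so comparisons are consistent."""
    return name.strip().lower().rstrip(".")

def covering_validation(san, validations):
    """Return (domain, method) of a validation that permits this SAN, else None.

    validations maps a validated domain to the method used. HTTP (and, as a
    conservative assumption, any unrecognized method) covers only the exact
    name; DNS and email also cover wildcards and subdomains of the domain.
    """
    san = normalize(san)
    is_wildcard = san.startswith("*.")
    base = san[2:] if is_wildcard else san
    for domain, method in validations.items():
        domain, method = normalize(domain), method.lower()
        if method in BROAD_METHODS:
            # Require a label boundary so "notexample.org" never matches.
            if base == domain or base.endswith("." + domain):
                return domain, method
        elif not is_wildcard and san == domain:
            return domain, method
    return None

def check_order(sans, validations):
    """Split requested SANs into (allowed, blocked) lists, preserving order."""
    allowed, blocked = [], []
    for san in sans:
        target = allowed if covering_validation(san, validations) else blocked
        target.append(san)
    return allowed, blocked

# Constructed sample data for the demonstration.
VALIDATIONS = {"example.com": "http", "www.example.com": "http",
               "example.org": "dns"}
REQUESTED = ["example.com", "www.example.com", "api.example.com",
             "*.example.com", "*.example.org", "shop.example.org"]

if __name__ == "__main__":
    ok, needs_validation = check_order(REQUESTED, VALIDATIONS)
    print("allowed:", ok)
    print("validate exactly or with a non-HTTP method:", needs_validation)
```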