HTTP Domain Validation Method Policy Changes

Overview

HTTP Domain Validation Method Prohibited for issuance of wildcard and subdomain SANs

  • Per industry requirements, effective November 30th (Atlas customers) and November 28th (GCC Customers), GlobalSign will prohibit issuing wildcard or subdomain SAN certificates when the domain is validated via the HTTP Domain validation method.
    • Examples:
      • Prohibits issuance of *.example.com when example.com is validated via the HTTP Domain validation method.
      • Prohibits issuance of www.example.com when example.com is validated via the HTTP Domain validation method.
  • The HTTP Domain validation method may be used to validate the exact SAN.
    • Examples:
      • If you validate www.example.com with the HTTP domain validation method, then you can include www.example.com in the SAN of the certificate.
      • If you validate example.com with the HTTP domain validation method, then you can include example.com in the SAN of the certificate.
  • This policy applies to all publicly trusted TLS/SSL Certificates as well as GlobalSign's IntranetSSL product. 
  • Related Support Article: https://support.globalsign.com/ssl/ssl-certificates-life-cycle/upcoming-tls-domain-validation-changes-fall-2021

Impact

  • Once this policy change is effective, you will no longer be able to use domains previously validated via HTTP for issuing wildcard or subdomain SANs.
  • Note: Previously issued TLS/SSL certificates are not impacted unless they are reissued (including adding/removing SANs) and/or renewed.

Recommendations

Managed SSL (MSSL) Customers

Impact

Effective November 28th, you will no longer be able to use pre-vetted MSSL domains validated via HTTP for issuing wildcard or subdomain SANs. When submitting a new domain for MSSL pre-vetting, use the Email or DNS domain validation method, which will allow you to order wildcard or subdomain SAN certificates after the domain has been validated.

If you attempt to issue a Certificate with SANs/Wildcard for a Domain that was previously validated using the HTTP method, you will be prompted to revalidate your domain.

Before November 28, 2021

  • Delete and re-add impacted domains (domains pre-vetted via HTTP) and use the Email or DNS domain validation method to avoid issuance disruptions in the future.
  • Or, if the Domain is expiring, click Renew and use a validation method other than HTTP.

Starting November 28, 2021

  1. On the MSSL Dashboard, click "Find & Report on Domains".
  2. In the Domain List, view the column "Approved for issuing Wildcards & subdomains".
  3. For each domain labeled "No", click on the Domain and choose the "Re-validate" option.
  4. Alternatively, renew the domain if it's up for renewal, or remove/add Domains as needed.


Retail and Partners

Impact

Effective November 28th, you will no longer be able to use domains previously validated via HTTP for issuing wildcard or subdomain SANs.

Wildcard or SAN Certificates previously validated using HTTP Method:

  • Partner & Retail DV TLS - When attempting to reissue/add-delete SANs, the order will fail. Please open a support ticket for a replacement certificate: https://support.globalsign.com/customer/portal/emails/new
  • Partner & Retail OV / EV TLS - When attempting to reissue/add-delete SANs, you will need to re-validate the domains using the Domain Validation Page.

Atlas TLS (or API Issuance)

Impact

Effective November 30th (for Atlas customers), GlobalSign will prohibit issuing wildcard or subdomain SAN certificates when the domain is validated via the HTTP Domain validation method.

  • Examples:
    • Prohibits issuance of *.example.com when example.com is validated via the HTTP Domain validation method.
    • Prohibits issuance of www.example.com when example.com is validated via the HTTP Domain validation method.
  • The HTTP Domain validation method may be used to validate the exact SAN.
    • Examples:
      • If you validate www.example.com with the HTTP domain validation method, then you can include www.example.com in the SAN of the certificate.
      • If you validate example.com with the HTTP domain validation method, then you can include example.com in the SAN of the certificate.
  • This policy applies to all publicly trusted TLS/SSL Certificates as well as GlobalSign's IntranetSSL products.
  • If you need to change the validation method from HTTP to something else, you may use the Reassert option. For more information, please see the GlobalSign Atlas API Guide.
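For automated issuance, the rule above can be checked before an order is submitted. The following is an added example, not GlobalSign code or part of the Atlas API: it takes a constructed inventory of validated domains and their methods and reports which requested SANs would be refused. The function names, the inventory format, and the treatment of multi-level subdomains as covered by a DNS- or Email-validated parent are assumptions.

```python
# Added example; the inventory format and function names are assumptions,
# not a GlobalSign API.
WIDE_METHODS = {"dns", "email"}  # per the article: cover wildcard/subdomain SANs


def normalize(name):
    """Lower-case and drop a trailing dot so names compare consistently."""
    return name.strip().lower().rstrip(".")


def san_allowed(san, validated):
    """Return (allowed, reason); validated maps domain -> "http"/"dns"/"email"."""
    san = normalize(san)
    wildcard = san.startswith("*.")
    base = san[2:] if wildcard else san
    # An exact (non-wildcard) name is covered by any method, HTTP included.
    if not wildcard and base in validated:
        return True, f"exact name validated via {validated[base]}"
    # Otherwise find a validated parent: example.com for *.example.com;
    # b.example.com, then example.com, for a.b.example.com.
    labels = base.split(".")
    http_only = None
    for i in range(0 if wildcard else 1, len(labels) - 1):
        parent = ".".join(labels[i:])
        method = validated.get(parent)
        if method in WIDE_METHODS:
            return True, f"covered by {parent} validated via {method}"
        if method == "http" and http_only is None:
            http_only = parent
    if http_only:
        return False, f"{http_only} validated via http only; revalidate via dns or email"
    return False, "no validated domain covers this name"


def check_order(sans, validated):
    """Return {san: reason} for every requested SAN that would be refused."""
    validated = {normalize(d): m.lower() for d, m in validated.items()}
    rejected = {}
    for san in sans:
        ok, reason = san_allowed(san, validated)
        if not ok:
            rejected[san] = reason
    return rejected


# Constructed sample inventory and order.
SAMPLE_VALIDATED = {"example.com": "http", "www.example.com": "http", "example.org": "dns"}
SAMPLE_ORDER = ["example.com", "www.example.com", "*.example.com",
                "api.example.com", "*.example.org", "shop.example.org"]
```

Calling check_order(SAMPLE_ORDER, SAMPLE_VALIDATED) flags *.example.com and api.example.com, the two names that rely on the HTTP-validated example.com.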
