Feb 15, 2024

Upcoming TLS Domain Validation Changes – Fall 2021

Over the second half of 2021, two changes in domain validation policy will take effect, which may impact how you validate domains when issuing publicly trusted TLS Certificates. These policy changes apply to all new certificate requests, renewals, re-issues and pre-validated domains. These changes will have NO IMPACT on TLS/SSL Certificates that have already been issued.

Domain revalidation will be required every 397 days instead of every 825 days

Over the past several years, there has been a concerted effort on the part of the CA/Browser Forum and various Root Programs to reduce the maximum validity of publicly-trusted Certificates. The most recent reduction came last year when TLS Certificates were limited to just 397 days of validity.

This is good for security, information becomes less reliable the further it gets from its validation date. Additionally, longer certificate lifespans limit crypto-agility and make it harder to roll out changes and updates. Plus, it encourages automating certificate lifecycle management, which eliminates the burdens historically associated with shorter validity and more certificate rotation.

However, the most recent reduction to max validity only reduced the lifespan of the Certificate itself, CAs and customers were still allowed to re-use validation information for 825 days. In September, the maximum time a domain validation lasts for will be 397 days, aligning with the maximum validity of Certificates. In many ways, this is just part two of last year's change.

GlobalSign will implement the changes on September 27, 2021.

What you need to do:

Managed SSL (MSSL):

• Perform domain validation more frequently
  
  Domain validation will expire every 397 days and disrupt certificate requests, renewals, and reissues if the domains are not re-validated, so please keep track of your expiration dates and renew them ahead of time.
• Review your MSSL pre-validated domains now
  
  Any domains validated prior to (397 days prior to 30 Sept 2021) have had their expiration dates been set to September 30, so you should monitor that in your MSSL account and be sure to renew them well in advance.

Retail and Partners:

• Starting September 27th as part of order fulfillment, you will need to re-validate domains that were validated more than 397 days ago. Any orders that were placed prior to this date but not yet issued will need to have their domains validated in accordance with the new rules.

Issuance of wildcard and subdomain SANs will be prohibited for domains validated via the HTTP method

Starting in November, issuance of wildcard SANs or subdomains of domains validated using the HTTP domain validation method will be prohibited for wildcard Certificates. Additionally, when that DV method is used for non-wildcard Certificates, domain validation will be required for every individual SAN/fully qualified domain name (FQDN).

GlobalSign will implement the changes on November 29, 2021.

What you need to do:

Managed SSL (MSSL):

• In your MSSL account you will see an indication of which domains used the HTTP method and those will no longer be useable for issuance of wildcard or subdomains moving forward.  In preparation for the change, we suggest you take one of the following actions:
  • Re-validate the domains with a method other than HTTP.
  • If you want to continue to use the HTTP method, you now must validate each individual subdomain. 
    Note: You cannot continue using this method to issue Wildcard Certificates.

Retail and Partners:

• Once released in November, you will no longer be able to use prior domains validated via HTTP for wildcard or subdomains.  Once your order has been placed, you can visit the Domain Validation Page link provided in your order for details on domain validation and how to take applicable actions to validate the domains.

For more information on these upcoming changes, please view this blog post.