System status | SwissSign

24.05.2018

Changes to Domain Validation Methods

Dear customers and partners,


We would like to draw your attention to upcoming changes to domain validation methods. On February 2, 2018, the CA/Browser Forum decided with Ballot 218 that from August 1, 2018, domain validation may no longer be performed using WHOIS registry validation. For all SSL certificates issued on or after August 1, 2018, a technical domain validation method must be used. For this reason, all Managed PKI customers must revalidate domains already registered with SwissSign by this date.


In order to meet the requirements of the CA/Browser Forum, SwissSign will activate an automatic domain validation for all SSL certificate requests as of June 30, 2018. To verify your access to the domain, a random value generated by our system (referred to below as <random value>) must be inserted in one of the following locations on your domain: 
 

TXT Check*
Into a text file with the following path: 
<domain>/.well-known/pki-validation/swisssign-check.txt  
The content of the text file must be formatted as follows:
<random value>

 

DNS entry
Into a TXT entry of the domain DNS zone: 
The content must be formatted as follows:
"swisssign-check=<random value>"

  

* Please note that no redirects are allowed for these methods.

 

The angle brackets <> at <random value> are for illustrative purposes only and must be omitted.
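A pre-flight check a customer could run before validation is triggered, as an added example that is not SwissSign's own code. It covers the two placements and the two failure modes called out above: a redirect on the file path and angle brackets left around the value. Assumptions: the file is fetched over plain HTTP, surrounding whitespace is ignored when comparing, the TXT strings are supplied by the caller (for instance from a resolver query), and the token `3f9c1e7a` is a constructed sample.

```python
import urllib.error
import urllib.request

WELL_KNOWN_PATH = "/.well-known/pki-validation/swisssign-check.txt"  # from the notice
TXT_PREFIX = "swisssign-check="                                      # from the notice

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # urllib then raises HTTPError on 3xx instead of following it

def fetch_check_file(domain, scheme="http", timeout=10):
    """Fetch the check file without following redirects; returns (status, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    url = f"{scheme}://{domain}{WELL_KNOWN_PATH}"  # scheme is an assumption
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def _compare(found, token):
    if found == token:
        return "ok"
    if found.strip("<>") == token:
        return "fail: angle brackets left in value"
    return "fail: value mismatch"

def check_file(status, body, token):
    """Evaluate an HTTP result for the well-known file against the expected token."""
    if 300 <= status < 400:
        return "fail: redirect"
    if status != 200:
        return f"fail: HTTP {status}"
    return _compare(body.strip(), token)  # whitespace tolerance is an assumption

def check_txt(records, token):
    """Evaluate the domain's TXT strings; passes if any record carries the token."""
    outcome = "fail: no swisssign-check TXT record"
    for rec in records:
        value = rec.strip().strip('"')  # resolvers often print TXT data quoted
        if value.startswith(TXT_PREFIX):
            outcome = _compare(value[len(TXT_PREFIX):], token)
            if outcome == "ok":
                break
    return outcome

if __name__ == "__main__":
    token = "3f9c1e7a"  # constructed sample value, not a real token
    print(check_file(200, token + "\n", token))
    print(check_txt(['"swisssign-check=<3f9c1e7a>"'], token))
```

For a live check, pass the result of `fetch_check_file("<domain>")` to `check_file` together with the random value exported from the Managed PKI tool.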

To offset the above changes and improve the domain validation process, we have improved the Managed PKI domain validation tool so that MPKI customers can see all unlocked domains and their validation statuses at a glance. These changes will be implemented with release 4.12 (May 26, 2018).

As part of the automatic procedure mentioned above, the system will be checking for 30 days whether the random value has been inserted at one of the three locations. As soon as one of these validations is successful, the domain will automatically be added to the list of domains permitted for certificates of your Managed PKI. For domains that have not yet been validated, the validation can be triggered by the customer directly. SwissSign will initiate validation for all pending domains in June 2018. Customers can then export and insert the generated random values via CSV file. 

 

For you as a SwissSign MPKI customer the following changes apply:

 

First-time validation

Both new and already registered domains must be validated using one of the methods described above. Already registered domains must be validated by 30 July 2018. Domains that have not been validated with one of the methods described above by July 31, 2018, will be removed by SwissSign from the corresponding MPKI setup on August 1, 2018. Customers using S/MIME certificates only are excluded from this regulation.

 

Revalidation

Please note that automatic revalidation is required every 13 months for EV SSL certificates and every 24 months for domain and organisation certificates.

 

For further information on the CA/Browser Forum Ballot 218, please click here.

Should you have any further questions, please do not hesitate to contact us by e-mail at [email protected].

  
Kind regards
Your SwissSign Team