The Certification Authority Browser Forum (CA/Browser Forum) is moving towards a standard set of clearly defined domain validation methods.
In preparation for these updates, Symantec is changing its domain validation procedures. The changes apply to DV, OV, and EV SSL/TLS certificates and take effect on March 15th, 2017.
Between now and mid-March, Symantec will be updating the FILE, DNS and WHOIS authentication methods available through its APIs. These changes affect all DV SSL/TLS products across all of its brands.
Its EV, OV, and Ready Issuance products will also be subject to domain validation policy changes. In practice, this means Symantec will no longer accept Professional Opinion Letters (POL) or practical demonstrations to approve domain names.
As a CertCenter partner, you will be required to make the following changes:
- Modify your SOAP and REST API integrations. In particular, you will need to amend your DNS and File Authentication workflows.
- Ensure your API updates are ready for production on March 15th, 2017.
As the changes are aimed at supporting industry guidelines and security best practices, it is not possible for us to provide an extension to the dates. Please note that there will be no transition period: starting March 15th, 2017, CertCenter will only support the updated API implementations and domain validation processes. The changes are mandatory, and failure to implement them risks breaking existing API integrations.
CertCenter will be implementing these changes to support the new domain validation procedures in our production environment on March 15th, 2017.
In line with industry guidelines, Symantec is making several updates to the way it authenticates domain validated SSL products via DNS, FILE, and WHOIS:
- The DNS record type changes from CNAME to TXT. In future, you need to create a TXT record instead of a CNAME record to pass validation. The value format also changes slightly, from s<random string>.example.com to just <random string>.
- The file path and extension change from http://<domain>/<random file name>.html to http://<domain>/.well-known/pki-validation/fileauth.txt
- The unique link in the approval email will have increased entropy and a shorter validity period.
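As an added illustration (not CertCenter or Symantec code), here is a pre-flight check a partner could run against an order's domain before submitting it under the new DNS and FILE rules. The token value and the injected resolver/fetcher callables are assumptions; they are stubbed with constructed data so the script runs offline.

```python
import re
from typing import Callable, Iterable, List, Tuple

# New file-authentication location, as given in the notice above.
WELL_KNOWN_PATH = "/.well-known/pki-validation/fileauth.txt"
# Shape of the legacy CNAME target (s<random string>.example.com), per the notice.
LEGACY_CNAME = re.compile(r"^s[A-Za-z0-9]+\.example\.com\.?$")


def check_dns_txt(domain: str, token: str,
                  resolve_txt: Callable[[str], Iterable[str]],
                  resolve_cname: Callable[[str], Iterable[str]]) -> List[str]:
    """Return the problems found (an empty list means the DNS method is ready).

    New rule: a TXT record whose value is exactly <token>.
    Assumption: the record is published at the name being validated; check the
    order details for the exact record name CertCenter returns.
    """
    problems = []
    # Resolvers often return TXT strings wrapped in quotes; normalise before comparing.
    values = {v.strip().strip('"') for v in resolve_txt(domain)}
    if token not in values:
        problems.append(f"no TXT record with value {token!r} at {domain}")
    for target in resolve_cname(domain):
        tag = "legacy" if LEGACY_CNAME.match(target) else "unexpected"
        # DNS forbids other records at a name that holds a CNAME, so a leftover
        # CNAME both fails the new check and blocks publishing the TXT record.
        problems.append(f"{tag} CNAME {target} at {domain}; remove it, CNAME no longer validates")
    return problems


def check_file_auth(domain: str, token: str,
                    fetch: Callable[[str], Tuple[int, str]]) -> List[str]:
    """New rule: http://<domain>/.well-known/pki-validation/fileauth.txt must
    answer HTTP 200 with the token as its entire body (surrounding whitespace is
    tolerated; an HTML wrapper around the token is not)."""
    url = f"http://{domain}{WELL_KNOWN_PATH}"
    status, body = fetch(url)
    if status != 200:
        return [f"{url} returned HTTP {status}"]
    if body.strip() != token:
        return [f"{url} body is not exactly the token"]
    return []


if __name__ == "__main__":
    # Constructed stubs standing in for a real DNS resolver and HTTP client.
    token = "a1b2c3d4"
    print(check_dns_txt("example.com", token, lambda n: ['"a1b2c3d4"'], lambda n: []))
    print(check_file_auth("example.com", token, lambda u: (200, "a1b2c3d4\n")))
```

In production, replace the stubs with a real TXT/CNAME lookup and an HTTP GET, and run the check before calling the validation endpoint so a failed order can be traced to a missing or legacy artifact.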
EV, OV, and Ready Issuance products
Today, Symantec uses the following domain validation options when the standard methods have not sufficed:
- Professional Opinion Letters (POL)
- Practical demonstration
As of March 1st, 2017, Symantec will no longer support these authentication methods.
To offset the above changes and to improve efficiency in the EV, OV, and Ready Issuance domain authentication process, Symantec is implementing an online domain authorization workflow similar to that of DV, whereby a domain contact (e.g. a WHOIS contact) follows a link to authorize the domain name's use in the SSL/TLS certificate in question.
Orders enrolled before March 15th for which one of the above methods was used, and which are still pending issuance, will have to follow an alternative process to authenticate their domain name. Any domains included in Ready Issuance orders that were fulfilled using the above domain authentication methods will be invalidated on or after March 15th, 2017.
We will update our documentation accordingly within the next few days.