CertCenter Developer Hub


URGENT: Domain Validation Changes that Impact Partners

The Certification Authority Browser Forum (CA/Browser Forum) is moving towards a standard set of clearly defined domain validation processes.

In preparation for these updates, Symantec is making changes to its domain validation procedures. The changes apply to DV, OV, and EV SSL/TLS certificates and take effect on March 15th, 2017.

Between now and the middle of March, Symantec will be updating the FILE, DNS and WHOIS authentication methods available throughout their APIs. These changes will impact all DV SSL/TLS products across all their brands.

Their EV, OV, and Ready Issuance products will also be subject to domain validation policy changes. In practice, this will mean that Symantec will no longer be supporting Professional Opinion Letters (POL) and practical demonstrations to approve domain names.

As a CertCenter partner, you will be required to make the following changes:

  • Modify your SOAP and REST APIs. In particular, you will need to amend your DNS and File Authentication workflows.
  • Ensure your API updates are ready for production on March 15th, 2017.

As the changes are aimed at supporting industry guidelines and security best practices, it is not possible for us to extend the dates. Please note that there will be no transition period: starting March 15th, 2017, CertCenter will only support the updated API implementations and domain validation processes. The changes are mandatory, and failure to implement them risks breaking existing API integrations.

Timeline of changes

CertCenter will implement these changes in our production environment on March 15th, 2017, to support the new domain validation procedures.

What is changing?

Updates to DNS, File and WHOIS Authentication Methods

In line with industry guidelines, Symantec is making several updates to the way domain-validated SSL products are authenticated via DNS, FILE, and WHOIS.

DNS Authentication

  • The DNS record type changes from CNAME to TXT. Going forward, you need to create a TXT record instead of a CNAME record for the validation to succeed. The value format also changes slightly: from s<random string>.example.com to just <random string>.

FILE Authentication

  • The file path and extension are changing from http://<domain>/<random file name>.html to http://<domain>/.well-known/pki-validation/fileauth.txt
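The DNS and FILE changes above boil down to three checks a partner can run before submitting an order: the TXT value must equal the bare token (a leftover s<token>.example.com CNAME target no longer counts), the file must sit at the fixed well-known path on the exact hostname being validated, and the file body must be the token. The following is an added example, not CertCenter's or Symantec's code; it assumes the token is the random string the order API hands back and that fileauth.txt must contain exactly that token.

```python
"""Pre-flight checks for the updated DNS (TXT) and FILE (/.well-known/)
domain validation methods. Added example, not CertCenter's own code.
Assumption: `token` is the random string returned by the order API."""
import re
from typing import Iterable
from urllib.parse import urlsplit

FILEAUTH_PATH = "/.well-known/pki-validation/fileauth.txt"


def _norm_host(domain: str) -> str:
    return domain.strip().rstrip(".").lower()


def fileauth_url(domain: str) -> str:
    """URL the CA fetches under the new FILE method: plain HTTP on the
    validated hostname and a fixed path, replacing http://<domain>/<random>.html."""
    return f"http://{_norm_host(domain)}{FILEAUTH_PATH}"


def is_fileauth_url(url: str, domain: str) -> bool:
    """True only for the new-style location: exact host (no www./redirect
    host) and the well-known path, so a legacy /<random>.html URL fails."""
    parts = urlsplit(url)
    return (parts.scheme == "http"
            and (parts.hostname or "").lower() == _norm_host(domain)
            and parts.path == FILEAUTH_PATH)


def txt_record_matches(rdata_strings: Iterable[str], token: str) -> bool:
    """Resolvers return each TXT record as one or more quoted character
    strings ('"abc" "123"' is one logical value); unquote and join them,
    then require an exact match against the bare token. The old
    s<token>.example.com wrapping is deliberately not accepted."""
    for raw in rdata_strings:
        quoted = re.findall(r'"([^"]*)"', raw)
        value = "".join(quoted) if quoted else raw.strip()
        if value == token:
            return True
    return False


def fileauth_body_matches(body: bytes, token: str) -> bool:
    """The file body must be exactly the token (assumption, see above).
    Tolerate only a UTF-8 BOM and surrounding whitespace/newlines that
    editors add; an HTML wrapper or extra text is a failure."""
    return body.decode("utf-8-sig", errors="replace").strip() == token
```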

mod_fauth changes

We've already adopted these changes in the Apache module (mod_fauth). If you're using mod_fauth, please update to the most current version. You can update right away, as mod_fauth now supports both versions of Symantec's FILE authentication.

WHOIS Authentication

  • The unique link within the approval email will have increased entropy and a reduced validity time.

Which domain authentication policies are changing?

EV, OV, and ReadyIssuance products

Today Symantec makes use of the following domain validation options when the standard methods have not sufficed:

  • Professional Opinion Letters (POL)
  • Practical demonstration

As of March 1st, 2017, Symantec will no longer support these authentication methods.
To offset the above changes and to improve efficiency in the EV, OV, and Ready Issuance domain authentication process, Symantec is implementing an online domain authorization workflow similar to that of DV, whereby a domain contact (e.g. a WHOIS contact) follows a link to authorize a domain name's use in the SSL/TLS certificate in question.

Orders enrolled before March 15th that used one of the above methods and are still pending issuance will have to follow an alternative process to authenticate their domain name. Any domains included in Ready Issuance orders that were fulfilled using the above domain authentication methods will be invalidated on or after March 15th, 2017.

We'll update our documentation accordingly within the next few days.

Changelog

  • improved: DNS pointer type becomes TXT (previously CNAME)
  • improved: FILE authentication path changes from /random-path.html to /.well-known/pki-validation/fileauth.txt
  • improved: CAs to discontinue POL and Practical Demonstration