From August 19th 2020, SECTIGO issues SSL certificates with a maximum lifetime of 398 days (13 months) as specified by the CA/Browser consortium. SSL certificates with a longer lifetime must be re-issued annually (free of charge). You'll receive reminders via e-mail. SSL certificates issued before August 19th 2020 remain valid until their planned expiry date. Code Signing & S/MIME certificates are not affected and remain valid until their planned expiry date.
To improve the security and reliability of certificate issuance, the CA/Browser Forum made changes to the standard File and DNS-based Domain Validation (DV) procedures. Ballot 169 – Revised Validation Requirements was unanimously approved; it requires CAs to adopt these new DV practices to stay in compliance.

Symantec recently announced these changes with an extremely aggressive timetable.

Symantec/GeoTrust/Thawte/RapidSSL - The following changes apply to all DV SSL Certificates and Encryption Everywhere Certificates:

File-based Authentication – this option lets you verify domain control by uploading a file, supplied by the CA, to a specific directory on the server.

1. Record Type changed from .HTML to .TXT

2. Random String Value doubled from 32 to 64 characters

3. File URL Path changed from <http:// or https://><root.tld>/<random file name>.html to <http:// or https://><root.tld>/.well-known/pki-validation/fileauth.txt

4. File Auth Time Stamp changed from “Time of order submission +/- 24 hours” to “Order date minus 7 days”

5. Shared Key Generation Process changed from “HMAC with SHA1” to “HMAC with SHA2”

6. Order, Reissue, and Revoke APIs changed from code “returned in response” to “removed from response”
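
A pre-flight check for the file-based method, added here as an example (not code from Symantec or any CA): it requests the new fileauth.txt path and compares the served content with the CA-supplied value. The function names, the constructed 64-character sample value and the local test server are assumptions for illustration; the notice does not describe the file's exact formatting, so surrounding whitespace is ignored.

```python
import functools, http.server, pathlib, tempfile, threading
import urllib.error, urllib.request

FILEAUTH_PATH = "/.well-known/pki-validation/fileauth.txt"  # new path from the notice
TOKEN_LEN = 64                                              # new random string length

def check_file_auth(base_url, token):
    """Return a list of problems; an empty list means the file is served as required."""
    problems = []
    if len(token) != TOKEN_LEN:
        problems.append(f"token has {len(token)} characters, expected {TOKEN_LEN}")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # direct, no proxy
    try:
        with opener.open(base_url.rstrip("/") + FILEAUTH_PATH, timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # 404, or 403 where dot-directories are blocked
        return problems + [f"HTTP {exc.code} for {FILEAUTH_PATH}"]
    except urllib.error.URLError as exc:
        return problems + [f"cannot reach server: {exc.reason}"]
    if body.strip() != token:
        problems.append("file content does not match the CA-supplied value")
    return problems

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging in the demo
        pass

def demo():
    """Serve a constructed docroot on localhost; check it before and after the move."""
    token = "A1b2C3d4" * 8  # constructed sample value, not a real CA token
    with tempfile.TemporaryDirectory() as root:
        pathlib.Path(root, "oldname.html").write_text(token)  # old-style location only
        handler = functools.partial(QuietHandler, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_address[1]}"
        try:
            before = check_file_auth(base, token)   # file still at the old location
            target = pathlib.Path(root, FILEAUTH_PATH.lstrip("/"))
            target.parent.mkdir(parents=True)
            target.write_text(token + "\n")         # file placed at the new path
            after = check_file_auth(base, token)
        finally:
            server.shutdown()
            server.server_close()
    return before, after

if __name__ == "__main__":
    print(demo())
```

Against a real site, call check_file_auth with the site's base URL and the value issued for the order; a 403 or 404 usually means the web server does not serve the .well-known directory.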

DNS-based Authentication – this option lets DNS managers verify domain control by creating domain records using values supplied by the CA.

1. Record Type changed from CNAME to TXT

2. Random String Value doubled from 32 to 64 characters

3. DNS Value Location changed from "s<random string>.domain.com" to "random string in TXT record"

Saturday, March 11, 2017
