To improve the security and reliability of certificate issuance, the CA/Browser Forum has changed the standard File-based and DNS-based Domain Validation (DV) procedures. Ballot 169 (Revised Validation Requirements) was unanimously approved and requires CAs to adopt these new DV practices to stay in compliance.

Symantec recently notified customers of these changes, with an extremely aggressive timetable.

Symantec/GeoTrust/Thawte/RapidSSL – The following changes apply to all DV SSL Certificates and Encryption Everywhere Certificates:


File-based Authentication – this option lets you upload a file supplied by the CA to a specific directory on the web server to demonstrate domain control.


1. Record Type changed from .HTML to .TXT

2. Random String Value doubled from 32 to 64 characters

3. File URL Path changed from <http:// or https://><root.tld>/<random file name>.html to <http:// or https://><root.tld>/.well-known/pki-validation/fileauth.txt

4. File Auth Time Stamp changed from “Time of order submission +/- 24 hours” to “Order date minus 7 days”

5. Shared Key Generation Process changed from “HMAC with SHA1” to “HMAC with SHA2”

6. Order, Reissue, and Revoke APIs changed from code “returned in response” to “removed from response”


DNS-based Authentication – this option lets whoever manages the domain's DNS create a record, using values supplied by the CA, to demonstrate domain control.


1. Record Type changed from CNAME to TXT

2. Random String Value doubled from 32 to 64 characters

3. DNS Value Location changed from "s<random string>.domain.com" to "random string in TXT record"
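The two lists above describe what a CA will look for under the revised rules: a 64-character random string served as plain text at /.well-known/pki-validation/fileauth.txt, or the same kind of string in a TXT record at the domain itself rather than the old s<random string> CNAME label. The following self-check is an added example, not Symantec's or the CA/Browser Forum's code, for verifying your own setup before submitting an order. It assumes the token alphabet is alphanumeric, that fileauth.txt contains nothing but the token (surrounding whitespace ignored), and that DNS answers are presented as (type, name, value) tuples; the domain example.com, the token and the records in the demo are constructed values, and `fetch_file_auth` is the only function that touches the network.

```python
"""Pre-submission self-check for the revised file- and DNS-based DV procedures.

Added example; not Symantec's or the CA/Browser Forum's code. Assumptions:
alphanumeric tokens, fileauth.txt holds only the token, DNS records are given
as (rtype, name, value) tuples.
"""
from __future__ import annotations

import re
import secrets
import urllib.request
from urllib.parse import urlparse

TOKEN_LEN = 64                                                # new length (was 32)
FILE_AUTH_PATH = "/.well-known/pki-validation/fileauth.txt"  # new fixed location
ALPHABET_RE = re.compile(r"[A-Za-z0-9]+")                     # assumed token alphabet
OLD_CNAME_RE = re.compile(r"^s[A-Za-z0-9]{32,64}\.")          # retired s<random string> label


def check_token(token: str) -> list[str]:
    """Return problems with a CA-issued random string under the revised rules."""
    problems = []
    if len(token) == 32:
        problems.append("token is 32 characters: looks like the pre-Ballot-169 format")
    elif len(token) != TOKEN_LEN:
        problems.append(f"token length {len(token)} != {TOKEN_LEN}")
    if not ALPHABET_RE.fullmatch(token):
        problems.append("token contains characters outside [A-Za-z0-9] (assumed alphabet)")
    return problems


def check_file_auth_url(url: str) -> list[str]:
    """Check that the URL the CA will fetch uses the new well-known path."""
    problems = []
    u = urlparse(url)
    if u.scheme not in ("http", "https"):
        problems.append(f"scheme {u.scheme!r} is not http or https")
    if u.path != FILE_AUTH_PATH:
        if u.path.lower().endswith(".html"):
            problems.append("path ends in .html: old random-file-name.html scheme")
        else:
            problems.append(f"path {u.path!r} != {FILE_AUTH_PATH!r}")
    return problems


def check_file_content(body: str, token: str) -> list[str]:
    """Compare what the web server actually serves with the token the CA issued."""
    problems = check_token(token)
    if "<html" in body.lower():
        problems.append("file is HTML, not plain text")
    if body.strip() != token:
        problems.append("served content does not equal the issued token")
    return problems


def check_dns_records(domain: str, records, token: str) -> list[str]:
    """records: iterable of (rtype, name, value) tuples, e.g. from a TXT lookup."""
    problems = check_token(token)
    txt_match = any(
        rtype == "TXT" and name.rstrip(".") == domain and value.strip('"') == token
        for rtype, name, value in records
    )
    if not txt_match:
        problems.append(f"no TXT record at {domain} with the issued token")
    if any(rtype == "CNAME" and OLD_CNAME_RE.match(name) for rtype, name, _ in records):
        problems.append("found old-style s<random string> CNAME; that method is retired")
    return problems


def fetch_file_auth(domain: str, scheme: str = "http", timeout: float = 10.0) -> str:
    """Fetch the validation file the way a CA would (network call; not used in the demo)."""
    with urllib.request.urlopen(f"{scheme}://{domain}{FILE_AUTH_PATH}", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    token = secrets.token_hex(32)  # constructed 64-char token standing in for the CA's value
    domain = "example.com"         # constructed
    print(check_file_auth_url(f"http://{domain}{FILE_AUTH_PATH}"))      # []
    print(check_file_auth_url(f"http://{domain}/a1b2c3d4.html"))         # old scheme flagged
    print(check_file_content(token + "\n", token))                       # []
    records = [  # constructed lookup result: a correct TXT plus a leftover old-style CNAME
        ("TXT", f"{domain}.", f'"{token}"'),
        ("CNAME", "s" + "a" * 32 + f".{domain}.", "verify.example.net."),
    ]
    print(check_dns_records(domain, records, token))                     # CNAME flagged
```

Run the checks against the real token the CA issues and the real DNS answer (for example from `dig TXT` output parsed into tuples) before submitting; an empty list from each function means the setup matches what the lists above describe.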



Saturday, March 11, 2017
