In Focus Security Trust and identity

Validation Changes Coming for TCS

Sectigo, our partner for delivering certificates as part of the Trusted Certificate Service, have announced that they are changing the permitted approaches for domain validation within TCS.  This change is mandatory in the industry as a result of policy changes implemented by the CA/B Forum and will be enforced from the 15th November 2021.

What Are The Changes?

TCS currently offers three different approaches to support domain validation.  Domain validation allows the Certificate Authority to ensure that you are the rightful owner of the domain for which you request certificates.  The approaches are:

  • http / https validation or file-based validation, where the domain owner uploads a file to the domain containing a unique identifier given to the certificate applicant by the Certificate Authority (CA).
  • email validation, where an email is sent to specific email types associated with a domain (e.g. admin@yourdomain.com).
  • CNAME hashing, which creates a unique CNAME record that points back to the Certificate Authority.

From 15th November 2021 file-based domain validation will only be permitted for a Fully Qualified Domain Name; validation will need to be undertaken for each sub-domain and wildcard or multi-domain certificates will not be issued.  No currently issued certificates will be affected or revoked

Wildcard and multi-domain certificates can still be issued via email or CNAME validation.

What Should I Do?

GÉANT has informed the service owners for TCS in each NREN and we are working with NRENs to identify organisations that may be impacted.  If you do currently rely on file-based validation we encourage you to look at ensuring you have the appropriate mechanisms to use either email validation or CNAME hashing.  We also strongly encourage all organisations to make themselves aware of the automation possibilities (such as ACME) due to the ongoing changes within the industry related to certificate issuance.  Training material from a recent webinar on ACME is available on the TCS wiki.

Where Can I Get Support?

Organisations should reach out to their NRENs in the first instance.  If you do not know who to speak to at your local NREN, please reach out to the TCS Service Owner and we will help you make contact.

Is the Date Flexible?

Sectigo are required to follow the policy implemented by the CA/B Forum and must meet this date for compliance purposes.