Changes are due to CAB Forum Ballot 169 & CAB Forum Ballot 181
As of March 16th, 2017, Symantec officially rolled out its new changes to its certificate validation procedures. The new Symantec validation procedures mostly affect the DV class of SSL certificates, but also have a very minor effect on OV and EV. These changes were made to comply with the CAB Forum Ballot 169 and 181 changes that are upcoming.
This post is primarily for making sure all SSL resellers/sub-resellers and enterprise-level customers — anyone that uses Symantec, Thawte, GeoTrust and RapidSSL certificates, and orders these certificates through any SSL reseller that is hooked up to Symantec’s API or leverages Symantec’s API in any integration or plugin solution – are fully aware of the changes that took place overnight.
Those who buy and use certificates directly from an SSL reseller’s website/control panel may have noticed very subtle changes. The new Symantec Validation Procedures will not have a major impact on you if you are part of this category. Though, if you really love SSL and Web PKI like us, we encourage you to read on for the sake of curiosity.
This post covers two separate groups of changes:
1. Domain Validation (DV) Changes
The first group of changes are related to the validation of DV certificates. Specifically, small improvements were made to the file-based, and DNS methods of validation, and took effect late in the evening of March 15th.
The majority of these changes were security improvements related to the validation tokens and random strings used in these methods. If your Symantec portfolio certificate orders stem from Symantec’s API or you order directly from Symantec’s API, you will need to make sure your implementation has been updated to accommodate these changes. If you are an end-user confirming your certificate via email, you will notice no changes. However, if you are confirming your certificate via File or DNS-based methods, you may notice some changes to the process.
If you order directly via Symantec’s API, or your reseller’s API, you will also need to make sure that the system has complied with Symantec’s detailed announcement or your reseller’s detailed communication or you will not be able to received your certificate. There are too many changes to cover entirely here, but we will touch on a couple of the bigger changes to give you a quick idea of what happened:
- For DNS authentication, the record type changed from CNAME to a TXT record. The unique validation code entered into the record will be doubling to 64 characters, and the way this new code is derived uses more secure methods.
- File authentication switched from .html to .txt files. Instead of placing the file at the root of the FQDN, the file now must go into the “/.well-known/pki-validation/” folder, this is a new standardized method that gives domain owners the ability to have more control over the path that controls certificate validation.
2. Discontinued Validation Methods
The second group of changes went into effect on March 1st and resulted in two uncommon validation methods no longer being acceptable for Domain Control Validation (DCV) for OV and EV certificates. We expect this to affect very few users as these methods were rarely used. As of March 1st it was no longer possible to use a Professional Opinion Letters (POL) or Practical Demonstration for the domain validation process on any OV and EV SSL certificates.
However, the POL can still be used to satisfy other requirements of the OV/EV process. This really shouldn’t be that big of a deal because these methods were rarely used and the CAB Forum finally decided they were not reliable enough to use for domain validation going forward. If you are unfamiliar with these methods, then I wouldn’t worry, because these changes will have no effect on you.
Why Are These Changes Happening?
The Certificate Authority and Browser Forum (CAB Forum), which sets standard practices for certificate issuance, passed CAB Forum Ballot 169 and CAB Forums Ballot 181 which made changes to the validation methods used to confirm control of domain names.
All CAs, must adopt these new practices to stay in compliance. This will improve the security and reliability of the issuance process, which ultimately helps the entire SSL ecosystem and strengthens the guarantees of CA-issued certificates.
For the most part, these changes deal with small improvements to validation methods and increased the randomness of validation tokens. All API users, or anyone using automated methods for certificate ordering/issuance will need to make sure the specific changes were made and their system has been updated accordingly.
End-users should be largely unaffected by these changes as the overall process and methods they are used to are only changing slightly.
These are primarily small, yet meaningful changes that help formalize issuance practices, which the CAB Forum is continually improving and perfecting. While this post specifically addresses Symantec/Thawte/GeoTrust/RapidSSL, all CAs will eventually be required to make similar changes to meet new CAB Forum guidelines.
If you order through a reseller/sub-reseller API, the CA’s API, or think that the changes discussed above will impact your current business processes, please get in touch with your SSL provider immediately. If you sell Symantec’s GeoTrust, Thawte or RapidSSL certificates, these changes are not optional.
Original Article: https://www.thesslstore.com/blog/symantec-validation-procedures/ by Vincent Lynch