CA Browser Forum 05-12-2021

Upcoming Industry Standard Changes to Domain Validation Emphasize Need for Modern Certificate Management Solutions

Jeremy Rowley

There are two domain validation policy changes expected to take effect before the end of this year that may affect how you validate domain information for certificate requests and for pre-validated domains. We recommend that customers review when their domain validations expire and prepare for the changes this summer.

Domain revalidation to be required every 398 days

First, Mozilla and the CA/Browser Forum recently shortened the reuse period for domain validation data from 825 days to 398 days, matching the 398-day maximum certificate validity adopted last year. The change does not affect previously issued certificates, but it will affect any customer issuing a new certificate, or rekeying or modifying a previously issued one, when the underlying domain validation is older than 398 days at the time of issuance. It applies to new requests, renewals and reissues for all TLS/SSL certificates, and it may also affect S/MIME certificates that rely on domain validation rather than email-based verification.

Don’t wait to revalidate

While customers have several months to prepare for the change, we don’t recommend waiting until September to get started. Enterprises using pre-validated domain information should submit the information for revalidation before October to avoid unnecessary interruptions in automated certificate deployment. Note that EV certificates already require annual reverification, and, as such, are not impacted by this modification.

Domain control validation (DCV) methods may change

We suggest that customers revalidate domains in August using a DNS-based method to prepare for the change. When revalidating before October, customers should review which DCV methods they currently use: other pending industry changes may restrict some methods, so they may need to move to an alternative such as DNS-based validation. Revalidating with a method that will remain permitted ensures that domains stay valid through the changes and gives the longest available window before they need to be revalidated again.

What is DigiCert’s stance?

DigiCert will no longer reuse validated domain information older than 398 days and will require revalidation every 398 days (roughly 13 months) starting Oct. 1, 2021. We recommend that customers set up a long-term strategy for domain revalidation to ensure validation continuity.
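The two checks described above, the 398-day reuse window and a DNS TXT domain control validation, as an added example that is not DigiCert's code or part of the original post. The reuse rule follows CA/Browser Forum Baseline Requirements section 4.2.1 as amended by ballot SC42 (reused validation data must be no more than 398 days old at issuance); the TXT lookup follows BR 3.2.2.4.7, which lets the CA look for the Random Value on the Authorization Domain Name or on that name prefixed with an underscore label. The `_dnsauth` label, the domain inventory, the dates, the token and the zone data are all constructed, and the resolver is a dictionary standing in for live DNS so the script runs offline.

```python
"""Added example: reuse-window bookkeeping and a DNS TXT DCV check.

Not DigiCert's code. Domain names, dates, tokens and zone data below are
constructed for illustration; the `_dnsauth` label is an assumption.
"""
from __future__ import annotations

from datetime import date, timedelta
from typing import Callable, Iterable

REUSE_DAYS = 398            # BR 4.2.1 after ballot SC42 (previously 825)
OLD_REUSE_DAYS = 825
EFFECTIVE = date(2021, 10, 1)


def reuse_deadline(validated_on: date) -> date:
    """Last issuance date on which this validation may still be reused."""
    return validated_on + timedelta(days=REUSE_DAYS)


def needs_revalidation(validated_on: date, issue_on: date) -> bool:
    """True if issuing on issue_on would rely on stale validation data.

    The rule is evaluated at issuance time, so a validation that was fine
    under the 825-day window becomes unusable the day the 398-day rule is
    in force if it is already older than 398 days.
    """
    limit = OLD_REUSE_DAYS if issue_on < EFFECTIVE else REUSE_DAYS
    return issue_on - validated_on > timedelta(days=limit)


def stale_domains(inventory: dict[str, date], issue_on: date) -> list[str]:
    """Domains whose validation cannot back an issuance on issue_on."""
    return sorted(d for d, v in inventory.items() if needs_revalidation(v, issue_on))


def authorization_domain_names(fqdn: str) -> list[str]:
    """Candidate Authorization Domain Names, most specific first.

    A wildcard's leading '*' label is dropped. The parent walk stops before
    the last label; a real CA uses the Public Suffix List instead of this
    simplification.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def dns_txt_dcv(fqdn: str, random_value: str,
                lookup_txt: Callable[[str], Iterable[str]],
                label: str = "_dnsauth") -> str | None:
    """Return the DNS name on which random_value was found, or None.

    For each Authorization Domain Name, the underscore-prefixed name is
    checked first, then the bare name (BR 3.2.2.4.7). lookup_txt returns
    the TXT strings published at a name (empty if none).
    """
    for adn in authorization_domain_names(fqdn):
        for name in (f"{label}.{adn}", adn):
            if random_value in set(lookup_txt(name)):
                return name
    return None


# Constructed zone data standing in for live DNS answers.
FAKE_ZONE = {
    "_dnsauth.example.com": ["tok-7f3a9c"],
    "example.com": ["v=spf1 -all"],
}


def fake_lookup(name: str) -> list[str]:
    return FAKE_ZONE.get(name.lower().rstrip("."), [])


# Constructed inventory: domain -> date its last DCV was completed.
INVENTORY = {
    "example.com": date(2020, 6, 15),
    "api.example.net": date(2021, 3, 1),
    "shop.example.org": date(2020, 9, 20),
}

if __name__ == "__main__":
    for d, v in INVENTORY.items():
        print(f"{d}: validated {v}, reusable until {reuse_deadline(v)}")
    print("stale on", EFFECTIVE, "->", stale_domains(INVENTORY, EFFECTIVE))
    print("token found on:", dns_txt_dcv("www.example.com", "tok-7f3a9c", fake_lookup))
```

Running the inventory against the effective date shows the cliff the post warns about: a domain validated in June 2020 is still reusable on 30 September 2021 under the 825-day window, but not on 1 October, while the DCV check walks from `www.example.com` up to `_dnsauth.example.com` before it finds the token.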

It’s never been more important to stay on top of your certificate management, and as we’ve mentioned before, the old way of spreadsheets and notifications is no longer viable to keep up with industry changes and compliance demands. That is why we are working harder than ever behind the scenes to give you a better understanding of your validation snapshot. Log in to your DigiCert CertCentral® account today and navigate to the Domains page to review your domains, check on validation expiration dates and even trigger re-validation now in case you need a new certificate tomorrow. Combine your validation readiness with our Automation suite to ensure that you never experience downtime when uptime is critical.

About DigiCert’s solutions in CertCentral®

CertCentral manages all TLS certificates throughout the certificate lifecycle. The award-winning platform features a rich automation suite, continuous updates and an API-based development structure for easy implementation into popular platforms and systems like ServiceNow.

With CertCentral, you can also take advantage of additional features to simplify certificate management, such as:

  • Multi-Year Plans. Within CertCentral, and through authorized DigiCert partners, you can purchase a Multi-year Plan of up to six years of coverage for TLS certificates. A Multi-year Plan eliminates the need for annual per-certificate purchases and provides a service period of up to six years, during which time you may reissue and renew certificates as often as needed. You can also lock in pricing discounts for succeeding years. Note that, with the change to validation, even customers using pre-validated certificate information will still need to submit a new domain validation request once a year.
  • Automation. We recently unveiled DigiCert® Automation Manager, which is built for on-premises automation of your certificate lifecycle. Automation Manager is available in DigiCert ONE™ and is a containerized enterprise solution for secure, high-volume TLS certificate automation behind the firewall. Plus, it is compatible with Automation Wizard, an intelligent tool that can guide administrators to select the right automation solutions for their needs. You can read more about how Automation Manager works in another blog and sign up for a demo here.

Current DigiCert customers can visit CertCentral to review when their domains expire and prepare to maintain validation. Additionally, feel free to reach out to your DigiCert account representative if you have further questions.
