

20250901 - MPIC in DCV and CAA controls

Starting September 1, 2025, MPIC will be enforced for the validation of multiple audit points of your SSL certificates.

What is MPIC?

MPIC, or Multi-Perspective Issuance Corroboration, is the use of multiple distinct network locations in different regions of the world to perform the same verification (DCV or CAA).

Why?

This measure, adopted by vote of the CA/B Forum, aims to strengthen the security of validations, particularly against BGP hijacking or manipulation of DNS responses.

By checking from multiple network perspectives, MPIC ensures that a single attack is no longer sufficient: an attacker would have to compromise multiple remote locations in a coordinated manner.

How does it work?

For DCV, for example, this means that multiple network perspectives must return the same DNS record information or website file content for a given domain before it is considered validated and the certificate can be issued.

The principle is the same for CAA validation.

Concretely, an initial verification is carried out by the main network. It must then be confirmed by several other verifications coming from secondary networks.

What audit points are concerned?

  • DCV validation via DNS record (TXT or CNAME)
  • DCV validation via an address found in a DNS record
  • DCV validation by file to be placed on the site
  • CAA validation

How to prepare?

If you are using a firewall, a WAF, or any other network filtering system, you must ensure that certification authority validation connections are not blocked.

Add the IP addresses to your whitelist

GlobalSign

List of GlobalSign IPs used for MPIC:

  • 133.88.7.1
  • 133.88.7.2
  • 133.88.2.112/29
  • ap-southeast-2: 52.64.70.230/32
  • ca-central-1: 15.156.151.97/32
  • eu-central-1: 63.176.81.153/32
  • eu-north-1: 16.16.130.86/32
  • us-east-1: 18.205.30.124/32
  • us-west-1: 54.215.173.133/32

DigiCert

DigiCert recommends adding the user agent "DigiCert DCV Bot/1.1" to your whitelist.

This keeps validation working if new IP addresses are added, because the rule automatically covers all IPs used by MPIC agents.

List of DigiCert IPs currently used for MPIC:

  • 216.168.240.4
  • 216.168.247.9
  • 202.65.16.4
  • 54.185.245.130
  • 13.58.90.0
  • 52.17.48.104
  • 18.193.239.14
  • 54.227.165.213
  • 54.241.89.140

Sectigo

Sectigo uses dynamic IPs for MPIC; therefore, the authority will not publish a list. It is recommended to add the user agent "Sectigo DCV" to your whitelist.
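
The check below is an added example, not code from this site or from any certificate authority: it scans web server or WAF log lines for validation requests that your filtering denied, matching either by allowlisted network or by the user agents named above. The networks are constructed placeholders; the log format, the /.well-known/pki-validation/ directory and the 403/429 deny codes are assumptions to adapt to your setup.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737); replace with your CA's published list.
CA_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/29", "198.51.100.7/32")]
# User agents quoted on this page.
CA_USER_AGENTS = ("DigiCert DCV Bot/1.1", "Sectigo DCV")
# Assumption: file-based DCV is served from this directory.
DCV_PREFIX = "/.well-known/pki-validation/"
# Assumption: the filtering layer logs denied requests with these codes.
BLOCK_STATUSES = {403, 429}
# Assumed simplified log format: ip "METHOD path" status "user-agent"
LINE_RE = re.compile(r'^(\S+) "[A-Z]+ ([^\s"]+)" (\d{3}) "([^"]*)"$')


def ca_match(ip, path, user_agent):
    """Return why a request counts as CA validation traffic, or None."""
    # User-Agent is client-supplied: honour it only inside the validation directory.
    if not path.startswith(DCV_PREFIX):
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # not an IP literal
    if any(addr in net for net in CA_NETWORKS):
        return "ip"
    if any(agent in user_agent for agent in CA_USER_AGENTS):
        return "user-agent"
    return None


def blocked_validations(lines):
    """List (ip, reason) for validation requests that the filter denied."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m[3]) in BLOCK_STATUSES:
            reason = ca_match(m[1], m[2], m[4])
            if reason:
                findings.append((m[1], reason))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    '192.0.2.3 "GET /.well-known/pki-validation/example.txt" 403 "Mozilla/5.0"',
    '203.0.113.50 "GET /.well-known/pki-validation/example.txt" 403 "DigiCert DCV Bot/1.1"',
    '203.0.113.50 "GET /admin/login" 403 "Sectigo DCV"',
    '198.51.100.7 "GET /.well-known/pki-validation/example.txt" 200 "DigiCert DCV Bot/1.1"',
]
```

Every entry returned by blocked_validations(SAMPLE_LOG) is a validation request that a filter rule rejected; the /admin/login line is not reported because a user agent claim is ignored outside the validation directory.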

IPv6 support and MPIC validation

The introduction of MPIC broke support for IPv6-only environments for file-based validation (HTTP DCV).

In practice, this means that servers accessible only via IPv6 cannot be validated using the HTTP/HTTPS file method.

To date, none of our suppliers support file-based DCV validation on IPv6-only servers.

If your infrastructure only operates in IPv6, we recommend using another validation method (via DNS or email address).

Useful links