

20170705 - Modification of DCV HTTP/HTTPS and DCV DNS challenges

On 20th July the DCV HTTP/HTTPS and DCV DNS validation methods will change slightly to remain compliant with the Baseline Requirements (BR) issued by the CA/B Forum.

What are the changes?

The validation file, or the value of the CNAME record, which until now could be re-used indefinitely (provided the CSR was not changed), will have to be unique and different for each order.

The file and the DNS configuration will have to be replaced for each renewal, reissuance or new order whether or not the CSR has changed.

For the HTTP(S) and CNAME DCV methods, each SAN must be validated.
In addition, for standard offers that include the root domain (secured with and without www.), the DCV validation will be done on both FQDNs. For www.domain.com:

  • https://www.domain.com/.well-known/pki-validation/xxxx.txt
  • https://domain.com/.well-known/pki-validation/xxxx.txt
  • _xxxx.www.domain.com. CNAME yyyy.yyyy.zzz.comodoca.com.
  • _xxxx.domain.com. CNAME yyyy.yyyy.zzz.comodoca.com.

How to get a unique file?

The file and the CNAME value are generated from a hash of the CSR, so several methods can be used to obtain a unique file.

  • The most obvious: generate a new CSR for each order

  • If your CSR contains SANs, you can change their order, or you can add an optional field to your CSR (such as a challenge password)

  • If you want to keep using your CSR, you will have to use a "UniqueValue": instead of hashing the CSR alone, the CSR is hashed together with that "UniqueValue" to produce a unique hash result.

    By default TBS INTERNET will use this solution: it will generate a random "UniqueValue" and the corresponding validation file or CNAME value during the order, so you will only have to download and install the file, or configure your DNS with the value provided.

    Note: TBS API users will be able to choose their "UniqueValue" which will have to be composed of 1 to 20 characters.
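The following script is an added illustration of the mechanism described above; it is not TBS INTERNET's or Sectigo's code and does not reproduce their real derivation. The hash algorithm (SHA-256 over the DER-encoded CSR followed by the UniqueValue, truncated to 32 hex characters), the use of one token for both the file name and the CNAME label, the sample CSR and the CNAME target are all assumptions made for the example. What it shows is the property that matters for the new rule: the same CSR alone always yields the same challenge, while mixing in a per-order UniqueValue (1 to 20 characters) yields a different challenge for every order, and a www. name also needs its apex provisioned.

```python
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple

# Constructed placeholder: not a real CSR, just PEM-framed base64 bytes so
# that the PEM-to-DER step has something to decode.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.encodebytes(b"constructed placeholder CSR body, not real DER").decode()
    + "-----END CERTIFICATE REQUEST-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return base64.b64decode(body)


def dcv_token(csr_pem: str, unique_value: Optional[str] = None) -> str:
    """Derive a challenge token from the CSR, optionally mixed with a UniqueValue.

    Assumption (not the CA's real algorithm): SHA-256(DER || UniqueValue),
    truncated to 32 hex characters so it fits comfortably in a DNS label.
    """
    if unique_value is not None and not 1 <= len(unique_value) <= 20:
        raise ValueError("UniqueValue must be 1 to 20 characters")
    h = hashlib.sha256(pem_to_der(csr_pem))
    if unique_value is not None:
        h.update(unique_value.encode("utf-8"))
    return h.hexdigest()[:32]


def new_unique_value() -> str:
    """Random 20-character UniqueValue, like the one generated during an order."""
    return secrets.token_hex(10)


def dcv_targets(sans: List[str], token: str, cname_target: str) -> List[Tuple[str, str, str]]:
    """For each SAN, return (fqdn, HTTP file URL, CNAME record) to provision.

    A www. name also requires its apex, since the standard offer secures both.
    """
    fqdns: List[str] = []
    for san in sans:
        if san not in fqdns:
            fqdns.append(san)
        if san.startswith("www.") and san[4:] not in fqdns:
            fqdns.append(san[4:])
    return [
        (
            fqdn,
            f"https://{fqdn}/.well-known/pki-validation/{token}.txt",
            f"_{token}.{fqdn}. CNAME {cname_target}.",
        )
        for fqdn in fqdns
    ]


if __name__ == "__main__":
    # Same CSR, no UniqueValue: the challenge never changes between orders.
    print("CSR only :", dcv_token(SAMPLE_CSR_PEM))
    # Same CSR, fresh UniqueValue per order: a new challenge every time.
    for _ in range(2):
        uv = new_unique_value()
        tok = dcv_token(SAMPLE_CSR_PEM, uv)
        print(f"UniqueValue={uv} -> {tok}")
        for fqdn, url, cname in dcv_targets(["www.domain.com"], tok, "yyyy.yyyy.zzz.comodoca.com"):
            print("  ", url)
            print("  ", cname)
```

Run it twice and the "CSR only" line is identical both times, while every UniqueValue line differs; that is exactly why a validation file generated from the CSR alone can no longer satisfy the per-order uniqueness rule.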

Which products are concerned?

All TBS X509, Sectigo and Positive SSL server certificates.

Useful links