Verification for SSL certificates has two parts: 1) verifying the organization and 2) making sure that the organization has control over the target domain. Previously the latter was typically confirmed by looking at the WHOIS information: if the organization owned the target domain, that was sufficient. The CA/Browser Forum discontinued this method in spring 2018. At the same time, GDPR compliance caused problems for Method 2, because the email address in the WHOIS record for the domain name was no longer published. This meant that we could no longer use that information to contact the domain name registrant to confirm authorization to issue a certificate for the requested domain name.
GDPR brought challenges to domain verification by email. Email addresses were removed from WHOIS, and customers could no longer use those addresses for verification. The email method was effectively limited to the generic addresses admin@, administrator@, hostmaster@, postmaster@ and webmaster@ at the domain. Many organizations do not have these addresses in use, so the use of email verification dropped sharply.
In May 2019 the CA/Browser Forum accepted two new methods for domain verification. These methods give customers more options for domain verification.
Email to DNS TXT Contact
You can add your preferred email address to a DNS TXT record for use with the email verification method. That address can then be used as the recipient of the verification emails in the future.
The DNS TXT record MUST be placed on the “_validation-contactemail” subdomain of the domain being validated.
- Must use the DNS TXT record type
- Must create the DNS record under the _validation-contactemail subdomain.
- For example, for testcertificates.com, the DNS TXT record should be created under _validation-contactemail.testcertificates.com
This is an example of what the customer would configure in a DNS TXT resource record, as seen in tools such as nslookup and G Suite Dig:
Email to DNS CAA Contact
Method 13 is a domain validation method that allows a customer to list an email address in a CAA record, similar to how a contact email address could be listed in WHOIS.
Here is an example of the CAA record for the domain name example.com:
- $ORIGIN example.com
- CAA 0 contactemail email@example.com
Requirements for DNS CAA contact:
- The customer must use the CAA DNS record type
- The customer must use the contactemail tag
These new methods are related to email verification. When the email address has been added to the DNS in the correct format, the ECS portal (Entrust Certificate Services portal) will automatically recognize the address and offer it as a method for email verification.
What’s the benefit for me?
Each email MAY confirm control of multiple domains, provided that each email address is a DNS CAA Email Contact or DNS TXT Email Contact for each Authorization Domain Name being validated.
If you are adding several domains or re-verifying many domains, you can use the same email address during bulk domain verification (both new and re-verification). In that case you receive only one email, which allows you to verify several domains at the same time.
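To show how a CA or a customer can check these records before requesting verification, here is an added example (not code from this page, Entrust or Wesentra) that reads a zone-file excerpt, extracts the contact address from CAA "contactemail" records and from TXT records at _validation-contactemail.<domain>, discards malformed addresses, and then groups domains by address so you can see which domains a single verification email would cover. It assumes standard zone-file syntax with $ORIGIN lines and quoted RDATA; the zone data is constructed.

```python
import re
from collections import defaultdict
# Constructed zone-file excerpt for three domains (sample input, not from the page).
SAMPLE_ZONE = """
$ORIGIN example.com.
@                         IN CAA 0 contactemail "hostmaster@example.com"
$ORIGIN example.net.
_validation-contactemail  IN TXT "hostmaster@example.com"
$ORIGIN example.org.
@                         IN CAA 0 issue "entrust.net"
_validation-contactemail  IN TXT "not-an-address"
"""
EMAIL_RE = re.compile(r'^[^@\s"]+@[^@\s"]+\.[^@\s"]+$')
TXT_LABEL = "_validation-contactemail"

def contact_emails(zone_text):
    """Return {domain: {emails}} from CAA 'contactemail' records and from TXT
    records at _validation-contactemail.<domain>; malformed addresses are dropped."""
    found, origin = defaultdict(set), ""
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        name = fields[0]                          # '@', absolute (trailing dot) or relative
        owner = origin if name == "@" else name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
        pos = [i for i, f in enumerate(fields) if i and f.upper() in ("CAA", "TXT")]
        if not pos:                               # other record types are irrelevant here
            continue
        rtype, rdata = fields[pos[0]].upper(), fields[pos[0] + 1:]
        if rtype == "CAA" and len(rdata) == 3 and rdata[1].lower() == "contactemail":
            domain, email = owner, rdata[2].strip('"')
        elif rtype == "TXT" and owner.startswith(TXT_LABEL + "."):
            domain, email = owner[len(TXT_LABEL) + 1:], " ".join(rdata).strip('"')
        else:
            continue
        if EMAIL_RE.match(email):                 # only well-formed addresses count
            found[domain].add(email.lower())
    return dict(found)

def bulk_groups(contacts):
    """Invert to {email: [domains]}: one verification email per address covers them all."""
    groups = defaultdict(list)
    for domain, emails in contacts.items():
        for email in emails:
            groups[email].append(domain)
    return {email: sorted(domains) for email, domains in groups.items()}
```

With the sample zone, example.org yields no contact (its CAA record carries only an "issue" tag and its TXT value is not an address), while example.com and example.net both resolve to hostmaster@example.com and would be verified together by one email.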
How to get the new methods in use?
These new methods are not yet enabled automatically. To use them, you will need to send an email to verification (at) wesentra.com requesting that the method be enabled.
If you need further information or help with these new methods, please contact us: verification (at) wesentra.com or support (at) wesentra.com.
You can find help for different platforms on Entrust's Support Site: