File-Based Validation and Wildcard SSL Certificates


Robert Kim

When you order a Wildcard SSL Certificate, the file-based validation option is not offered. This is not a Trustico® restriction or a technical limit, but an industry rule that applies to every Certificate Authority (CA). This guide explains the reason and the methods you use instead.

The rule comes from the CA/Browser Forum Baseline Requirements, the procedure every publicly trusted Certificate Authority (CA) must follow. From 1 December 2021 that procedure no longer permits file-based (HTTP) validation for a Wildcard SSL Certificate, so every public CA removed the option on the same date. Learn About SSL Certificate Validation 🔗

The Three Validation Methods

Before issuing an SSL Certificate, the Certificate Authority (CA) confirms you control the domain through Domain Control Validation (DCV). Three methods are used: an e-mail to a fixed role address, a file placed on the web server, and a Domain Name System (DNS) record.

The e-mail method sends a link or code to one of five addresses at the domain, namely admin, administrator, hostmaster, webmaster, or postmaster. The Domain Name System (DNS) method adds a CNAME or TXT record holding a supplied value, while the file method places a supplied file on the web server. Learn About File-Based Authentication 🔗

The Limit of a File-Based Check

A file proves control of one web server at one name. Placing a file for www.example.com shows control of that host, and nothing more about the wider domain.

A Wildcard SSL Certificate is different, because an entry of *.example.com covers every first-level subdomain, such as mail.example.com, shop.example.com, and any other. Proving control of a single host does not prove control of all of them.

In many organizations those subdomains sit on separate servers run by separate teams or vendors. Allowing a single-host file check to authorize a wildcard would let whoever controls one subdomain obtain an SSL Certificate covering them all, which is the gap the rule closes. Learn About Subdomain Security Risks 🔗

The Methods a Wildcard Uses Instead

A Wildcard SSL Certificate is validated with either the Domain Name System (DNS) method or the e-mail method, and both prove control at the domain level. For *.example.com the record is placed in the example.com zone, the zone that governs every subdomain the wildcard covers, and only someone with authority over that zone can add it.

The e-mail method works the same way, since the five role addresses represent administrative control of the domain rather than one web service. Either method satisfies the rule for a Wildcard SSL Certificate, which is offered at Domain Validation (DV) and Organization Validation (OV). Discover Domain Validation (DV) Information 🔗

File-Based Validation for Single Names

The rule targets wildcards only, so file-based validation is still available for a single-name SSL Certificate. It suits a server where you can upload a file easily but cannot readily change Domain Name System (DNS) records.

On a Multi-Domain SSL Certificate, each name is validated on its own, so a file is placed for every Fully Qualified Domain Name (FQDN) the SSL Certificate covers. Automated issuance through the ACME protocol uses this same file method for single names (its http-01 challenge); for a wildcard name ACME has to use its DNS challenge (dns-01) for the same reason. Learn About ACME Automation 🔗

Preparing to Validate a Wildcard

Knowing a file cannot be used lets you prepare the right way. If you will use the Domain Name System (DNS) method, confirm you can add a CNAME or TXT record in the zone before you order.

If you will use the e-mail method, confirm one of the five role addresses receives mail and that filters allow the message. The chosen method can also be switched later in the SSL Certificate Tracking and Management Tool. View the SSL Certificate Tracking and Management Tool 🔗
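The rule above reduces to a small decision per name, and writing it down is a useful pre-order check: it tells you which proof each name on an order needs and where that proof has to live. The script below is an added example, not Trustico® tooling or part of the original article. The `_dcv` record label, the placeholder file name and the `http://` scheme are assumptions; your CA states the exact record and file it expects. The `/.well-known/pki-validation/` path is the one the industry rule requires for the file method, and the five mailboxes are the ones listed earlier on this page.

```python
"""Which Domain Control Validation (DCV) methods a CA may accept for each
name on an order, and where the proof must be placed.

Added example. Assumptions: the "_dcv" DNS label and the file name are
placeholders; the CA supplies the real values."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# The five role addresses a CA may send the validation e-mail to.
ROLE_MAILBOXES = ("admin", "administrator", "hostmaster", "webmaster", "postmaster")

DNS_LABEL = "_dcv"              # assumption: label used for the TXT/CNAME record
FILE_NAME = "<token-from-ca>.txt"  # assumption: file name the CA asks for


@dataclass(frozen=True)
class Plan:
    name: str                   # the name as it will appear in the SSL Certificate
    wildcard: bool
    methods: Tuple[str, ...]    # methods a CA may accept for this name
    dns_record: str             # where a TXT/CNAME record would go
    file_url: Optional[str]     # where a file would go, None when not permitted
    mailboxes: Tuple[str, ...]  # role addresses the e-mail method may use


def base_domain(name: str) -> str:
    """Strip a leading '*.' so the proof lands on the zone that governs every
    subdomain the wildcard covers (*.example.com -> example.com)."""
    return name[2:] if name.startswith("*.") else name


def plan_for(name: str) -> Plan:
    """Return the DCV plan for one name: a wildcard loses the file method."""
    name = name.strip().lower().rstrip(".")
    wildcard = name.startswith("*.")
    base = base_domain(name)
    # A wildcard is only valid as the complete left-most label, and a name
    # must have at least two labels to be issued publicly.
    if not base or "*" in base or "." not in base:
        raise ValueError(f"not a valid certificate name: {name!r}")
    methods = ("dns", "email") if wildcard else ("dns", "email", "file")
    return Plan(
        name=name,
        wildcard=wildcard,
        methods=methods,
        dns_record=f"{DNS_LABEL}.{base}",
        # A file proves one host at one name, so it is only offered for a
        # single name and is served from that exact host.
        file_url=None if wildcard else f"http://{base}/.well-known/pki-validation/{FILE_NAME}",
        # Role addresses at the domain itself; many CAs also offer the parent domain.
        mailboxes=tuple(f"{m}@{base}" for m in ROLE_MAILBOXES),
    )


def plan_for_order(names: List[str]) -> List[Plan]:
    """A Multi-Domain SSL Certificate validates every FQDN on its own."""
    return [plan_for(n) for n in names]


def file_check_proves(file_served_at: str, requested_name: str) -> bool:
    """What a file-based check establishes: control of exactly the host that
    served the file. It never establishes control of a wildcard name."""
    if requested_name.startswith("*."):
        return False
    return file_served_at.lower() == requested_name.lower()


if __name__ == "__main__":
    for p in plan_for_order(["www.example.com", "*.example.com"]):
        print(p.name, "methods:", ", ".join(p.methods))
        print("  DNS record :", p.dns_record)
        print("  file       :", p.file_url or "not permitted")
        print("  e-mail     :", ", ".join(p.mailboxes))
    # The gap the rule closes: a team that only runs shop.example.com places
    # a file there and asks for *.example.com.
    print("shop file proves *.example.com:",
          file_check_proves("shop.example.com", "*.example.com"))
```

Run it before you order: if the name you need is a wildcard and `file_url` comes back empty, the only things worth checking are that you can write to the zone named in `dns_record` or that one of the listed mailboxes is read by someone on your side.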


Most Popular Questions

Frequently asked questions covering why file-based validation cannot be used for a Wildcard SSL Certificate, what a file proves, the security gap the rule closes, and the methods a wildcard uses instead.

Why Is File-Based Validation Not Offered for a Wildcard?

When you order a Wildcard SSL Certificate, the file-based option is not offered. This is not a Trustico® restriction or a technical limit, but an industry rule that applies to every Certificate Authority (CA).

When Did the Rule Take Effect?

The rule comes from the CA/Browser Forum Baseline Requirements and took effect on 1 December 2021. It removed file-based validation for Wildcard SSL Certificates across all publicly trusted Certificate Authorities (CAs).

Which Validation Methods Exist?

Before issuing an SSL Certificate, the Certificate Authority (CA) confirms you control the domain through Domain Control Validation (DCV). Three methods are used: an e-mail to a fixed role address, a file placed on the web server, and a Domain Name System (DNS) record.

What Does a File-Based Check Actually Prove?

A file proves control of one web server at one name. Placing a file for www.example.com shows control of that host, and nothing more about the wider domain.

Why Does That Fall Short for a Wildcard?

A Wildcard SSL Certificate is different, because an entry of *.example.com covers every first-level subdomain, such as mail.example.com and shop.example.com, with no limit on how many. Proving control of a single host does not prove control of all of them.

What Security Gap Does the Rule Close?

In many organizations those subdomains sit on separate servers run by separate teams or vendors. Allowing a single-host file check to authorize a wildcard would let whoever controls one subdomain obtain an SSL Certificate covering them all, which is the gap the rule closes.

Which Methods Does a Wildcard Use Instead?

A Wildcard SSL Certificate is validated with either the Domain Name System (DNS) method or the e-mail method, and both prove control at the domain level. A Domain Name System (DNS) record can only be added by someone with authority over the zone, and the five role addresses represent administrative control of the domain rather than one web service.

Can a Single-Name SSL Certificate Still Use a File?

The rule targets wildcards only, so file-based validation is still available for a single-name SSL Certificate. It suits a server where you can upload a file easily but cannot readily change Domain Name System (DNS) records.

How Does File Validation Apply to a Multi-Domain SSL Certificate?

On a Multi-Domain SSL Certificate, each name is validated on its own, so a file is placed for every Fully Qualified Domain Name (FQDN) the SSL Certificate covers. Automated issuance through the ACME protocol uses this same file method for single names.

How Should Someone Prepare to Validate a Wildcard?

If you will use the Domain Name System (DNS) method, confirm you can add a CNAME or TXT record in the zone before you order. If you will use the e-mail method, confirm one of the five role addresses receives mail and that filters allow the message. The chosen method can also be switched later in the SSL Certificate Tracking and Management Tool.
