Multi-Perspective Issuance Corroboration (MPIC) Arrives

 August 18, 2025

What’s Changing? 

Domain Control Validation (DCV) and CAA checks for publicly trusted TLS and S/MIME certificates must be performed using Multi-Perspective Issuance Corroboration, or “MPIC”.  

Specifically, the following checks will be performed using MPIC:

  • DNS lookups for random values in support of domain validation  

  • DNS lookups in support of CAA checking at the time of issuance 

  • HTTP access to servers to obtain the random value in support of the HTTP domain validation method

Why This Change? 

In line with the CA/Browser Forum’s baseline requirements for issuing publicly trusted TLS and S/MIME certificates, GlobalSign is implementing this change to improve security and assurance in the domain control validation process.  

MPIC was introduced to mitigate BGP hijacking and similar attacks that could be leveraged to manipulate the results of domain lookups in support of domain validation or the CAA validation for issuance. As the name suggests, “Multi-Perspective Issuance Corroboration” means that when a CA performs domain control validation (DCV), it must run these checks from multiple perspectives, that is, from multiple independent geographic network locations.

When Do These Changes Take Effect? 

MPIC for Domain Validation and CAA Checks will be put into enforcement mode on September 9th, 2025. 

How Does This Affect You? 

There is no impact on issued certificates, and most customers will not notice any changes. All requests for new publicly trusted TLS or S/MIME certificates (including renewals and reissues) will be validated using MPIC in enforcement mode. This means that each of the MPIC remote nodes and the primary node will perform identical processing, and at least 4 of the 6 remote nodes must agree with the primary node or the checks will fail.

What Actions Need to be Taken? 

Most organizations do not need to take any action; however, organizations that use allowlists and/or blocklists to restrict access to their systems from external IP addresses will need to ensure that the MPIC nodes are permitted access to any network endpoints that are in scope for validation checks. In support of this, we have published the list of IP addresses used by MPIC.
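As an added illustration (not GlobalSign code), the following Python sketch checks an allowlist against a set of MPIC source addresses and reports whether the "4 of 6 remote nodes plus primary" rule described above could still be met. The addresses are constructed placeholders from documentation ranges, not the published MPIC list, and the sketch assumes that a perspective blocked by the allowlist cannot agree with the primary node.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges). Replace them with
# the addresses from the CA's published MPIC list, which this page does not reproduce.
PRIMARY = "192.0.2.10"
REMOTES = ["198.51.100.11", "198.51.100.12", "203.0.113.21",
           "203.0.113.22", "203.0.113.23", "192.0.2.77"]
REQUIRED_REMOTE_AGREEMENT = 4  # "at least 4 of the 6 remote nodes"


def permitted(ip, allowlist):
    """True if ip falls inside any CIDR block of the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowlist)


def mpic_reachability(allowlist, primary=PRIMARY, remotes=REMOTES,
                      required=REQUIRED_REMOTE_AGREEMENT):
    """Report which perspectives the allowlist blocks and whether validation can pass.

    Assumption: a blocked perspective cannot corroborate the primary's result.
    """
    blocked = [ip for ip in remotes if not permitted(ip, allowlist)]
    primary_ok = permitted(primary, allowlist)
    reachable = len(remotes) - len(blocked)
    return {
        "primary_ok": primary_ok,
        "blocked_remotes": blocked,
        "reachable_remotes": reachable,
        "can_pass": primary_ok and reachable >= required,
    }


if __name__ == "__main__":
    # Constructed allowlist that only partially covers the perspectives.
    partial = ["192.0.2.0/24", "198.51.100.0/24"]
    report = mpic_reachability(partial)
    print("primary permitted:", report["primary_ok"])
    print("blocked remotes:  ", ", ".join(report["blocked_remotes"]) or "none")
    print("validation can pass:", report["can_pass"])
```

Run it against the same CIDR list your firewall or WAF enforces on the validation endpoints; any address reported as blocked should be permitted before the next issuance, renewal or reissue.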

This support article provides guidance on how to interpret and resolve some of the most common CAA errors.  

What Products Are Affected by This Change? 

All publicly trusted TLS and S/MIME certificates

TLS Certificates on both Atlas and GCC: 

  • TLS DV, OV, EV and AlphaSSL 

S/MIME Certificates: 

  • On Atlas – Secure Mail and Secure Mail Enterprise  
  • On GCC – PersonalSign 1, PersonalSign 2 Pro, PersonalSign 2 Department, Enterprise PKI Lite for Personal Digital ID, Enterprise PKI Lite for Department Digital ID, and Enterprise PKI Lite for S/MIME.

Mark Certificates:  

  • On GCC - Verified Mark Certificates 

 

 

 

 

 
