Why File-Based Validation Cannot Be Used for Wildcard SSL Certificates

Robert Kim

When ordering a Wildcard SSL Certificate, you may notice that file-based authentication is not available as a validation option. This limitation is not a technical oversight or a restriction imposed by Trustico® but rather an industry-wide requirement established by the Certificate Authority/Browser Forum (CA/B Forum).

This article explains the background behind this industry requirement, the security reasoning that led to its implementation, and the alternative validation methods available when ordering Wildcard SSL Certificates.

Understanding Domain Control Validation

Before a Certificate Authority (CA) can issue an SSL Certificate for your domain, you must prove that you actually control that domain. This verification process is called Domain Control Validation (DCV), and it serves as a fundamental security measure that prevents unauthorized parties from obtaining SSL Certificates for domains they do not own or control.

Domain Control Validation (DCV) has traditionally offered three methods for proving domain ownership. Each method demonstrates control in a different way, and until December 2021, all three methods were available for all types of SSL Certificates including Wildcard SSL Certificates.

E-Mail Validation

E-Mail validation is the most straightforward method. The Certificate Authority (CA) sends an approval e-mail to a specific address associated with your domain.

The address must be one of the predefined administrative addresses such as admin@, administrator@, webmaster@, hostmaster@, or postmaster@ at your domain. Clicking the approval link in this e-mail confirms your control over the domain.

File-Based Validation

File-based validation, also known as HTTP or HTTPS validation, requires you to upload a specific text file to a designated directory on your web server. The file must contain a unique validation code provided by the Certificate Authority (CA).

When the Certificate Authority (CA) can access this file at the expected location via automated methods, it confirms that you have sufficient control over the web server to modify its content.

DNS Validation

DNS validation requires you to create a specific DNS record for your domain. Typically, this involves adding a CNAME or TXT record containing a unique validation string provided by the Certificate Authority (CA).

Because only someone with access to a domain's DNS configuration can create these records, this method demonstrates authoritative control over the entire domain namespace.

Why File-Based Validation Cannot Be Used for Wildcard SSL Certificates

The CA/B Forum introduced Ballot SC45, known as the Wildcard Domain Validation ballot, which took effect on 1 December 2021. This ballot eliminated file-based validation as an option for Wildcard SSL Certificates across all Certificate Authorities (CAs) worldwide.

The change was not optional, but rather a mandatory requirement that all publicly trusted Certificate Authorities (CAs) must follow.

The Security Concern

The fundamental issue with file-based validation for Wildcard SSL Certificates relates to what the validation method actually proves. When you successfully complete file-based validation, you demonstrate control over a specific host and web service at a particular location. You prove that you can place a file on the web server responding to requests for that specific fully qualified domain name (FQDN).

However, a Wildcard SSL Certificate covers not just the base domain but all possible subdomains at that level. A Wildcard SSL Certificate for *.example.com would secure mail.example.com, shop.example.com, api.example.com, and any other subdomain someone might create.

The security concern is that controlling the web server for www.example.com does not necessarily mean you control every possible subdomain of example.com.

The Subdomain Hosting Problem

Consider a common scenario in large organizations where different departments or services manage their own subdomains. The marketing team might control www.example.com while the IT department manages mail.example.com and an external vendor hosts shop.example.com. Each subdomain could be hosted on entirely different servers, potentially in different data centers or even managed by different organizations.

Under the old rules, someone with access only to the www.example.com web server could complete file-based validation and obtain a Wildcard SSL Certificate covering all subdomains. This created a potential security vulnerability where a person without legitimate authority over the entire domain namespace could obtain an SSL Certificate that appears to secure it entirely.

Potential for Abuse

Malicious actors could potentially exploit this validation gap. If an attacker gained access to a single subdomain's web hosting, perhaps through a compromised shared hosting account or a vulnerable web application, they could theoretically use file-based validation to obtain a Wildcard SSL Certificate.

This SSL Certificate could then be used to impersonate other subdomains for phishing attacks or man-in-the-middle attacks, even subdomains the attacker never controlled.

The CA/B Forum determined that the security risk of allowing file-based validation for Wildcard SSL Certificates outweighed the convenience it provided. By requiring DNS or e-mail validation, the industry ensures that only parties with genuine control over the entire domain can obtain Wildcard SSL Certificates.

How DNS and E-Mail Validation Provide Better Security

Both DNS and e-mail validation methods demonstrate control at the domain level rather than at the individual host level. This distinction is crucial for Wildcard SSL Certificates because they inherently cover multiple hosts within a domain.

DNS Validation Proves Domain-Level Control

DNS records are managed at the domain level, typically through your domain registrar or a dedicated DNS hosting provider. Only someone with administrative access to your domain's DNS configuration can create the validation records required for DNS validation.

This access level inherently proves control over the entire domain namespace because the same DNS zone governs all subdomains.

When you create a DNS validation record for example.com, you are demonstrating access to the authoritative DNS configuration that controls example.com and all its subdomains. This makes DNS validation fundamentally more appropriate for Wildcard SSL Certificates than file validation ever was.

E-Mail Validation Uses Domain-Level Addresses

E-Mail validation requires receiving and acting upon an e-mail sent to an address that demonstrates domain-level authority.

The approved e-mail addresses such as admin@, administrator@, and postmaster@ are specifically chosen because they represent administrative control over the domain itself rather than a specific web service.

How This Affects Your Wildcard SSL Certificate Order

Ordering a Wildcard SSL Certificate from Trustico® will present validation options that include DNS validation and e-mail validation but will not include file validation. This applies to all Wildcard SSL Certificates regardless of the validation level, whether Domain Validation (DV), Organization Validation (OV), or Extended Validation (EV).

Choosing DNS Validation

DNS validation is often the preferred choice for technical users and organizations with straightforward access to their DNS management. After placing your order, you will receive specific DNS record information to add to your domain's DNS configuration.

Once the record propagates and the Certificate Authority (CA) verifies it, validation completes and your SSL Certificate can be issued.

The main advantage of DNS validation is that it works regardless of whether your web server is currently running or accessible. You can complete validation before your website is even built, making it ideal for new projects or server migrations.

Choosing E-Mail Validation

E-Mail validation suits organizations where DNS access is restricted or managed by a separate team but administrative e-mail addresses are readily accessible. The validation e-mail arrives quickly after order placement, and clicking the approval link completes the process almost instantly.

Ensure that the administrative e-mail address you intend to use is functional and that you can receive messages at that address before placing your order. Common issues arise when organizations have not configured their administrative e-mail addresses or when spam filters block validation e-mails.

File-Based Validation for Non-Wildcard SSL Certificates

The CA/B Forum ballot specifically targeted Wildcard SSL Certificates, and file-based validation remains available for standard single-domain SSL Certificates. However, even for non-wildcard SSL Certificates, the same ballot introduced additional requirements that affect how file-based validation works.

Individual FQDN Validation Required

When using file-based validation for a Multi-Domain SSL Certificate that covers multiple fully qualified domain names, each FQDN must be validated individually.

Previously, validating the base domain could automatically validate subdomains as well. Under the current rules, if your Multi-Domain SSL Certificate covers example.com and www.example.com, you must complete separate file-based validation for each domain name.

This change ensures that file-based validation only proves control of the specific hosts where validation files are placed rather than implying broader control that may not exist.
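The two rules explained above (a wildcard name needs domain-level proof, and a validation file only ever covers the one host it was fetched from) can be written down as a small coverage check. The following is an added illustration of that policy, not code from Trustico, any Certificate Authority or the CA/B Forum; the Evidence model and the method names "file", "dns" and "email" are assumptions made for the example.

```python
"""Which DCV evidence may back which certificate name, following the rules
the article describes (post Ballot SC45). Added illustration; not code from
Trustico, any CA, or the CA/B Forum."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Evidence:
    """One completed validation (model assumed for this example).

    method: "file"  - validation file fetched from a web host (HTTP/HTTPS)
            "dns"   - validation record found in the domain's DNS zone
            "email" - approval link clicked from an admin@/postmaster@ style mailbox
    name:   the FQDN the file was fetched from (for "file"), or the domain whose
            DNS zone / administrative mailbox was used (for "dns" and "email")
    """
    method: str
    name: str


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def is_wildcard(san: str) -> bool:
    return san.startswith("*.")


def allowed_methods(san: str) -> set[str]:
    """Validation methods a CA may accept for a given certificate name."""
    if is_wildcard(san):
        # Since SC45, wildcard names need domain-level proof, never a web-server file.
        return {"dns", "email"}
    return {"dns", "email", "file"}


def evidence_covers(ev: Evidence, san: str) -> bool:
    """True if this piece of evidence is sufficient for this certificate name."""
    if ev.method not in allowed_methods(san):
        return False
    san_n, ev_n = _norm(san), _norm(ev.name)
    if ev.method == "file":
        # A validation file proves control of exactly one host. It says nothing
        # about sibling hosts, so every FQDN must be validated on its own.
        return san_n == ev_n
    # DNS and e-mail prove control of the whole namespace under ev.name:
    # the domain itself, every name beneath it, and a wildcard for that namespace.
    target = san_n[2:] if is_wildcard(san_n) else san_n
    return target == ev_n or target.endswith("." + ev_n)


def unvalidated_names(sans: list[str], evidence: list[Evidence]) -> list[str]:
    """Names in the order that no piece of evidence covers; empty means issuable."""
    return [s for s in sans if not any(evidence_covers(e, s) for e in evidence)]


if __name__ == "__main__":
    # Constructed scenarios matching the article's examples.
    www_file = Evidence("file", "www.example.com")
    zone_dns = Evidence("dns", "example.com")
    # Wildcard order backed only by a file on www.example.com: refused.
    print(unvalidated_names(["*.example.com"], [www_file]))  # ['*.example.com']
    # Same order backed by a record in the example.com zone: issuable.
    print(unvalidated_names(["*.example.com", "example.com"], [zone_dns]))  # []
    # Multi-domain order: a file on example.com no longer covers www.example.com.
    print(unvalidated_names(["example.com", "www.example.com"],
                            [Evidence("file", "example.com")]))  # ['www.example.com']
```

The check is deliberately strict in the file-based branch: it compares whole FQDNs rather than suffixes, which is exactly what the "individual FQDN validation" rule asks for.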

When File-Based Validation Makes Sense

File-based validation remains a practical choice for single-domain SSL Certificates when you have easy access to upload files to your web server but limited access to DNS management. Many web hosting control panels make file uploads straightforward while DNS changes may require contacting support or navigating unfamiliar interfaces.

For organizations using automated SSL Certificate management through ACME protocols, the HTTP-01 challenge type provides file-based validation for individual domains. This automation remains fully supported for non-wildcard SSL Certificates.
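To make the host-level versus domain-level distinction concrete, the following added example computes what an ACME client actually publishes for the HTTP-01 challenge the article mentions and, going one step beyond the article, for the DNS-01 challenge that ACME uses for DNS validation (RFC 8555 sections 8.3 and 8.4, with the account-key thumbprint from RFC 7638). It is not code from Trustico, any ACME client or any Certificate Authority; SAMPLE_JWK and SAMPLE_TOKEN are constructed values, not a real key or a real token.

```python
"""What an ACME client publishes for HTTP-01 versus DNS-01 (RFC 8555
sections 8.3 and 8.4), with the account-key thumbprint from RFC 7638.
Added illustration, not code from Trustico or any ACME client or CA."""

import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(fqdn: str, token: str, jwk: dict) -> dict:
    """Where the CA fetches the file and what it must contain.
    The URL pins the proof to one host name; it says nothing about sibling hosts."""
    return {
        "url": f"http://{fqdn}/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def dns01_challenge(domain: str, token: str, jwk: dict) -> dict:
    """RFC 8555 section 8.4: TXT record holding base64url(SHA-256(key authorization)).
    Writing this record requires access to the zone, which is what a wildcard needs."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {
        "name": f"_acme-challenge.{domain}",
        "type": "TXT",
        "value": b64url(digest),
    }


# Constructed sample account key and token so the example runs offline.
# "n" is an arbitrary base64url string, not a real RSA modulus.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    # The same account key and token, published two different ways.
    print(http01_challenge("www.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_challenge("example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Note where each proof lives: the HTTP-01 body is served from one specific host name, whereas the DNS-01 TXT value is written into the zone that governs every name under the domain, which is why only the latter can stand behind a wildcard.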

Preparing for Wildcard SSL Certificate Validation

Knowing that file-based validation is not available for Wildcard SSL Certificates allows you to prepare appropriately before placing your order. Taking a few minutes to verify your access to DNS management or administrative e-mail addresses prevents delays in SSL Certificate issuance.

Verify DNS Access

If you plan to use DNS validation, confirm that you can access your domain's DNS management interface. Log into your domain registrar or DNS hosting provider and verify that you can create new DNS records.

Familiarize yourself with where to add CNAME or TXT records so you can complete validation quickly once you receive the validation details.

If your organization uses a managed DNS service or if another team handles DNS changes, coordinate with them before placing your order. Knowing the typical turnaround time for DNS changes helps set realistic expectations for how quickly your Wildcard SSL Certificate can be issued.

Verify E-Mail Access

If you prefer e-mail validation, test that you can receive e-mail at one of the approved addresses before placing your order. Check your spam and junk folders as validation e-mails sometimes get filtered incorrectly.

Consider Your Ongoing Needs

Wildcard SSL Certificates require revalidation whenever you renew or reissue them. Consider which validation method will be most sustainable for your organization over time.

If DNS access is straightforward today but might become complicated due to organizational changes, e-mail validation might provide more consistent access. Conversely, if e-mail infrastructure is in flux, reliable DNS access might serve you better long-term.

Wildcard SSL Certificates from Trustico®

Trustico® offers a comprehensive range of Wildcard SSL Certificates that secure your primary domain and all subdomains with a single SSL Certificate. Our Wildcard SSL Certificates support both DNS and e-mail validation methods, ensuring you have flexible options that comply with industry requirements.

The validation process for Wildcard SSL Certificates through Trustico® is streamlined and well-documented. After placing your order, our system provides clear instructions for your chosen validation method. Our support team is available to assist if you encounter any difficulties during the validation process.

All Trustico® Wildcard SSL Certificates come from trusted Certificate Authorities (CAs) whose root SSL Certificates are pre-installed in all major browsers and operating systems. This ensures that your SSL Certificate will be recognized and trusted by virtually all visitors to your secured websites.

Frequently Asked Questions

Customers often have questions about file-based validation restrictions and how they affect Wildcard SSL Certificate orders.

Can I Use File-Based Validation If I Only Need to Secure a Few Subdomains?

No, the restriction applies to all Wildcard SSL Certificates regardless of how you intend to use them. If your SSL Certificate includes a wildcard entry such as *.example.com, file-based validation cannot be used.

If you only need to secure specific subdomains rather than all possible subdomains, consider a Multi-Domain SSL Certificate instead, which can use file-based validation for each individual domain.

Why Did This Change Happen?

The CA/B Forum, which governs standards for publicly trusted SSL Certificates, determined that file-based validation does not adequately demonstrate control over an entire domain namespace. Because Wildcard SSL Certificates cover all subdomains, the Forum concluded that validation must prove domain-level control rather than just control over a single web server.

Which Validation Method Is Faster?

E-Mail validation is typically the fastest method because it can complete within minutes of receiving and acting on the validation e-mail. DNS validation speed depends on DNS propagation times, which can range from a few minutes to several hours depending on your DNS provider and configuration.

Can I Switch Validation Methods After Placing My Order?

Yes, you can change your validation method at any time through the Trustico® SSL Certificate Tracking and Management system. Simply log in, locate your order, and select your preferred alternative validation method. The system will provide updated validation instructions for your new method immediately.

What If I Cannot Access DNS or Administrative E-Mail?

If you genuinely cannot access either DNS management or an approved administrative e-mail address, you may need to work with your domain registrar or IT department to establish this access.

These are the only validation methods permitted for Wildcard SSL Certificates under current industry rules, and no Certificate Authority (CA) can issue a Wildcard SSL Certificate without completing one of these validation types.
