WHOIS Domain Control Validation Will Phase Out Soon

If you’ve used WHOIS-based validation for your SSL/TLS certificates, it’s time to change to another validation method ASAP.

Changes are coming down the pike regarding WHOIS-based domain validation in the first half of 2025.

In August 2024, researchers at discovered a vulnerability relating to use of legacy WHOIS systems for domain control validation (DCV) that industry leaders were concerned could lead to fraudulent email-based validations for SSL/TLS certificates. Although the scope of the specific vulnerability was limited, it brought up questions about the industry’s reliance on certain legacy resources for validation.

Industry leaders will begin a phased elimination of WHOIS-based DCV methods. As a result, the WHOIS protocol or HTTPS server query data will no longer be used as a way to 1) identify domain contacts, or 2) verify an entity’s control over a domain.

Phase One: Jan. 15, 2025
Basically, CAs will be prohibited from relying on domain contact info gathered through manual or automated WHOIS lookup methods.

Phase Two: July 15, 2025
This is the date by which publicly trusted CAs MUST NOT rely on any WHOIS-related domain validation methods to issue new leaf certificates or allow prior authorization reuse (even during a valid reuse period).

What Does All of This Mean for Your Organization?

If You Don’t Use WHOIS Data for Domain Control Validation
If a method other than WHOIS web-based lookups was used to validate your domain — for example, DNS TXT records, file validation, or constructed email (e.g., administrator@domain.com) verification — then this has no impact on you or your certificates. You’re right as rain and you don’t have to worry about any of these changes.

If You Did Use WHOIS Data for Your Domain Control Validation Process
If you used a WHOIS-listed email address to validate your domain when getting a website security certificate, you’ll need to change validation methods when requesting a new SSL/TLS certificate.

The easiest method for most customers will be to use one of the pre-approved validation email addresses:

  • admin@yourdomain.com
  • administrator@yourdomain.com
  • webmaster@yourdomain.com
  • hostmaster@yourdomain.com
  • postmaster@yourdomain.com

Alternative methods of domain control validation include file and DNS-based validation methods:

  • DNS TXT records
  • DNS CNAME (canonical name) records that link an alias to one or more other domains
  • HTTP file authentication
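
To find out which of your certificates are affected, you can run a check like the following over your certificate inventory. This is an added example, not code from any CA or from the original article: the record layout, the method labels (dns-txt, dns-cname, http-file, email) and the status names are hypothetical, and it assumes that any approver address other than the five pre-approved ones came from a WHOIS record.

```python
from datetime import date

# Dates and mailbox names are the ones given in the article.
PHASE_ONE = date(2025, 1, 15)   # no new reliance on WHOIS-sourced contact info
PHASE_TWO = date(2025, 7, 15)   # no issuance or authorization reuse via WHOIS
CONSTRUCTED = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")
NON_EMAIL_METHODS = {"dns-txt", "dns-cname", "http-file"}  # hypothetical labels


def constructed_addresses(domain):
    """The five pre-approved approver addresses for a domain."""
    d = domain.strip().lower().rstrip(".")
    return [f"{name}@{d}" for name in CONSTRUCTED]


def classify(order, on_date):
    """Return (status, replacement_addresses) for one inventory record."""
    method = order["method"].strip().lower()
    if method in NON_EMAIL_METHODS:
        return "ok", []
    if method != "email":
        return "unknown-method", []
    approver = order.get("approver_email", "").strip().lower()
    options = constructed_addresses(order["domain"])
    if approver in options:
        return "ok", []
    # Assumption: any other approver address was taken from a WHOIS record.
    if on_date >= PHASE_TWO:
        status = "whois-blocked"        # neither new issuance nor reuse
    elif on_date >= PHASE_ONE:
        status = "whois-no-new-lookup"  # existing validation only, until Phase Two
    else:
        status = "whois-migrate"        # still accepted, switch before Phase One
    return status, options


# Constructed sample inventory (example.* names are reserved for documentation).
INVENTORY = [
    {"domain": "example.com", "method": "email", "approver_email": "Hostmaster@Example.com"},
    {"domain": "example.org", "method": "email", "approver_email": "owner@registrant-mail.example"},
    {"domain": "example.net", "method": "dns-txt"},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        status, options = classify(rec, date(2025, 8, 1))
        print(f"{rec['domain']:<12} {status:<20} {', '.join(options)}")
```

Any record that does not come back as "ok" should be re-validated with one of the listed replacement addresses, or with a DNS or file-based method, before the next issuance or renewal.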

We offer a wide range of certificates from major certificate authorities: RapidSSL, GeoTrust, Thawte, Sectigo, DigiCert.

You can buy a certificate not only to protect any server or hosting that we provide, but also for any other services or servers that you use from different providers. You can also order our SSL installation service to get your certificate installed correctly.