Changes in WHOIS-based SSL certificate validation: what you need to know in 2025


Domain Ownership Verification (Domain Control Validation, DCV) is a crucial step in the process of issuing SSL/TLS certificates, regardless of their validation level (DV, OV, or EV).

For years, many DCV methods have relied on the WHOIS system, which provided contact information for domain owners. However, due to increasing security threats and evolving industry standards, WHOIS-based methods are gradually being phased out. In this article, we will discuss the reasons behind the upcoming changes, the timeline for their implementation, alternative validation methods, and the impact this change will have on the SSL certificate issuance process.

Traditionally, DV (Domain Validation) certificate validation relied, among other things, on obtaining contact information from the WHOIS registry. This allowed the Certificate Authority (CA) to automatically send a verification message to the email address retrieved from the WHOIS database – most commonly addresses such as webmaster@, admin@, or hostmaster@. While this method was popular due to its automation and speed, its effectiveness in today’s environment is increasingly in doubt.

Why is WHOIS Being Phased Out?

  1. Outdated Data – many WHOIS records contain stale information, making reliable verification difficult.
  2. Susceptibility to Abuse – fraudsters can manipulate WHOIS data to obtain certificates for domains they do not control.
  3. Privacy Regulations – the introduction of GDPR and similar regulations has restricted the availability of public contact information in WHOIS, complicating its use in the DCV process.

These factors have led the CA/Browser Forum – the organization that standardizes certificate practices – to decide to completely phase out WHOIS methods by July 15, 2025.

Timeline of Changes

Key dates for administrators and organizations:

  • January 15, 2025 – End of support for WHOIS-based validation for .nl domains (Sectigo) and manual WHOIS queries (DigiCert).
  • May 8, 2025 – DigiCert will no longer accept new WHOIS validations.
  • June 15, 2025 – Sectigo will completely disable WHOIS support.
  • July 8, 2025 – DigiCert will cease reusing existing WHOIS validations.
  • July 15, 2025 – Final deadline for phasing out WHOIS for all Certificate Authorities (CAs).

This approach aims to minimize the risk of fraudulent domain validation and to increase the overall security level in the SSL certificate issuance process.

Impact of Changes on Certificate Authorities and Domain Owners

For companies issuing certificates (CAs) and website owners, the upcoming changes mean that validation procedures will need to be adjusted. In practice:

  • For CAs: It will be necessary to discontinue the use of automated scripts that retrieve WHOIS data and to implement validation mechanisms based on direct confirmation of domain control via email, DNS TXT records, or files placed on the server.
  • For domain owners: If previous certificate orders used WHOIS-based validation, you should prepare to switch validation methods for future issuances or renewals. The simplest solution will be to use verification through predefined email addresses or by adding the appropriate TXT record in the DNS zone.

Alternative Domain Validation Methods

To avoid disruptions in certificate operation, it is recommended to switch to the following methods:

Email Validation from Predefined Addresses
  • Addresses such as admin@domena.pl or webmaster@domena.pl are recognized as authorized.
  • The verification message is sent directly to these mailboxes, minimizing the risk that a third party gains control of the verification.
DNS TXT Records
  • A unique TXT record provided by the CA is added to the domain’s DNS zone.
  • Example: _dns-challenge.example.com. IN TXT "ssl-verification=abc123def456"
  • This method is considered the most secure as it requires access to the DNS control panel.
File-Based Verification (HTTP/HTTPS)
  • A file containing a unique token is placed on the server at the path /.well-known/pki-validation/.
  • Example: http://example.com/.well-known/pki-validation/8593532A8FA01E6CEBB0B7E85E510D0F.txt
  • The file must be accessible via HTTP/HTTPS without redirects. This method is not available for Wildcard certificates.
Constructed Email Addresses
  • A new method in which the verification email address is generated based on DNS records (e.g., contact@domena.pl associated with a TXT record).
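A pre-flight check for the DNS TXT and file-based methods described above, written here as an added example (not code from the original article or from any CA). The resolver and HTTP client are injected and replaced with constructed sample answers so the check runs offline; `check_dns_txt`, `check_http_file` and the `_dns-challenge` label are assumptions, since the exact label and file format are set by the issuing CA.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample answers standing in for a real DNS resolver and HTTP client.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_dns-challenge.example.com.": ['"ssl-verification=abc123def456"', '"v=spf1 -all"'],
}
SAMPLE_HTTP: Dict[str, Tuple[int, str]] = {
    "http://example.com/.well-known/pki-validation/8593532A8FA01E6CEBB0B7E85E510D0F.txt":
        (200, "8593532A8FA01E6CEBB0B7E85E510D0F\n"),
    "http://www.example.com/.well-known/pki-validation/8593532A8FA01E6CEBB0B7E85E510D0F.txt":
        (301, ""),  # a redirect: the article states the CA will not follow it
}

def sample_txt_lookup(name: str) -> List[str]:
    return SAMPLE_TXT.get(name, [])

def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_HTTP.get(url, (404, ""))

def check_dns_txt(domain: str, expected: str,
                  lookup: Callable[[str], List[str]] = sample_txt_lookup) -> Tuple[bool, str]:
    """Is the CA-supplied TXT value present at _dns-challenge.<domain>.? (label assumed)"""
    base = domain[2:] if domain.startswith("*.") else domain  # wildcard: use the base domain
    name = f"_dns-challenge.{base}."
    values = [v.strip('"') for v in lookup(name)]  # TXT strings come back quoted
    if expected in values:
        return True, f"TXT {expected!r} found at {name}"
    return False, f"TXT {expected!r} missing at {name}; got {values}"

def check_http_file(domain: str, token: str,
                    fetch: Callable[[str], Tuple[int, str]] = sample_fetch) -> Tuple[bool, str]:
    """Is the token file served under /.well-known/pki-validation/ with a direct 200?"""
    if domain.startswith("*."):
        return False, "file-based validation is not available for wildcard certificates"
    url = f"http://{domain}/.well-known/pki-validation/{token}.txt"
    status, body = fetch(url)
    if 300 <= status < 400:
        return False, f"{url} redirects ({status}); the file must be served without redirects"
    if status != 200:
        return False, f"{url} returned HTTP {status}"
    if token not in body:
        return False, f"{url} is reachable but does not contain the token"
    return True, f"{url} serves the token"
```

To use it against live infrastructure, pass a `lookup` that queries TXT records (for example with dnspython) and a `fetch` that performs the GET without following redirects.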

How to Prepare for the Changes?

  • Update Validation Processes – Review your existing certificates and ensure that new orders use methods other than WHOIS.
  • Monitor Deadlines – Keep track of the timelines set by individual CAs (e.g., DigiCert, Sectigo) and update your domains before key dates.
  • Team Education – Train administrators on the new DCV methods, especially in configuring DNS records and verification files.

The changes in WHOIS-based SSL certificate validation are not only a response to identified threats, but also part of a global trend toward increasing internet security. Phasing out methods based on WHOIS data, which are vulnerable to manipulation and limited by privacy regulations, forces a shift to more reliable validation methods such as email, DNS, or file-based validation. Implementing these solutions from early 2025 will make the SSL certificate issuance process more resilient to attacks and compliant with the latest security standards. Website owners and CAs should therefore adjust their validation procedures now. This will not only enhance the security of their sites, but also boost user trust in their services, which is crucial in an era of increasingly stringent security standards.

Do you have questions about the above change? Contact our sales department for more information.
