On March 15, 2025, SSL.com implemented MPIC as mandated by the CA/Browser Forum’s Server Certificate Working Group (SC-067), with partial enforcement. The purpose of MPIC is to enhance the security and trustworthiness of digital certificates by requiring validations of domain information and verification of CA Authorization (CAA) records from multiple Internet network perspectives.
On September 2, 2025, SSL.com will fully enact MPIC enforcement, and certificates will no longer be issued if the remote validation checks cannot corroborate the primary validation results. The MPIC update will take effect industry-wide on September 15, 2025.
What is MPIC?
MPIC requires that Certificate Authorities (CAs) perform domain validation and CAA checks from multiple geographically and topographically distinct network points. This additional layer of security helps detect and prevent attacks in which an attacker manipulates Domain Name System (DNS) responses, hijacks Border Gateway Protocol (BGP) routes, or alters other network configuration in order to fraudulently obtain certificates.
Quorum Requirements
The CA/B Forum defines the quorum as the number of positive (corroborating) responses a validation check must receive. The requirement starts at one positive response and increases over time, so that non-corroborating responses never outnumber corroborating ones.
For the latest information on quorum requirements, visit the CA/Browser Forum’s Baseline Requirements, specifically Ballot SC-067.
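The following is an added example, not SSL.com code or the CA/Browser Forum's reference logic, showing how a CA-side corroboration step can be modelled: each perspective reports whether domain control validation (DCV) succeeded and which CAA records it saw, a remote perspective corroborates only if both its DCV result and its CAA view permit issuance by this CA, and the final decision applies a quorum. The thresholds `min_positives` and `max_negatives` are constructed placeholders (the real quorum table is in Ballot SC-067), the perspective names are made up, and the CAA evaluation covers only the `issue`/`issuewild` properties of RFC 8659.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PerspectiveResult:
    """What one vantage point observed. dcv_passed is None when the perspective got no usable answer."""
    name: str
    dcv_passed: Optional[bool]
    caa_records: list  # (tag, value) pairs exactly as seen from that vantage point


def caa_permits(records, ca_domain, wildcard=False):
    """RFC 8659 subset: 'issue' governs all names; 'issuewild', when present, overrides it for
    wildcard requests. No applicable property means issuance is not restricted."""
    issue = [v for t, v in records if t.lower() == "issue"]
    issuewild = [v for t, v in records if t.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    for value in relevant:
        # value is "<issuer-domain>[; parameters]"; a bare ";" forbids every CA
        domain = value.split(";", 1)[0].strip().lower()
        if domain == ca_domain.lower():
            return True
    return False


def explain(r, ca_domain, wildcard=False):
    """Classify one perspective's observation; anything other than 'ok' is a negative response."""
    if r.dcv_passed is None:
        return "unreachable"
    if not r.dcv_passed:
        return "dcv failed"
    if not caa_permits(r.caa_records, ca_domain, wildcard):
        return "caa forbids"
    return "ok"


def corroborate(primary, remotes, ca_domain, min_positives=2, max_negatives=1, wildcard=False):
    """Decide issuance. The primary result must itself pass; remote perspectives then have to
    reach the quorum. Thresholds here are constructed placeholders, not SC-067's values."""
    if explain(primary, ca_domain, wildcard) != "ok":
        return {"issue": False, "reason": "primary validation failed", "positives": [], "negatives": {}}
    positives = [r.name for r in remotes if explain(r, ca_domain, wildcard) == "ok"]
    negatives = {r.name: explain(r, ca_domain, wildcard) for r in remotes
                 if explain(r, ca_domain, wildcard) != "ok"}
    ok = (len(positives) >= min_positives
          and len(negatives) <= max_negatives
          and len(negatives) <= len(positives))  # negatives may never outnumber positives
    return {"issue": ok, "reason": "quorum met" if ok else "quorum not met",
            "positives": positives, "negatives": negatives}


# Constructed scenario: one remote perspective sees a CAA record naming a different CA,
# which is what a regionally poisoned DNS answer would look like from that vantage point.
PRIMARY = PerspectiveResult("primary", True, [("issue", "ssl.com")])
REMOTES = [
    PerspectiveResult("eu-west", True, [("issue", "ssl.com")]),
    PerspectiveResult("us-east", True, [("issue", "ssl.com")]),
    PerspectiveResult("ap-south", True, [("issue", "ssl.com")]),
    PerspectiveResult("sa-east", True, [("issue", "other-ca.example")]),
]

if __name__ == "__main__":
    print(corroborate(PRIMARY, REMOTES, "ssl.com"))
```

With these constructed inputs three of four remotes corroborate, so issuance proceeds but the `negatives` map records which perspective disagreed and why; a second disagreeing perspective pushes the check over `max_negatives` and blocks issuance, which is the behaviour the full enforcement date introduces.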
Impact for Customers of Public Certificate Authorities
Customers of Public CAs should not need to make any changes to prepare for this change. Customers may notice these changes:
- Enhanced Security: The likelihood of unauthorized certificate issuance is reduced.
- Potential Validation Delays: The additional checks could introduce slight delays.
- Increased Transparency: Details of the validation process will be provided for review and auditing.
- No Action Required: Generally, no action is required on the customer’s side. Customers should ensure that their DNS configurations are healthy and accessible from various network locations to facilitate efficient validation.
Troubleshooting Common MPIC Validation Issues
While most customers won’t encounter problems when we deploy MPIC, some specific network configurations can cause validation challenges. Here are quick solutions for the most common issues:
Web Server Behind Firewall: If your web server is behind a firewall or load balancer that blocks connections from remote perspectives, you’ll need to allowlist the IP ranges used by Certificate Authorities for validation. However, it should be noted that most major web browsers have previously stated that servers behind a firewall should not use publicly trusted certificates, since the CA/Browser Forum TLS Baseline Requirements are scoped only to address certificates that are used for authenticating servers accessible through the Internet.
Contact your certificate administrator to get the current list of validation IP addresses and configure your firewall rules accordingly. Alternatively, consider temporarily opening port 80 during the validation process if your security policies permit. It is recommended to switch to a private PKI if your policies don’t allow ports 80/443 to be accessible from the public Internet.
Restricted Name Server Access: Some DNS providers or internal name servers are configured to reject queries from specific geographic regions or IP ranges. This can cause the validation process to fail when our remote perspectives attempt to verify your domain ownership.
Work with your DNS administrator to ensure that your authoritative name servers can respond to queries from a global audience; alternatively, consider using a DNS provider that supports worldwide accessibility.
Geoblocking and CDN Issues: Content delivery networks and geoblocking services sometimes interfere with multi-perspective validation. If you’re using these services, create exceptions for certificate validation traffic. Your CDN provider can also help ensure that validation endpoints remain accessible from all network perspectives.
Preparing for MPIC: Best Practices for Certificate Administrators
As a certificate manager or PKI administrator, taking proactive steps now will ensure a smooth transition once MPIC becomes fully enforced. Here’s how to prepare your infrastructure:
Audit Your DNS Infrastructure: Test your domain resolution from multiple geographic locations using tools like DNS checker websites. Ensure your DNS records have appropriate TTL values that strike a balance between performance and the flexibility required during certificate renewals.
Document Your Network Architecture: Create a clear map of your network infrastructure, including firewalls, load balancers, and any geographic restrictions. Share this documentation with your Certificate Authority to help troubleshoot any validation issues that may arise during the transition period.
Establish Monitoring and Alerting: Set up monitoring for your certificate validation endpoints and DNS infrastructure. Early detection of connectivity issues will help you resolve problems before they impact the validation process. Consider implementing automated health checks that simulate the multi-perspective validation process.
Plan for Increased Validation Times: Factor additional time into your certificate renewal processes to account for the multi-perspective validation checks. Update your internal procedures and any automated certificate management tools to accommodate potential delays without causing service disruptions.
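The audit and monitoring steps above can be scripted. The block below is an added example, not an SSL.com tool, that uses only the Python standard library to send A and CAA queries to several resolvers and reports whether every vantage point saw the same answers; querying public resolvers from one host only approximates distinct network perspectives, so treat a disagreement or an unreachable resolver as a prompt to investigate, not as the CA's verdict. The resolver addresses in `RESOLVERS` are assumptions to replace with ones your team trusts, and `_constructed_response()` builds a fake wire-format answer for `example.test` purely so the parser can be exercised offline.

```python
import secrets
import socket
import struct

RESOLVERS = ["9.9.9.9", "1.1.1.1", "8.8.8.8"]  # assumption: replace with resolvers you trust
QTYPE_A, QTYPE_CAA = 1, 257


def build_query(name, qtype, txid=None):
    """RFC 1035 query with one question and the RD bit set."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but resume after the 2 bytes
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_answers(msg):
    """Return (rcode, sorted [(name, type, text)]) for the answer section; A and CAA are decoded."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A:
            text = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_CAA:  # flags(1) taglen(1) tag value
            taglen = rdata[1]
            text = f"{rdata[0]} {rdata[2:2 + taglen].decode('ascii')} {rdata[2 + taglen:].decode('ascii')}"
        else:
            text = rdata.hex()
        answers.append((name, rtype, text))
    return flags & 0xF, sorted(answers)


def query(resolver_ip, name, qtype, timeout=3.0):
    """Send one UDP query and return the parsed answer whose transaction id matches ours."""
    pkt = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver_ip, 53))
        while True:
            data, _ = s.recvfrom(4096)
            if data[:2] == pkt[:2]:
                return parse_answers(data)


def summarize(results):
    """Group vantage points by the exact answer set they saw. Any split view or unreachable
    resolver is a finding worth raising before a certificate renewal."""
    views, unreachable = {}, []
    for ip, res in results.items():
        if res[0] == "error":
            unreachable.append(ip)
        else:
            views.setdefault((res[0], tuple(res[1])), []).append(ip)
    return {"consistent": len(views) == 1 and not unreachable, "views": views, "unreachable": unreachable}


def check(name, qtype, resolvers=RESOLVERS):
    results = {}
    for ip in resolvers:
        try:
            results[ip] = query(ip, name, qtype)
        except (socket.timeout, OSError) as exc:
            results[ip] = ("error", str(exc))
    return summarize(results)


def _constructed_response(qtype):
    """CONSTRUCTED wire-format reply for example.test, used only for offline demonstration."""
    question = build_query("example.test", qtype, txid=0x1234)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2 if qtype == QTYPE_A else 1, 0, 0)
    ptr = b"\xc0\x0c"  # compression pointer back to the question name at offset 12
    body = question
    if qtype == QTYPE_A:
        for ip in ("192.0.2.1", "192.0.2.2"):
            body += ptr + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    else:
        rdata = b"\x00\x05issue" + b"ssl.com"
        body += ptr + struct.pack("!HHIH", QTYPE_CAA, 1, 300, len(rdata)) + rdata
    return header + body


if __name__ == "__main__":
    print(parse_answers(_constructed_response(QTYPE_CAA)))  # offline demo of the parser
    for qt in (QTYPE_A, QTYPE_CAA):
        print(qt, check("example.test", qt))  # live check; needs outbound UDP/53
```

Run it against your own domain on a schedule and alert when `consistent` turns false: a split view across resolvers is exactly the situation in which one of the CA's remote perspectives may fail to corroborate the primary result.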
Why is MPIC Implementation Necessary?
MPIC addresses critical security vulnerabilities that attackers have exploited to obtain unauthorized certificates. Attackers have successfully manipulated DNS responses or BGP routes in localized regions, effectively deceiving Certificate Authorities into issuing certificates for domains they don’t control. By requiring validation from multiple network perspectives, MPIC makes these localized attacks significantly more difficult to execute, as an attacker would need to compromise multiple, geographically distributed network locations simultaneously.
Beyond mitigating DNS and BGP attacks, MPIC represents a broader commitment to strengthening public trust in the certificate ecosystem. When CAs adopt multi-perspective issuance corroboration, they demonstrate adherence to higher security standards that protect both website owners and end users, thereby reinforcing trust in digital certificates.
Need to find more information or still have questions about MPIC?
For additional information, please get in touch with our support team.