MPIC FAQ
To comply with new CA/B Forum requirements, Sectigo is introducing Multi-Perspective Issuance Corroboration (MPIC) for Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks. This process mitigates security risks by verifying traditional DCV and CAA results from multiple remote network perspectives across different regions.

What’s new?
To comply with new CA/B Forum requirements (Ballot SC-067), Sectigo is implementing Multi-Perspective Issuance Corroboration (MPIC)—a security enhancement for TLS certificate issuance. This new validation process ensures that traditional Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks are verified from multiple independent network perspectives.
As of May 2025, MPIC is expected to enter a reporting phase for S/MIME certificate issuance as well. The exact date will be announced in advance.
Who is affected?
Customers requesting publicly trusted TLS certificates that require DCV and CAA validation. This includes organizations using ACME-based automation, HTTP, DNS, or email-based DCV methods. S/MIME certificates are expected to follow the same requirements in the near future.
Why is this change happening?
Recent research has identified security risks, such as BGP hijacking, that could allow an attacker to manipulate DCV and CAA results. MPIC mitigates this risk by confirming validation results from multiple locations worldwide, strengthening the integrity of certificate issuance.
What do I need to do?
From February 18, 2025, MPIC will operate in a reporting-only mode, providing visibility into validation results from multiple locations without impacting issuance.
By no later than September 15, 2025, MPIC enforcement will be in full effect, and certificates will not be issued if the remote validation checks fail to corroborate the primary validation results.
Customers should ensure that their systems allow validation checks from multiple network locations before the enforcement date.
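One way to check, from your own web server's access log, whether HTTP-based DCV requests are being served to every source that asks. This is an added example, not Sectigo code. It assumes a common/combined-format access log and that each validation perspective shows up as a distinct client IP; the sample log lines, IP addresses and token names are constructed.

```python
import re
from collections import defaultdict

# Paths used by file-based HTTP DCV and by ACME http-01.
DCV_PATH = re.compile(r"^/\.well-known/(?:pki-validation|acme-challenge)/")
# Common/combined access-log format: client IP, request line, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)[^"]*" (\d{3}) ')

def audit_dcv_requests(log_text, required_ok=5):
    """Per DCV URL: distinct sources served (2xx) and sources only ever refused."""
    seen = defaultdict(lambda: {"ok": set(), "refused": set()})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not DCV_PATH.match(m.group(2)):
            continue
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        if 200 <= status < 300:
            seen[path]["ok"].add(ip)
        elif status >= 400:  # 3xx skipped: the redirected request is logged separately
            seen[path]["refused"].add(ip)
    report = {}
    for path, s in seen.items():
        refused = sorted(s["refused"] - s["ok"])
        # required_ok=5 mirrors the page's post-enforcement figure; the primary
        # check is also in the log, so len(ok) is an upper bound on remote successes.
        report[path] = {"ok": len(s["ok"]), "refused": refused,
                        "at_risk": bool(refused) or len(s["ok"]) < required_ok}
    return report

def _line(ip, path, status):  # builds one constructed log line
    return f'{ip} - - [18/Feb/2025:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 64 "-" "-"'

# Constructed sample: documentation-range IPs stand in for validation sources.
SOURCES = ["192.0.2.10", "192.0.2.11", "198.51.100.20",
           "198.51.100.21", "203.0.113.30", "203.0.113.31"]
ACME = "/.well-known/acme-challenge/EXAMPLE-TOKEN"
FILE = "/.well-known/pki-validation/EXAMPLE.txt"
SAMPLE_LOG = "\n".join(
    [_line(ip, ACME, 403 if ip.startswith("203.0.113.") else 200) for ip in SOURCES]
    + [_line(ip, FILE, 200) for ip in SOURCES]
    + [_line("192.0.2.99", "/index.html", 200)]
)

if __name__ == "__main__":
    for path, result in audit_dcv_requests(SAMPLE_LOG).items():
        print(path, result)
```

A URL flagged `at_risk` with a non-empty `refused` list usually points at a geo-block, WAF rule or IP allowlist that serves some networks and denies others.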
Q&A
MPIC enhances the security of certificate issuance by verifying Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks from multiple global network locations. This prevents potential risks, such as BGP hijacking, from compromising domain control validation and certificate authority authorization.
Publicly trusted TLS certificate requests that use the following DCV methods.
MPIC applies to the following DCV methods:
- DNS CNAME-based DCV
- HTTP-based DCV
- DNS TXT-based DCV
- IP Address-based DCV
- DNS TXT Email-based DCV
- ACME “http-01”
- ACME “dns-01”
- S/MIME certificates will follow the same requirements in the near future.
- February 18, 2025 – MPIC begins in a reporting-only mode, allowing potential issues to be identified and fixed before the results of multi-perspective validation start impacting issuance.
- September 15, 2025 – Certificates will not be issued if multi-perspective checks fail to confirm the primary DCV or CAA validation. Sectigo will enforce an earlier cut-off date and will provide updates accordingly.
Starting in February 2025, DCV and CAA checks will be performed from multiple independent network locations. Initially, at least two remote perspectives will be used, increasing to up to six perspectives as enforcement approaches.
After the enforcement date, at least five successful remote validation checks will be required to issue a certificate.
No. Certificates issued before February 18, 2025, will remain valid until they expire or are revoked.
There are no changes to reissuance or renewal rules. However, when DCV and CAA checks must be redone, MPIC will apply.
The reporting phase provides time to identify and resolve potential issues before MPIC enforcement begins. This ensures a smooth transition and prevents unexpected disruptions.