MPIC FAQ
To comply with new CA/B Forum requirements, Sectigo is introducing Multi-Perspective Issuance Corroboration (MPIC) for Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks. This process mitigates security risks by verifying traditional Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) results from multiple remote network perspectives across different regions.
What’s new?
To comply with new CA/B Forum requirements (Ballot SC-067), Sectigo is implementing Multi-Perspective Issuance Corroboration (MPIC)—a security enhancement for TLS certificate issuance. This new validation process ensures that traditional Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks are verified from multiple independent network perspectives.
As of May 2025, MPIC entered a reporting phase for S/MIME certificate issuance as well.
Who is affected?
Customers requesting publicly trusted TLS certificates that require DCV and CAA validation. This includes organizations using ACME-based automation, HTTP, DNS, or email-based DCV methods. S/MIME certificates follow the same requirements.
Why is this change happening?
Recent research has identified security risks, such as BGP hijacking, that could allow an attacker to manipulate DCV and CAA results. MPIC mitigates this risk by confirming validation results from multiple locations worldwide, strengthening the integrity of certificate issuance.
What do I need to do?
From February 18, 2025, MPIC has been running in reporting-only mode to help organizations monitor readiness.
To ensure a smooth transition ahead of the CA/B Forum’s enforcement deadline, Sectigo will begin MPIC enforcement on September 13, 2025, slightly earlier than the originally communicated September 15 date.
Most customers will not need to make changes. Just ensure your systems allow validation requests from multiple locations before enforcement begins.
Q&A
MPIC enhances the security of certificate issuance by verifying Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks from multiple global network locations. This prevents potential risks, such as BGP hijacking, from compromising domain control validation or certificate authority authorization results.
Publicly trusted TLS certificate requests that use the DCV methods listed below.
MPIC applies to the following DCV methods:
- DNS CNAME-based DCV
- HTTP-based DCV
- DNS TXT-based DCV
- IP Address-based DCV
- DNS TXT Email-based DCV
- ACME “http-01”
- ACME “dns-01”
S/MIME certificates follow the same requirements.
- February 18, 2025 – MPIC begins in a reporting-only mode, allowing customers to identify and address potential infrastructure issues ahead of enforcement. Certificate issuance will not be affected during this phase.
- September 13, 2025 – Sectigo will begin full enforcement of MPIC checks two days ahead of the CA/B Forum’s September 15 deadline. Certificates will not be issued if multi-perspective checks fail to corroborate the primary DCV or CAA validation.
Note: A previous communication referenced September 15 as the enforcement date. Sectigo is implementing the enforcement slightly earlier to ensure a smoother transition and mitigate potential last-minute risks.
The reporting phase provides time to identify and resolve potential issues before MPIC enforcement begins. This ensures a smooth transition and prevents unexpected disruptions.
Starting in February 2025, DCV and CAA checks will be performed from multiple independent network locations. Initially, at least two remote perspectives will be used.
No. MPIC is a public CA requirement and only applies to publicly trusted TLS and S/MIME certificates. Private certificates or those issued by internal PKI systems are not affected.
No. Certificates issued before the given enforcement timelines will remain valid until they expire or are revoked.
No changes to reissuance or renewal rules. However, when DCV and CAA checks must be redone, MPIC will apply.
Here are a few known scenarios that might cause a certificate order to fail MPIC checks, even if primary validation passes:
- Geo-restricted access to HTTP endpoints
- Firewalls that restrict traffic from specific regions or IPs
- Static firewall rules that only allow known Sectigo validation IPs
- Blocked or filtered User-Agent header
- DNS responses differ based on the querying location
- Short-lived DCV-related DNS records or HTTP files that are deleted too quickly
These configurations may prevent successful corroboration from various global perspectives. If you fall into one of these categories, your infrastructure needs to be updated before MPIC enforcement on September 13, 2025, to allow smooth certificate issuance.
To avoid validation failures, we recommend keeping your DCV resources in place until the certificate is issued.
This includes:
- HTTP files for file-based validation
- DNS records (e.g., for CNAME or DNS TXT DCV methods)
With MPIC, the same validation resource will be checked from multiple global perspectives, not just once from a central location. Removing records too early may result in failed corroboration.
Yes. If you’re requesting a certificate with multiple SANs (Subject Alternative Names), each domain listed will be independently validated through multi-perspective checks.
This means you could see multiple DCV and CAA validation requests per domain, coming from different locations around the world. These additional checks are expected and part of the new industry standard.
To ensure smooth issuance:
- Avoid blocking or filtering based on IP, region, or User-Agent headers
- Maintain DCV resources for all SAN domains until the certificate is fully issued
Yes. While most customers won’t need to change anything, a few infrastructure configurations can unintentionally block MPIC checks. To avoid surprises during the test windows or when MPIC becomes mandatory on September 13, we recommend the following:
Do this:
- Keep your DCV files (e.g., HTTP or DNS records) in place until your certificate has been successfully issued
- Allow global access to the domain validation resources (e.g., HTTP files and DNS records)
Avoid this:
- Don’t whitelist IP addresses or restrict HTTP User-Agent headers for certificate validation endpoints
- Don’t restrict HTTP access by geographic region — MPIC tests from multiple global perspectives
- Don’t remove DNS records or HTTP files too early — especially if using SANs (Subject Alternative Names) that each require validation
These tips will help ensure your certificate requests pass both primary and multi-perspective validation checks smoothly.
To ensure a smooth transition ahead of the CA/B Forum enforcement deadline on September 15, 2025, Sectigo is conducting two early testing windows so that you can verify your systems are ready for multi-perspective validation checks.
- August 28, 2025 (1 hour, starting at 7 AM ET)
- September 3, 2025 (8 hours, starting at 6 AM ET)
During these windows, Sectigo will temporarily simulate MPIC enforcement mode. If your multi-perspective validation checks fail during this time, your certificates will still be issued — as long as primary validation succeeds and testing has concluded.
These tests are designed to be low-risk and most users won’t notice any changes. But if any issues do occur, this is your opportunity to fix them before enforcement begins.
Reminder: The CA/B Forum requires MPIC enforcement by September 15, 2025. However, Sectigo will begin enforcing MPIC on September 13, 2025, to provide a small buffer and ensure a compliant transition ahead of the industry deadline.
No. The vast majority of customers will experience no changes and certificate issuance will proceed as usual. Your certificate will still be issued without any effort on your part, and if multi-perspective tests fail during this period you will have the opportunity to make the necessary infrastructure improvements. The corroboration mode testing is designed to surface edge-case issues in a controlled way, without blocking issuance.
You may be more likely to see issues if your environment includes:
- Geo-restricted access to HTTP endpoints
- Blocked or filtered User-Agent headers
- Static firewall rules that only allow known Sectigo validation IPs
- Short-lived DCV-related DNS records or HTTP DCV records that are deleted too quickly
These configurations may prevent successful corroboration from various global perspectives. If you fall into one of these categories, we recommend reviewing the readiness tips provided above.
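A readiness self-check for the failure scenarios listed above (unreachable or filtered perspectives, location-dependent DNS answers, records removed too early). This is an added example, not Sectigo's validation tooling: it fetches a file-based DCV resource with a non-browser User-Agent and applies a deliberately conservative corroboration rule (assumed here, not the CA/B Forum quorum) that every remote perspective must see exactly what the primary saw. The sample observations are constructed; in practice you would feed in results gathered from hosts or resolvers in different regions.

```python
"""MPIC readiness self-check (example code, not Sectigo's). Stdlib only."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import urllib.error
import urllib.request


@dataclass(frozen=True)
class Observation:
    perspective: str          # label for the vantage point (region, resolver, host)
    value: Optional[str]      # DCV content seen from there; None if blocked/unreachable


def corroborate(primary: str, remotes: List[Observation]) -> Tuple[bool, List[str]]:
    """Conservative rule (an assumption of this example): at least two remote
    perspectives, all reachable, all returning the same value as the primary.
    Returns (ok, list of human-readable problems)."""
    problems: List[str] = []
    for obs in remotes:
        if obs.value is None:
            problems.append(f"{obs.perspective}: unreachable (geo/IP/User-Agent filtering?)")
        elif obs.value.strip() != primary.strip():
            problems.append(f"{obs.perspective}: mismatch ({obs.value!r} != {primary!r})")
    if len(remotes) < 2:
        problems.append("fewer than two remote perspectives observed")
    return (not problems, problems)


def fetch_http_dcv(url: str, user_agent: str = "mpic-readiness-check/1.0",
                   timeout: float = 10.0) -> Optional[str]:
    """Fetch a file-based DCV resource the way a validation agent would: plain
    GET with a non-browser User-Agent. Returns None when blocked or unreachable,
    which is exactly what a filtered perspective looks like to the CA."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


# Constructed sample: primary sees the token, one remote region is geo-blocked.
SAMPLE_PRIMARY = "token-abc123"
SAMPLE_REMOTES = [
    Observation("remote-eu", "token-abc123"),
    Observation("remote-apac", None),          # e.g. firewall drops this region
    Observation("remote-sa", "token-abc123"),
]

if __name__ == "__main__":
    ok, problems = corroborate(SAMPLE_PRIMARY, SAMPLE_REMOTES)
    print("corroborated" if ok else "NOT corroborated")
    print(*problems, sep="\n")
```

To check a live resource, collect `fetch_http_dcv(url)` (or the output of a DNS query) from several regions into `Observation` objects and pass them to `corroborate`; any problem line points at a configuration to fix before enforcement.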
If your certificate fails MPIC validation on August 28 or September 3, don’t worry — your certificate will still be issued as long as traditional validation succeeds.
However, treat this as an early signal to review your environment and make any necessary adjustments before Sectigo enforcement begins on September 13 and the CA/B Forum requirement becomes mandatory on September 15, 2025.
We recommend you:
- Review firewall or web server restrictions
- Keep DCV-related HTTP/DNS records in place until validation completes
- Avoid geo-blocking or filtering that limits validation from global locations
