The End of WHOIS for SSL Certificate Validation
Amanda Davis
Before a Certificate Authority (CA) issues an SSL Certificate, it must confirm that the applicant controls the domain through Domain Control Validation (DCV). For many years, WHOIS records were a cornerstone of that check, supplying the contact details used to confirm ownership.
That era has ended. WHOIS is no longer used for SSL Certificate validation, and this article explains what changed, when, and which methods replace it.
The Old Role of WHOIS
WHOIS is a query protocol for the databases that record who holds an Internet resource, such as a domain name. During validation, the Certificate Authority (CA) would look up the domain contact in WHOIS and send a confirmation message to the listed registrant address.
This made accurate WHOIS data important at the time, since outdated contact details could delay or block issuance. That dependence is exactly what the industry moved away from.
What Changed and When
Under industry rule change Ballot SC-80v3, the use of WHOIS to identify domain contacts was retired, along with the validation methods that relied on it. Two dates applied to every SSL Certificate customer.
On January 15, 2025, Certificate Authorities stopped using contact details from web-based WHOIS lookups. By July 15, 2025, they stopped relying on WHOIS-based validation altogether, including lookups made over the WHOIS protocol itself.
Existing WHOIS-based validations also fell away. From July 2025 they could no longer be reused, even if they sat within the old 397-day reuse window.
The Methods That Replace It
Three Domain Control Validation (DCV) methods now prove control of a domain, and Trustico® supports all of them. Each works without any reliance on WHOIS.
Approver e-mail sends a message to one of five fixed addresses at the domain, namely admin, administrator, webmaster, hostmaster, or postmaster, each followed by the domain name. Replying as instructed completes the check, often within minutes for a Domain Validation (DV) SSL Certificate.
The CNAME method proves control through a Domain Name System (DNS) record instead of a mailbox. After ordering, you can switch the preference to CNAME in the SSL Certificate Tracking and Management Tool and add the record supplied.
File-based validation places a file holding a supplied random value at a fixed path on the web server, under /.well-known/pki-validation/, reachable over HTTP. The Certificate Authority (CA) reads it to confirm control.
Working in the Post-WHOIS Environment
For most domain owners, Approver e-mail remains the simplest route when one of the five role addresses is reachable. Where e-mail is not convenient, the CNAME method gives a reliable alternative that depends only on Domain Name System (DNS) access.
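Because replying from any one of the five role addresses completes validation, it is worth checking who actually receives each of them before relying on Approver e-mail. The following is an added example, not Trustico's code: the "address: recipients" alias-table format, the sample entries, the trusted-recipient list and the function names are all assumptions constructed for illustration.

```python
# Added example: audit who receives the five DCV approver addresses for a domain.
APPROVER_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

# Constructed sample of an exported alias table (hypothetical format, not tied
# to any particular mail server). "@domain" denotes a catch-all entry.
SAMPLE_ALIASES = """
admin@example.com: it-ops@example.com
postmaster@example.com: it-ops@example.com, former.contractor@mailhost.example
webmaster@example.com: agency@webshop.example
@example.com: catchall@example.com
"""

def parse_aliases(text):
    """Parse 'address: recipient, recipient' lines into {address: [recipients]}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow trailing comments
        if not line or ":" not in line:
            continue
        addr, targets = line.split(":", 1)
        table[addr.strip().lower()] = [t.strip().lower() for t in targets.split(",") if t.strip()]
    return table

def audit_approvers(domain, aliases, trusted):
    """Return {approver address: (status, recipients not on the trusted list)}.

    status is 'ok', 'review' (mail reaches someone unexpected) or 'unrouted'.
    """
    domain = domain.lower()
    report = {}
    for local in APPROVER_LOCAL_PARTS:
        addr = f"{local}@{domain}"
        # An explicit alias wins; otherwise a catch-all, if present, gets the mail.
        recipients = aliases.get(addr, aliases.get(f"@{domain}"))
        if recipients is None:
            report[addr] = ("unrouted", [])
            continue
        unexpected = [r for r in recipients if r not in trusted]
        report[addr] = ("review" if unexpected else "ok", unexpected)
    return report

if __name__ == "__main__":
    result = audit_approvers("example.com", parse_aliases(SAMPLE_ALIASES), {"it-ops@example.com"})
    for address, (status, unexpected) in result.items():
        print(f"{address:28} {status:9} {', '.join(unexpected)}")
```

In the constructed sample only admin@example.com reaches the trusted team alone; the other four addresses are delivered to a former contractor, an outside agency, or the catch-all mailbox, and each is flagged for review.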
For larger estates, automated issuance through the ACME protocol handles validation without manual steps each time.
Managing many domains is lighter still through Trustico® Certificate as a Service (CaaS), which automates validation across a portfolio.