Multi-Perspective Issuance Corroboration (MPIC) is a security mechanism that requires Certificate Authorities (CA) to verify Domain Control Validation (DCV) and Certification Authority Authorization (CAA) checks from multiple independent network locations around the world before issuing an SSL Certificate.
The CA/Browser Forum introduced Multi-Perspective Issuance Corroboration (MPIC) to defend against routing-based attacks during SSL Certificate issuance. Sectigo, the Certificate Authority (CA) partner that Trustico® works with to provide SSL Certificates, has enforced Multi-Perspective Issuance Corroboration (MPIC) since September 13, 2025.
For the majority of Trustico® customers, Multi-Perspective Issuance Corroboration (MPIC) operates entirely in the background and requires no changes to existing infrastructure. However, organizations that restrict access to their Domain Name System (DNS) servers or web servers by region, IP address, or other criteria may experience SSL Certificate issuance failures unless those restrictions accommodate validation traffic from a global range of network perspectives.
Understanding Multi-Perspective Issuance Corroboration (MPIC)
Multi-Perspective Issuance Corroboration (MPIC) is the formal name for a validation enhancement that the CA/Browser Forum introduced through Ballot SC-067. The mechanism requires that every Domain Control Validation (DCV) and Certification Authority Authorization (CAA) check performed during SSL Certificate issuance be corroborated by at least two additional remote network perspectives, in addition to the primary perspective used by the Certificate Authority (CA).
The intent is straightforward. A Certificate Authority (CA) that only validates a domain from a single network location can, in principle, be deceived by an attacker who manipulates Internet routing to redirect validation traffic.
By requiring the same validation result from multiple independent locations, Multi-Perspective Issuance Corroboration (MPIC) makes such attacks substantially harder to execute. An attacker would need to simultaneously hijack traffic to every validation perspective rather than only one.
Background and Purpose
The motivation for Multi-Perspective Issuance Corroboration (MPIC) comes from academic and industry research into Border Gateway Protocol (BGP) hijacking attacks against the SSL Certificate issuance process. Border Gateway Protocol (BGP) is the routing protocol that determines how traffic flows between networks on the Internet, and a successful hijack allows an attacker to temporarily redirect traffic destined for a particular IP address to a network they control.
Researchers demonstrated that an attacker capable of executing a Border Gateway Protocol (BGP) hijack against a Certificate Authority (CA) could trick the Certificate Authority (CA) into validating domain control for a domain the attacker does not legitimately own. This would in turn allow the attacker to obtain a valid SSL Certificate for that domain and use it to impersonate the legitimate website.
Multi-Perspective Issuance Corroboration (MPIC) directly addresses this risk by ensuring that any attacker would need to compromise multiple geographically dispersed network paths simultaneously to deceive the Certificate Authority (CA).
Validation Methods Affected By Multi-Perspective Issuance Corroboration (MPIC)
Multi-Perspective Issuance Corroboration (MPIC) applies to all Domain Control Validation (DCV) methods used during the issuance of publicly trusted SSL Certificates.
Certification Authority Authorization (CAA) lookups are also covered by Multi-Perspective Issuance Corroboration (MPIC) because Certification Authority Authorization (CAA) records are the mechanism by which a domain owner restricts which Certificate Authorities (CA) may issue SSL Certificates for the domain. A successful Border Gateway Protocol (BGP) hijack against a Certification Authority Authorization (CAA) lookup would allow an attacker to bypass these restrictions, so the same multi-perspective requirement applies.
S/MIME E-Mail Certificates follow the same Multi-Perspective Issuance Corroboration (MPIC) requirements as SSL Certificates, with reporting-mode enforcement having commenced in May 2025 ahead of broader S/MIME Certification Authority Authorization (CAA) enforcement requirements.
Operation of Multi-Perspective Issuance Corroboration (MPIC) Validation
During the issuance of an SSL Certificate, Sectigo first performs Domain Control Validation (DCV) and Certification Authority Authorization (CAA) checks from its primary validation infrastructure. Once the primary checks succeed, the same checks are repeated from at least two additional remote network perspectives located in different regions of the world.
For the SSL Certificate to be issued, the results from the remote perspectives must corroborate the primary result. If the primary Certification Authority Authorization (CAA) lookup returned an authorization for Sectigo, the remote lookups must return the same. If the primary Domain Control Validation (DCV) check confirmed control of the domain via a Domain Name System (DNS) TXT record, the remote checks must locate the same record.
Any meaningful divergence between perspectives results in the SSL Certificate issuance failing, and the customer must then identify and resolve the cause before issuance can proceed.
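The corroboration step described above, modelled offline as an added example (not Sectigo's or Trustico's code). It assumes a strict rule in which every remote perspective must agree with the primary; the page does not state the exact quorum the Certificate Authority (CA) applies, and the token, perspective names and CAA issuer domain are constructed or assumed values.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

TOKEN = "constructed-dcv-token-1234"   # constructed sample DCV value
CA = "sectigo.com"                     # CAA issuer domain assumed for this example

@dataclass(frozen=True)
class Observation:
    perspective: str
    txt: Optional[FrozenSet[str]]  # TXT values seen; None = no answer received
    caa: Optional[FrozenSet[str]]  # CAA "issue" domains; empty = no CAA record

def passes(obs: Observation, token: str, ca: str) -> bool:
    """One perspective's verdict: DCV token found and CAA permits the CA."""
    if obs.txt is None or obs.caa is None:
        return False                        # query blocked or timed out
    caa_ok = not obs.caa or ca in obs.caa   # no CAA record means unrestricted
    return token in obs.txt and caa_ok

def corroborate(primary: Observation, remotes: List[Observation],
                token: str, ca: str, min_remotes: int = 2) -> Tuple[bool, List[str]]:
    """Return (issue, reasons). Strict model: every remote must agree."""
    reasons = []
    if not passes(primary, token, ca):
        reasons.append(f"{primary.perspective}: primary check failed")
    if len(remotes) < min_remotes:
        reasons.append(f"only {len(remotes)} remote perspective(s)")
    for r in remotes:
        if not passes(r, token, ca):
            why = "unreachable" if r.txt is None or r.caa is None else "diverged"
            reasons.append(f"{r.perspective}: {why}")
    return (not reasons, reasons)

def demo() -> dict:
    """Constructed scenarios: healthy, split-horizon DNS, geo-blocked DNS."""
    txt, caa = frozenset({TOKEN}), frozenset({CA})
    primary = Observation("primary", txt, caa)
    eu = Observation("remote-eu", txt, caa)
    cases = {
        "healthy": [eu, Observation("remote-apac", txt, caa)],
        "split_horizon": [eu, Observation("remote-apac", frozenset(), caa)],
        "geo_blocked": [eu, Observation("remote-apac", None, None)],
        "caa_differs": [eu, Observation("remote-apac", txt, frozenset({"other-ca.example"}))],
    }
    return {name: corroborate(primary, rs, TOKEN, CA) for name, rs in cases.items()}

if __name__ == "__main__":
    for name, (issue, reasons) in demo().items():
        print(f"{name:14} issue={issue} {reasons}")
```

In every failing scenario the primary check succeeds, which is why these faults were invisible under single-perspective validation.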
Enforcement Timeline and Historical Context
The CA/Browser Forum approved Ballot SC-067 in August 2024 with a phased rollout designed to give Certificate Authorities (CA) and customers time to prepare. Sectigo entered a reporting-only phase on February 18, 2025, during which Multi-Perspective Issuance Corroboration (MPIC) checks were performed but did not block issuance, allowing customers to identify infrastructure problems without consequence to their SSL Certificate orders.
In late August and early September 2025, Sectigo conducted two corroboration testing windows during which Multi-Perspective Issuance Corroboration (MPIC) enforcement was temporarily simulated. SSL Certificates continued to be issued during these windows even where multi-perspective checks failed, but customers received signals that their infrastructure required attention.
Full enforcement began on September 13, 2025, two days ahead of the CA/Browser Forum industry deadline of September 15, 2025. Since that date, SSL Certificates cannot be issued unless Multi-Perspective Issuance Corroboration (MPIC) checks successfully corroborate the primary Domain Control Validation (DCV) and Certification Authority Authorization (CAA) results.
Infrastructure Requirements for Successful Validation
The single most important requirement for successful Multi-Perspective Issuance Corroboration (MPIC) validation is that your authoritative Domain Name System (DNS) servers and any web servers hosting Domain Control Validation (DCV) resources must be reachable from a global range of IP addresses.
Sectigo does not publish a fixed list of validation source addresses, and customers should not attempt to whitelist specific IP ranges for the Certificate Authority (CA). The validation perspectives may change over time and across regions.
Domain Name System (DNS) queries on port 53, both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), must be permitted from any source globally.
Where Domain Control Validation (DCV) uses HyperText Transfer Protocol (HTTP) file-based methods, the validation files must be accessible to HyperText Transfer Protocol (HTTP) requests from any source globally, and the web server must not filter requests based on geographic origin or User-Agent header content.
Common Configurations That Cause Validation Failures
Several infrastructure patterns commonly prevent successful Multi-Perspective Issuance Corroboration (MPIC) validation even when primary validation succeeds. Geographic restrictions on HyperText Transfer Protocol (HTTP) endpoints are the most frequent cause, where a web server allows access only from a specific country or region and consequently refuses requests originating from validation perspectives in other parts of the world.
Firewall rules that permit only known Sectigo IP addresses are equally problematic. These configurations may have worked under single-perspective validation but actively block the additional perspectives required by Multi-Perspective Issuance Corroboration (MPIC). User-Agent header filtering, where the web server rejects requests that do not present a recognized browser identifier, similarly prevents validation perspectives from completing their checks.
Geographically inconsistent Domain Name System (DNS) responses, often the result of split-horizon or geographically aware Domain Name System (DNS) configurations, can cause different validation perspectives to receive different answers for the same query. Where these answers diverge in material ways, the validation fails.
Short-lived Domain Control Validation (DCV) records that are removed before all perspectives have completed their queries are another common cause of failure, particularly for SSL Certificates with multiple Subject Alternative Names (SAN) where validation may take longer to complete across the full set of domains.
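A way to spot these failure patterns in your own web server access log, as an added example that is not part of the original article. It assumes combined log format and that validation files are served under `/.well-known/pki-validation/`; the log lines, addresses (documentation ranges) and the `validator-a` User-Agent are constructed.

```python
import re
from collections import Counter

DCV_PREFIX = "/.well-known/pki-validation/"  # assumed DCV path for this deployment
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample: one allowed source, two blocked sources, one unrelated
# request, and a late request arriving after the file was removed.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2025:10:00:01 +0000] "GET /.well-known/pki-validation/constructed.txt HTTP/1.1" 200 64 "-" "validator-a"
198.51.100.7 - - [01/Oct/2025:10:00:03 +0000] "GET /.well-known/pki-validation/constructed.txt HTTP/1.1" 403 153 "-" "validator-a"
203.0.113.44 - - [01/Oct/2025:10:00:04 +0000] "GET /.well-known/pki-validation/constructed.txt HTTP/1.1" 403 153 "-" "validator-a"
203.0.113.90 - - [01/Oct/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Oct/2025:10:05:00 +0000] "GET /.well-known/pki-validation/constructed.txt HTTP/1.1" 404 0 "-" "validator-a"
"""

HINTS = {
    403: "blocked by an access rule (geo, IP allow-list or User-Agent filter)",
    404: "validation file missing (removed too early or wrong path)",
}

def dcv_failures(log_text):
    """Return (ip, status, user_agent) for every non-200 request to the DCV path."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not m["path"].startswith(DCV_PREFIX):
            continue                      # unparsable line or not a DCV request
        status = int(m["status"])
        if status != 200:
            out.append((m["ip"], status, m["ua"]))
    return out

def summarize(failures):
    """Map each failing status to (count, likely cause from the list above)."""
    counts = Counter(status for _, status, _ in failures)
    return {s: (n, HINTS.get(s, "unexpected response")) for s, n in sorted(counts.items())}

if __name__ == "__main__":
    for status, (n, hint) in summarize(dcv_failures(SAMPLE_LOG)).items():
        print(f"{status}: {n} request(s), {hint}")
```

Requests dropped at a network firewall never reach the web server, so an empty result here does not rule out an IP or geographic block upstream.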
Best Practices for Multi-Perspective Issuance Corroboration (MPIC) Compliance
The fundamental practice for ensuring successful Multi-Perspective Issuance Corroboration (MPIC) validation is to keep all Domain Control Validation (DCV) resources in place until the SSL Certificate has been fully issued. This applies to HyperText Transfer Protocol (HTTP) validation files, Domain Name System (DNS) TXT records, and Domain Name System (DNS) CNAME records. Removing these resources too early is one of the most common preventable causes of validation failure.
Customers should also ensure that any geographic restrictions, firewall rules, or filtering logic applied to validation endpoints permit global access. This does not mean removing security controls from production services more broadly, but rather ensuring that the specific paths used for Domain Control Validation (DCV) are reachable from any network location.
For customers who require ongoing SSL Certificate issuance through automated processes, the Automatic Certificate Management Environment (ACME) protocol handles the timing of Domain Control Validation (DCV) resource placement and removal automatically. This significantly reduces the risk of resources being removed before all Multi-Perspective Issuance Corroboration (MPIC) perspectives have completed their checks.
Important: Multi-Perspective Issuance Corroboration (MPIC) is a Certificate Authority (CA) requirement enforced at issuance time, and Trustico® is unable to bypass or override the validation result. If your SSL Certificate issuance fails Multi-Perspective Issuance Corroboration (MPIC) checks, the necessary remediation is to your own infrastructure and not something that can be resolved at the Certificate Authority (CA).
Subject Alternative Names (SAN) and Multi-Perspective Issuance Corroboration (MPIC)
SSL Certificates that secure multiple domains through Subject Alternative Name (SAN) entries are subject to Multi-Perspective Issuance Corroboration (MPIC) validation for every domain listed in the SSL Certificate request. Each Subject Alternative Name (SAN) is independently validated, and each validation generates queries from multiple perspectives.
This means an SSL Certificate request that covers five Subject Alternative Names (SAN) may generate many separate Domain Control Validation (DCV) and Certification Authority Authorization (CAA) checks from multiple worldwide locations during a single issuance event. Customers should be prepared for the additional traffic this generates and should ensure that Domain Control Validation (DCV) resources for every Subject Alternative Name (SAN) remain in place until the entire SSL Certificate has been issued.
Impact on SSL Certificate Reissue
Multi-Perspective Issuance Corroboration (MPIC) applies to any SSL Certificate issuance event, including reissue operations performed within the lifetime of an existing Trustico® Certificate as a Service (CaaS) license. Where a reissue requires new Domain Control Validation (DCV) or Certification Authority Authorization (CAA) checks, those checks are subject to the same multi-perspective requirements as the original SSL Certificate.
SSL Certificates issued before September 13, 2025 are not retroactively affected by Multi-Perspective Issuance Corroboration (MPIC) and remain valid through their original validity periods. However, when those SSL Certificates are next reissued or replaced through the Trustico® Certificate as a Service (CaaS) model, the reissue will require successful Multi-Perspective Issuance Corroboration (MPIC) validation.
Private Public Key Infrastructure (PKI) and Multi-Perspective Issuance Corroboration (MPIC)
Multi-Perspective Issuance Corroboration (MPIC) is a requirement that applies exclusively to publicly trusted SSL Certificates and S/MIME Certificates issued by Certificate Authorities (CA) that participate in public trust programs.
Privately issued SSL Certificates and SSL Certificates issued by internal Public Key Infrastructure (PKI) systems are not subject to Multi-Perspective Issuance Corroboration (MPIC), because they do not chain to publicly trusted root Certificate Authorities (CA) and the security risks Multi-Perspective Issuance Corroboration (MPIC) addresses do not apply in the same way.
Organizations operating internal Public Key Infrastructure (PKI) for the issuance of SSL Certificates within their own networks may continue to use single-perspective validation or any other validation mechanism appropriate to their environment. The Trustico® product range covers publicly trusted SSL Certificates only, all of which are subject to Multi-Perspective Issuance Corroboration (MPIC).
Removing Domain Control Validation (DCV) Resources Safely
The safest practice is to leave Domain Control Validation (DCV) resources in place until the SSL Certificate has been issued and you have received the completed SSL Certificate. Removing resources during the validation window can cause Multi-Perspective Issuance Corroboration (MPIC) corroboration to fail, particularly where additional perspectives query the resource shortly after the primary check has completed.
Once the SSL Certificate is in your hands and installed on the destination server, Domain Control Validation (DCV) resources may be safely removed unless your SSL Certificate provider requires them to remain for ongoing validation purposes. Trustico® does not require Domain Control Validation (DCV) resources to remain in place after SSL Certificate issuance.