

MPIC and the Future of Domain Validation


There is a quiet change happening underneath every TLS certificate your organization requests, and most teams have not noticed it yet. The way certificate authorities confirm that you actually control your own domain has changed. It is stricter now, it runs from several places on the internet at once, and starting in 2026 it runs a lot more often.

The reason it runs more often is simple. On March 15, 2026, the maximum lifespan of a public TLS certificate dropped to 200 days. Shorter certificates mean more renewals, and many renewals trigger a fresh domain validation. So, the new validation process, called Multi-Perspective Issuance Corroboration, or MPIC, is no longer a rare event you can ignore. It is something your domains will go through again and again, all year long. If your setup has a weak spot, you will hit it repeatedly.

This post explains what MPIC is, why it exists, what changed in your favor and what could create an issue, and how to make sure none of it ever causes you an outage.

The problem MPIC was built to solve

For years, a certificate authority confirmed domain control from a single vantage point. It would look up a DNS record you placed, or fetch a file you put on your server, and if the answer came back correct, it issued the certificate. That works fine until someone tampers with the path the request travels.

This is where Border Gateway Protocol (BGP) hijacking comes in. BGP is the routing system that decides how traffic moves across the internet, and it was not built with much security in mind. An attacker who can manipulate routing, or who can poison DNS responses, can quietly reroute a CA’s validation check through their own server. The CA sees a correct-looking answer and issues a certificate to the wrong party. From the CA’s side, nothing looks unusual. That is what makes the attack dangerous.

This is not just a theoretical worry. In 2018, a research team at Princeton demonstrated the attack in the real world. In a study they presented at the USENIX Security conference, titled Bamboozling Certificate Authorities with BGP, they used BGP hijacking to fool certificate authorities into validating domains they did not control, and they obtained genuine certificates for domains they did not own from several of the largest CAs of the day, including Let’s Encrypt, GoDaddy, Comodo, Symantec, and GlobalSign.

The attacks were carried out ethically, but they showed the weakness was usable in practice and not just on paper. That work led directly to multi-perspective validation. Let’s Encrypt, working with the same Princeton group, deployed an early version in 2020, and the industry later adopted the approach as MPIC.

How MPIC actually works

Instead of checking domain control from one place, the CA now checks from several independent network locations spread across different parts of the internet. Each location runs the same validation, whether that is a DNS lookup or an HTTP file fetch, and then the results get compared.

If every perspective agrees, validation passes and the certificate moves forward. If the perspectives disagree, say one location gets a different DNS answer or sees its request redirected, the CA treats that as a red flag and halts or flags the request. An attacker would now have to hijack routing for every vantage point at the same time, which is far harder than fooling a single check. The perspectives are deliberately placed far apart, so corroboration from genuinely distinct points on the network is what counts, not two machines sitting in the same data center.

This applies to both checks that matter at issuance, and both now run from multiple perspectives: Domain Control Validation, which proves you control the domain, and Certificate Authority Authorization (CAA), the DNS record that says which CAs are allowed to issue for you.

The rules come from the CA/Browser Forum, specifically Ballot SC-067, and they apply to every publicly trusted CA. Full enforcement arrived in September 2025, when CAs began requiring corroboration from at least two separate perspectives. The bar keeps rising in phases. Through 2026, CAs are increasing the number of required perspectives and requiring them to span more than one regional internet registry, so the geographic spread of the checks widens over time.
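The corroboration decision described above, as an added example that is not code from the original post or from any CA. The quorum thresholds, the RIR labels and the challenge token are assumptions chosen to illustrate the rule that dissenting perspectives are limited and that agreement must span more than one registry region.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Perspective:
    name: str                # constructed vantage-point label
    rir: str                 # regional internet registry region the vantage point sits in
    observed: Optional[str]  # DNS TXT value the perspective saw; None if blocked or unanswered

def max_non_corroborating(remote_count: int) -> int:
    # Assumed, simplified quorum: up to five remotes tolerate one dissenter, more tolerate two.
    # Illustrative only; it is not a quotation of the ballot text.
    return 1 if remote_count <= 5 else 2

def corroborates(p: Perspective, expected: str) -> bool:
    """A perspective corroborates when it saw exactly the challenge token the CA asked for."""
    return p.observed == expected

def mpic_decision(expected: str, primary: Perspective, remotes: List[Perspective]) -> Tuple[bool, str]:
    """Decide issuance the way a multi-perspective CA would, returning (passed, reason)."""
    if not corroborates(primary, expected):
        return False, "primary perspective could not validate the domain"
    agreeing = [p for p in remotes if corroborates(p, expected)]
    dissenting = [p for p in remotes if not corroborates(p, expected)]
    if len(agreeing) < 2:
        return False, f"only {len(agreeing)} remote perspective(s) corroborated"
    if len(dissenting) > max_non_corroborating(len(remotes)):
        return False, "too many non-corroborating perspectives: " + ", ".join(p.name for p in dissenting)
    regions = {p.rir for p in agreeing}
    if len(regions) < 2:
        return False, "corroborating perspectives all sit in one RIR region"
    return True, f"{len(agreeing)}/{len(remotes)} remote perspectives agree across {len(regions)} RIR regions"

# Constructed scenarios. TOKEN is the value the CA asked the applicant to publish in DNS.
TOKEN = "constructed-challenge-token"
PRIMARY = Perspective("ca-primary", "ARIN", TOKEN)
VANTAGE = [("us-west", "ARIN"), ("frankfurt", "RIPE"), ("singapore", "APNIC"), ("sao-paulo", "LACNIC")]

def build_remotes(*observed: Optional[str]) -> List[Perspective]:
    """Pair each observed value with a constructed vantage point, in VANTAGE order."""
    return [Perspective(n, r, o) for (n, r), o in zip(VANTAGE, observed)]

def scenario_consistent() -> Tuple[bool, str]:      # every perspective sees the same answer
    return mpic_decision(TOKEN, PRIMARY, build_remotes(TOKEN, TOKEN, TOKEN, TOKEN))

def scenario_one_blocked() -> Tuple[bool, str]:     # a firewall allowlist drops one vantage point
    return mpic_decision(TOKEN, PRIMARY, build_remotes(TOKEN, TOKEN, None, TOKEN))

def scenario_rerouted() -> Tuple[bool, str]:        # two perspectives are routed to a different answer
    return mpic_decision(TOKEN, PRIMARY, build_remotes(TOKEN, "rerouted-answer", "rerouted-answer", TOKEN))

def scenario_single_region() -> Tuple[bool, str]:   # agreement, but only from one registry region
    return mpic_decision(TOKEN, PRIMARY, [Perspective("us-west", "ARIN", TOKEN), Perspective("us-east", "ARIN", TOKEN)])
```

The blocked-perspective case still passes under this quorum, which is why a single dropped check is worth alerting on before a second one turns it into a failed renewal.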

What changes for you, and what does not

For most organizations, the good news is that MPIC happens on the CA’s side and needs no action from you. You request a certificate the way you always have, and the multi-perspective checking runs behind the scenes. If you control your domain and your DNS answers are consistent across the internet, you will not notice a thing.

The part that needs attention is narrower but real. MPIC means validation requests now arrive from multiple IP addresses in different locations, not from one predictable source. If your organization restricts access to its validation endpoints with IP allowlists or firewall rules, a check coming from an unexpected location can be blocked. When that happens, the perspectives disagree, and validation fails. Two configurations tend to cause this:

  • Firewall and allowlist rules that only permit traffic from a narrow set of IPs will block the perspectives they do not recognize. You need to make sure every network endpoint involved in validation can be reached from the CA’s full range of vantage points.
  • CAA records that are misconfigured, or that resolve inconsistently across different parts of the internet, will now surface as failures rather than passing quietly. Because CAA is checked from multiple perspectives too, an inconsistency that one location would have missed gets caught.
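A pre-flight check for the second configuration, added here as an example rather than taken from the original post: it applies RFC 8659 issue/issuewild processing to the CAA answers seen from several DNS vantage points and reports which views would disagree. The view names, the example.com zone data and the stale-secondary scenario are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed CAA data as seen from three DNS vantage points. "ns-stale" models a
# secondary nameserver that never received the last zone update.
CAA_VIEWS: Dict[str, Dict[str, List[str]]] = {
    "resolver-eu": {"example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"']},
    "resolver-us": {"example.com": ['0 issuewild ";"', '0 issue "letsencrypt.org; validationmethods=dns-01"']},
    "ns-stale":    {"example.com": ['0 issue "oldca.example"']},
}

def parse_caa(rr: str) -> Tuple[int, str, str]:
    """Split a presentation-format CAA record into (flags, tag, value)."""
    flags, tag, value = rr.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def relevant_rrset(zone_view: Dict[str, List[str]], fqdn: str) -> List[Tuple[int, str, str]]:
    """RFC 8659 section 3: the CAA RRset of the closest name, walking from fqdn toward the root, that has one."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrs = zone_view.get(".".join(labels[i:]), [])
        if rrs:
            return [parse_caa(r) for r in rrs]
    return []

def issuers(rrset: List[Tuple[int, str, str]], tag: str) -> Set[str]:
    """Issuer domain names carried by the given tag; a bare ';' means 'no CA' and yields the empty set."""
    return {v.split(";")[0].strip() for _, t, v in rrset if t == tag} - {""}

def ca_permitted(rrset: List[Tuple[int, str, str]], ca: str, wildcard: bool = False) -> bool:
    """Apply RFC 8659 issue/issuewild processing for one CA's issuer domain name."""
    if not rrset:
        return True                                   # no CAA anywhere in the chain: unrestricted
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        return ca in issuers(rrset, "issuewild")      # issuewild overrides issue for wildcard names
    if not any(t == "issue" for _, t, _ in rrset):
        return True                                   # CAA present but no issue tag: unrestricted
    return ca in issuers(rrset, "issue")

def caa_consistency(views: Dict[str, Dict[str, List[str]]], fqdn: str, ca: str, wildcard: bool = False) -> Dict[str, bool]:
    """Per-vantage-point verdict; mixed True/False is exactly the disagreement MPIC will surface."""
    return {view: ca_permitted(relevant_rrset(zone, fqdn), ca, wildcard) for view, zone in views.items()}

def inconsistent_views(views: Dict[str, Dict[str, List[str]]], fqdn: str, ca: str, wildcard: bool = False) -> List[str]:
    """Names of vantage points whose verdict differs from the majority."""
    verdicts = caa_consistency(views, fqdn, ca, wildcard)
    majority = max(set(verdicts.values()), key=list(verdicts.values()).count)
    return sorted(v for v, ok in verdicts.items() if ok != majority)
```

Run it against your own zone as served by each authoritative nameserver and a few public resolvers; any name that lands in the inconsistent list is the one a multi-perspective check will trip over.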

On their own, neither problem is hard to fix. The catch is timing. Under the old one-year certificates, you ran into a validation issue once a year and had plenty of time to sort it out. With 200-day certificates, and shorter ones coming, you face validation far more frequently, and a brittle setup that used to fail once now fails on a schedule. A misconfiguration that causes an outage every renewal is a much bigger problem than one you tripped over annually.


Why the two changes matter together

Put the two changes side by side and the takeaway is clear. Validation got stricter, which is good for everyone, and it got more frequent, which raises the cost of any weak spot in how you handle it. The organizations that sail through are the ones that know where all their certificates are, renew them automatically, keep their CAA records clean and consistent, and have made sure their validation endpoints are reachable from anywhere a CA might check. The ones that struggle are the ones still tracking certificates by hand, where each renewal is a small manual event and each manual event is a chance to get blocked.

The fix is not complicated, but it does need to be deliberate. Shorter certificates reward automation and punish improvisation, and MPIC is one more reason that the gap between the two is widening.

How Encryption Consulting can help

The way through MPIC and 200-day certificates is to stop treating renewals as occasional manual tasks and start running them as an automated, well-monitored process.

CertSecure Manager, our certificate lifecycle management solution, is built for exactly this environment. It discovers every certificate across your cloud, on-premises, and hybrid systems, so nothing gets caught by surprise, and it automates issuance and renewal end to end, which removes the manual steps where validation problems usually surface.

It keeps a real-time inventory with expiry and configuration details, monitors your CAA records for the kind of inconsistency MPIC will now catch, and alerts you well before anything reaches a critical state. When validation runs several times a year instead of once, that automation is the difference between a routine background process and a recurring fire drill.

For organizations that need help getting the underlying setup right, our PKI Services team can review and modernize your domain validation, CAA, and certificate issuance practices, including making sure your firewall and allowlist rules accommodate validation from multiple network perspectives, so MPIC checks never get blocked.

If you are not sure whether your current setup is ready for more frequent validation, or you want to move off manual certificate tracking before the next round of lifespan cuts, get in touch. We can help you find the weak spots before they turn into outages.

Conclusion

MPIC is one of those security improvements that works best when you never have to think about it. It closes a real gap that let attackers fool certificate authorities through routing and DNS tricks, and it does so without asking most organizations to change anything, which is a good outcome.

The thing to watch is not MPIC itself but its timing. It arrived alongside a steep drop in certificate lifespans, and the two together mean domain validation now happens often enough that any fragile part of your process will show itself sooner rather than later. Clean CAA records, validation endpoints reachable from anywhere, and automated renewals are what keep that from becoming your problem.

Certificate lifespans are only going to keep shrinking. The teams that treat validation and renewal as something to automate now, rather than something to handle by hand each time, are the ones who will barely notice the next change when it comes.