Certificate Authorities (CAs) are required to complete Multi-Perspective Issuance Corroboration (MPIC) during the domain validation process for SSL and S/MIME certificates. MPIC uses two or more remote, globally distributed network perspectives to independently retrieve the domain validation resources, including DNS records (TXT and CNAME), CAA records, and HTTP/HTTPS authentication file data.

All remote perspectives must be able to access your domain validation data. Additionally, each perspective must find the exact same results to corroborate the values and verify everything is legitimate. 

If any MPIC agent can't access your validation records, or there are any conflicting results, MPIC will fail, and the certificate cannot be issued. 

Sectigo identifies a few practices that can cause MPIC checks to fail:

  • Geo-restricted access to HTTP endpoints
  • Firewalls restricting traffic from specific regions or IP addresses
  • Static firewall rules allowing only known IP addresses
  • Blocked/filtered User-Agent headers
  • DNS responses that return different data depending on where the query originates (for example, split-horizon or geo-based DNS)
  • DNS records or validation files that are too short-lived or removed before validation completes

Sectigo does not publish IP addresses or User-Agent strings to allow-list for MPIC. Instead, the CA recommends against restricting your server by geographic location and against maintaining an IP address allow list for validation resources. Make sure your domain validation resources are globally accessible and return identical data from every location.
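The corroboration rule above (every perspective must retrieve the resource, and every perspective must see the same data) is easy to model offline. The following script is an added example, not Sectigo's code or any CA's actual MPIC implementation: it represents what each remote perspective observed and applies the pass/fail rule, using constructed perspective names, tokens and CAA values. Comparing DNS answers as unordered record sets is an assumption of this example, not a statement about how a CA compares results. The three scenarios mirror the failure modes listed above: a healthy setup, an HTTP endpoint blocked for one region, and a DNS zone that answers differently by query location.

```python
"""MPIC-style corroboration over results gathered from several network
perspectives. Added illustration, not a CA's code. Every perspective
must reach the validation resource and all must observe identical data;
any unreachable perspective or any disagreement fails the check."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Observation:
    perspective: str                 # constructed vantage-point label, e.g. "eu-west"
    method: str                      # "dns-txt", "dns-caa" or "http-file"
    error: Optional[str] = None      # set when the lookup or fetch failed
    values: frozenset = field(default_factory=frozenset)  # data observed (unordered)


def corroborate(observations, min_perspectives=2):
    """Return (ok, reasons). ok is True only when, for every method, at
    least min_perspectives perspectives reported, none failed, and all
    observed the same set of values."""
    reasons = []
    by_method = {}
    for obs in observations:
        by_method.setdefault(obs.method, []).append(obs)
    for method, group in sorted(by_method.items()):
        if len(group) < min_perspectives:
            reasons.append(f"{method}: only {len(group)} perspective(s), "
                           f"need at least {min_perspectives}")
            continue
        # Failure mode 1: a perspective could not retrieve the resource
        # (geo-block, IP allow list, filtered User-Agent, record already gone).
        for o in group:
            if o.error is not None:
                reasons.append(f"{method}: {o.perspective} could not retrieve data ({o.error})")
        # Failure mode 2: perspectives retrieved the resource but saw different data
        # (split-horizon DNS, stale caches, per-region content).
        succeeded = [o for o in group if o.error is None]
        if len({o.values for o in succeeded}) > 1:
            detail = "; ".join(f"{o.perspective}={sorted(o.values)}" for o in succeeded)
            reasons.append(f"{method}: perspectives disagree: {detail}")
    return (not reasons, reasons)


TOKEN = "_validation-token-example"   # constructed sample validation token


def healthy_scenario():
    """All perspectives reach the TXT record and see the same token."""
    return [Observation(p, "dns-txt", values=frozenset({TOKEN}))
            for p in ("us-east", "eu-west", "ap-south")]


def geo_blocked_scenario():
    """HTTP validation file is served, but one region is blocked by a firewall."""
    body = frozenset({TOKEN})
    return [
        Observation("us-east", "http-file", values=body),
        Observation("eu-west", "http-file", values=body),
        Observation("ap-south", "http-file", error="HTTP 403 (region blocked)"),
    ]


def split_horizon_scenario():
    """CAA answers differ by query location, so the perspectives cannot agree."""
    caa = frozenset({'0 issue "ca.example"'})   # constructed placeholder CAA value
    return [
        Observation("us-east", "dns-caa", values=caa),
        Observation("eu-west", "dns-caa", values=caa),
        Observation("ap-south", "dns-caa", values=frozenset({'0 issue ";"'})),
    ]


if __name__ == "__main__":
    for name, scenario in (("healthy", healthy_scenario),
                           ("geo-blocked", geo_blocked_scenario),
                           ("split-horizon", split_horizon_scenario)):
        ok, reasons = corroborate(scenario())
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
        for r in reasons:
            print("  -", r)
```

Run it directly to see each scenario's verdict and the reasons. Feeding `corroborate()` real observations would require querying your DNS zone and HTTP endpoint from several geographically separate resolvers and hosts; the pass/fail logic stays the same.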

For more information on MPIC enforcement timelines and impacts, check the Sectigo MPIC FAQ.