What is MPIC (Multi-Perspective Issuance Corroboration)?

MPIC is a security protocol that requires domain validation to be confirmed from multiple locations on the internet before an SSL certificate can be issued.

Why is it needed?

Previously, validation was done from a single server or a limited number of servers (e.g., only from the US).

Now, Sectigo performs validation using servers distributed across the globe. This helps to:

  • Protect against network-level attacks such as:
    • BGP hijacking - where traffic is intercepted and redirected.
    • DNS spoofing - where attackers provide fake DNS responses.
  • Prevent attackers from fraudulently obtaining SSL certificates for domains they don't own.

When does this take effect?

  • Sectigo introduced MPIC in June 2025.
  • Full enforcement starts on September 15, 2025.

What issues might you face?

Even if standard validation passes, your SSL certificate order may fail MPIC validation if:

  1. Your site is not accessible from certain countries (e.g., geo-restricted).
  2. Your firewall blocks access from IPs outside a defined whitelist.
  3. Your server blocks or filters the User-Agent header used by validation bots.
  4. DNS responses differ depending on region (e.g., due to GeoDNS).
  5. DCV records (DNS or HTTP validation files) are deleted too quickly, so remote servers can’t access them in time.
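
The failure causes listed above can be told apart by comparing what each vantage point actually received. The following is an added example, not part of the original article and not Sectigo's code: it takes per-perspective results and maps every non-corroborating one to a likely cause. The perspective names, IP addresses, token and the `allowed_non_corroborations` threshold are constructed assumptions; the page does not state the CA's vantage points or quorum.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Observation:
    perspective: str             # vantage point label (constructed)
    resolved_ip: Optional[str]   # A record seen from there; None = no DNS answer
    http_status: Optional[int]   # None = connection dropped or timed out
    token: Optional[str]         # content of the DCV file as served there

def classify(obs: Observation, primary: Observation) -> Optional[str]:
    """Return None if obs corroborates primary, else the likely cause."""
    if obs.http_status == 200 and obs.token == primary.token:
        return None
    if obs.resolved_ip is None:
        return "no DNS answer: record removed too quickly or not propagated"
    if obs.http_status is None:
        return "connection dropped: geo restriction or IP allowlist"
    if obs.http_status == 403:
        return "request rejected: firewall, geo or User-Agent filter"
    if obs.resolved_ip != primary.resolved_ip:
        return f"GeoDNS routed to {obs.resolved_ip}, which lacks the DCV file"
    if obs.http_status == 404:
        return "validation file missing: deleted too quickly"
    return "unexpected content served"

def mpic_check(primary, remotes, allowed_non_corroborations=1):
    """Assumed quorum rule: pass if at most N remote perspectives disagree."""
    findings = {}
    for obs in remotes:
        cause = classify(obs, primary)
        if cause:
            findings[obs.perspective] = cause
    return len(findings) <= allowed_non_corroborations, findings

# Constructed sample data (documentation IP ranges, made-up token).
PRIMARY = Observation("us-east", "192.0.2.10", 200, "dcv-token-example")
REMOTES = [
    Observation("eu-west", "192.0.2.10", 200, "dcv-token-example"),
    Observation("ap-south", "192.0.2.10", None, None),
    Observation("sa-east", "198.51.100.7", 404, None),
    Observation("af-south", "192.0.2.10", 404, None),
]

if __name__ == "__main__":
    ok, findings = mpic_check(PRIMARY, REMOTES)
    print("MPIC would pass" if ok else "MPIC would fail")
    for where, why in findings.items():
        print(f"  {where}: {why}")
```

In practice the observations would come from your own probes or monitoring nodes in several regions, collected while the DCV record or file is still in place.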

What should you do?

If any of the following applies to you:

  • You have IP or geo-based restrictions;
  • Your validation files or DNS records are being removed too quickly;
  • You use a strict firewall setup;

you need to update your infrastructure to ensure MPIC validation can succeed. More information can be found here.
