CSC Research Reveals 40% of Enterprises Vulnerable to Outages from SSL Certificate Expiration

CSC Research Highlights: 40% of Enterprises Face Outage Risks Due to SSL Certificate Expiration Amid WHOIS Deprecation

New research from CSC, a global leader in domain security, SSL management, brand protection, and anti-fraud solutions, has revealed that as many as 40% of enterprises are at risk of service disruptions caused by outdated secure sockets layer (SSL) certificates. This alarming statistic stems from organizations’ continued reliance on WHOIS-based email addresses for domain control validation (DCV), a method that will officially be deprecated on July 15, 2025. The impending sunsetting of WHOIS-based DCV underscores the urgent need for businesses to adopt alternative validation methods to avoid costly and disruptive outages.

The Impending Deprecation of WHOIS-Based Validation

CSC’s analysis of over 100,000 global SSL certificate records highlights a troubling trend: many organizations still depend on WHOIS email for DCV, despite a 2024 vote by the CA/Browser Forum mandating its deprecation. The decision to phase out WHOIS-based validation was driven by the method’s inherent security vulnerabilities, including susceptibility to phishing attacks and unauthorized access. Beginning July 15, 2025, certificate authorities (CAs) will no longer accept WHOIS email as a valid DCV method, leaving companies that fail to adapt exposed to significant operational risks.

Compounding the issue, CSC’s research found that 17% of surveyed companies are unaware of their current DCV method. This lack of visibility points to a broader problem within IT and security teams: insufficient preparedness for upcoming industry changes. Without proactive measures, these organizations risk facing unexpected website outages, service interruptions, and reputational damage when WHOIS-based validation is no longer an option.

The Growing Complexity of SSL Certificate Management

Beyond the immediate threat posed by WHOIS deprecation, enterprises must also contend with sweeping changes to SSL certificate lifecycles and DCV re-use periods. Starting March 15, 2026, certificate lifespans will begin to shrink dramatically—from the current maximum of 367 days to just 200 days. By 2029, certificate validity periods will plummet to only 47 days. Similarly, DCV re-use periods will decrease from 367 days to 200, then 100, and finally just 10 days by 2028.

These changes mean that enterprises will soon face up to eight certificate renewals per year. With DCV revalidation required every time a certificate is issued, the manual workload for IT teams will skyrocket unless organizations embrace automation and modern validation methods. As Mark Flegg, CSC’s Senior Director of Technology, Security Products and Services, explains, “Organizations need to start preparing now. Any short-term fixes must align with the long-term trajectory where automation of certificates and DCV becomes unavoidable.”

Alternative Validation Methods: A Path Forward

To mitigate the risks associated with WHOIS deprecation and evolving certificate requirements, organizations should immediately audit their certificate management workflows and transition to accepted DCV alternatives. Two widely recommended methods are domain name system (DNS)-based validation and file-based web token validation. These approaches offer greater security and reliability compared to WHOIS email, ensuring smoother certificate renewals and reducing the likelihood of service disruptions.

DNS-based validation involves placing a unique cryptographic token in the DNS records of a domain, while file-based validation requires uploading a specific file to the web server hosting the domain. Both methods eliminate the vulnerabilities associated with WHOIS email and provide a more robust framework for maintaining SSL certificate compliance.
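The audit recommended above can start as a pass over the certificate inventory. The following is an added example, not CSC's tooling: it flags records that still rely on WHOIS email or have no recorded DCV method, and computes renewals per year for the lifetimes the article names. The inventory rows, method labels, finding names and 30-day renewal lead time are all constructed assumptions.

```python
from datetime import date, timedelta
from math import ceil

WHOIS_DCV_CUTOFF = date(2025, 7, 15)   # deprecation date stated in the article
MAX_LIFETIME_DAYS = (367, 200, 47)     # certificate lifetimes stated in the article

# Constructed inventory: (hostname, recorded DCV method, certificate notAfter).
# The method labels are hypothetical; map them to whatever your CA portal exports.
INVENTORY = [
    ("www.example.com",  "whois-email", date(2025, 9, 1)),
    ("api.example.com",  "dns-txt",     date(2025, 8, 10)),
    ("shop.example.com", None,          date(2025, 12, 1)),
    ("old.example.com",  "whois-email", date(2025, 6, 20)),
    ("cdn.example.com",  "http-file",   date(2026, 1, 5)),
]

def audit(inventory, renew_lead_days=30):
    """Return (hostname, finding) for every record that needs action."""
    findings = []
    for host, method, not_after in inventory:
        # Planned renewal date: some days ahead of expiry (assumed policy).
        renew_on = not_after - timedelta(days=renew_lead_days)
        if method is None:
            # Nobody recorded how the domain was validated: resolve this first.
            findings.append((host, "unknown-dcv-method"))
        elif method == "whois-email" and renew_on >= WHOIS_DCV_CUTOFF:
            # The next renewal falls after CAs stop accepting WHOIS email.
            findings.append((host, "renewal-blocked-after-cutoff"))
        elif method == "whois-email":
            # One more renewal is possible, but the following one is not.
            findings.append((host, "migrate-before-next-renewal"))
    return findings

def renewals_per_year(lifetime_days):
    """Issuances needed to keep one hostname covered for 365 days."""
    return ceil(365 / lifetime_days)

if __name__ == "__main__":
    for host, finding in audit(INVENTORY):
        print(f"{host:20} {finding}")
    for days in MAX_LIFETIME_DAYS:
        print(f"{days:>3}-day lifetime -> {renewals_per_year(days)} renewals/year")
```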

CSC’s Support for Enterprise Transitions

Recognizing the challenges posed by these industry-wide shifts, CSC has introduced innovative solutions to help enterprises navigate the transition. Among these is the company’s newly launched Domain Control Validation as a Service (DCVaaS), which is available free of charge to CSC clients. DCVaaS streamlines the validation process, reducing certificate renewal times by up to 99% and significantly easing the manual burden on IT teams.

By automating critical aspects of certificate management, DCVaaS enables organizations to stay ahead of regulatory changes and ensure uninterrupted operations. Additionally, CSC offers a comprehensive suite of digital certificate solutions tailored to meet the unique needs of any enterprise workflow. These tools empower businesses to maintain compliance, enhance security, and focus on strategic priorities rather than grappling with manual certificate processes.

A Call to Action for Enterprises

The findings from CSC’s research serve as a wake-up call for enterprises worldwide. With 40% of organizations at risk of service outages due to outdated SSL certificates and WHOIS-based validation set to expire in less than three years, the time to act is now. Companies must take immediate steps to assess their current certificate management practices, identify vulnerabilities, and implement modern validation methods.

Failure to address these issues could result in severe consequences, including website downtime, loss of customer trust, and potential regulatory penalties. As the industry moves toward shorter certificate lifecycles and stricter validation requirements, automation will become essential for maintaining operational efficiency and minimizing risks.

Preparing for the Future of SSL Management

The deprecation of WHOIS-based validation and the forthcoming changes to SSL certificate lifecycles underscore the importance of staying ahead of industry trends. Organizations that proactively adopt DNS-based or file-based validation methods, leverage automation tools like DCVaaS, and partner with trusted providers like CSC will be better positioned to thrive in this evolving landscape.

In an era where cybersecurity threats continue to escalate, SSL certificates remain a critical line of defense for protecting sensitive data and ensuring secure communications. By taking decisive action today, enterprises can safeguard their operations, enhance their security posture, and prepare for the future of digital trust. As Mark Flegg aptly notes, “The clock is ticking, and preparation is key. Organizations that delay risk falling behind—and potentially paying the price.”

About CSC
CSC is the trusted security and threat intelligence provider of choice for the Forbes Global 2000 and the 100 Best Global Brands (Interbrand®) with focus areas in domain security and management, along with digital brand and fraud protection. As global companies make significant investments in their security posture, our DomainSec℠ platform can help them understand cybersecurity oversights that exist and help them secure their online digital assets and brands. By leveraging CSC’s proprietary technology, companies can solidify their security posture to protect against cyber threat vectors targeting their online assets and brand reputation, helping them avoid devastating revenue loss. CSC also provides online brand protection—the combination of online brand monitoring and enforcement activities—with a multidimensional view of various threats outside the firewall targeting specific domains. Fraud protection services that combat phishing in the early stages of attack round out our solutions. Headquartered in Wilmington, Delaware, USA, since 1899, CSC has offices throughout the United States, Canada, Europe, and the Asia-Pacific region. CSC is a global company capable of doing business wherever our clients are—and we accomplish that by employing experts in every business we serve.
