In March 2025, Google introduced a significant new requirement for Certificate Authorities (CAs) called Multi-Perspective Issuance Corroboration, or MPIC. If you manage SSL certificates, DNS infrastructure, or certificate monitoring, this change matters so we’ve put together this overview for TrackSSL customers.
MPIC is part of Google’s evolving Chrome Root Program and aims to protect the internet’s trust model from increasingly sophisticated attacks. In this post, we’ll break down what MPIC is, why it was introduced, and what it means for you as someone responsible for monitoring or managing certificates.
What is MPIC?
MPIC stands for Multi-Perspective Issuance Corroboration. It’s a new verification requirement that ensures domain control checks are not just done from a single vantage point on the internet, but instead from multiple, globally distributed perspectives.
This matters because of a well-documented vulnerability: BGP hijacking. When CAs perform domain validation from only one location, an attacker could reroute internet traffic in that region (via Border Gateway Protocol manipulation), making it appear as if they control a domain they don’t. The CA would unknowingly issue a valid certificate, and now an attacker has a green lock in the browser.
With MPIC, the likelihood of that attack vector decreases.
Why is Google Requiring MPIC?
As an industry leader, Google has been helping to tighten up TLS infrastructure for years: reducing certificate lifespans, encouraging automation, and now demanding better validation integrity. MPIC is the next logical step in that evolution.
Google’s Chrome Root Program will now require that all domain validation used for certificate issuance be corroborated from multiple independent vantage points. This significantly reduces the risk of routing-based attacks influencing certificate issuance.
It’s also not just theoretical. Research from Princeton’s Center for Information Technology Policy, which launched the Open MPIC Project, has shown that BGP-based validation attacks are not just possible, but happening in the wild.
What Does MPIC Mean for You?
If you’re responsible for SSL certificates, whether on public websites, internal apps, or across large infrastructure, here’s what MPIC means for your day-to-day:
You Need Globally Consistent DNS
MPIC requires that DNS validation challenges be visible and resolvable from multiple global locations. If your DNS setup is slow to propagate or has inconsistent answers across regions, you may start seeing failed certificate issuance attempts.
- Make sure your DNS provider is globally distributed
- Keep TTLs low (e.g. 300 seconds) for ACME challenges
- Monitor validation failures closely
Automation Matters More Than Ever
Certificate lifespans are shortening with 90 day becoming the standard and 6 day cert standards on the horizon. MPIC adds another layer — your automation now needs to work reliably across the globe.
- Tools like Let’s Encrypt, Certbot, and Step CA are MPIC-ready
- Internal tools may need updates if they only validate from a single point
Monitoring Issuance Failures
TrackSSL users should keep an eye on cert issuance failures, especially if you’re seeing unusual delays or errors during renewal. These could be early indicators that your DNS or validation infrastructure is not MPIC-compatible.
The Bigger Picture: A More Secure Web
MPIC is part of a larger trend: building a more resilient and automated web PKI. When combined with
- 90-day certificates (or 6-day certs!)
- Increased adoption of ACME
- Projects like Princeton’s Open MPIC initiative
it’s clear the web is moving toward more automation, tighter validation, and higher assurance.
At TrackSSL, we’re watching these trends closely. Our goal is to make sure you’re not just notified when a certificate is about to expire, but also when the entire ecosystem shifts underneath it.
Final Thoughts
MPIC might sound like just another security acronym, but it’s a powerful tool against a subtle and dangerous class of attacks. As Google and other browsers begin enforcing this requirement, staying informed and monitored is more critical than ever.
TrackSSL helps you monitor all your SSL certificates in one place, with instant alerts, expiration tracking, and visibility into changes or failures. Whether you’re managing a handful of public certs or hundreds across internal environments, TrackSSL makes it easy to stay on top of it all. Sign up today to try it for free.