SSL Certificates

Global changes in legislation regarding SAN SSL Certificates

All Certificate Authorities (CAs) that are members of the CA/Browser Forum have adopted renewed and improved worldwide guidelines for the issuance of SAN SSL Certificates. Domain validated certificates may therefore no longer be issued for an invalid Fully-Qualified Domain Name (e.g. a name ending in .local).

The reason given for the change is that internal server names are not unique and are therefore easy to falsify. With common names like server01 or webmail, the end user can never be sure whether it is actually dealing with the right party or with a malicious one.

The changed legislation for SSL Certificates takes effect on 1 November 2015. From that date, invalid Fully-Qualified Domain Names (hereafter called FQDNs) will no longer be accepted under the CA/Browser Forum standard, and such certificates may no longer be issued. All certificates issued after 1 November 2015 that contain such a name will be revoked upon discovery.

Users who request a certificate for an invalid FQDN with an expiration date after 1 November 2015 should bear in mind that their certificate will be revoked after 1 November 2015. After this date, no SAN SSL Certificate containing a reserved IP address or an internal server name will be issued either.
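As an added example (not part of the original white paper), the following Python script flags the SAN entries that fall under this rule: names that cannot be verified as globally unique in public DNS, and IP addresses that are not globally routable. The TLD list is a constructed subset for illustration; in practice load the full IANA root zone list from https://data.iana.org/TLD/tlds-alpha-by-domain.txt.

```python
import ipaddress

# Constructed subset of IANA root-zone TLDs (assumption for this example);
# load the full list from https://data.iana.org/TLD/tlds-alpha-by-domain.txt
IANA_TLDS = {"com", "net", "org", "nl", "uk"}


def is_reserved_ip(value):
    """True if value is an IP literal that is not globally routable
    (RFC 1918, loopback, link-local, ...), i.e. a reserved IP address."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False          # not an IP literal at all
    return not addr.is_global


def is_internal_name(name, tlds=IANA_TLDS):
    """True if a dNSName cannot be verified as globally unique in public DNS:
    a single-label name (server01) or a name whose last label is not a
    registered TLD (server01.example.local)."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):  # wildcard entries are judged on their base name
        host = host[2:]
    labels = host.split(".")
    if len(labels) < 2:
        return True
    return labels[-1] not in tlds


def check_sans(sans, tlds=IANA_TLDS):
    """Return the SAN entries that a CA may no longer certify after 1 Nov 2015,
    each paired with the reason."""
    flagged = []
    for entry in sans:
        if is_reserved_ip(entry):
            flagged.append((entry, "reserved IP address"))
        elif is_internal_name(entry, tlds):
            flagged.append((entry, "internal server name"))
    return flagged


if __name__ == "__main__":
    # Constructed SAN list resembling a typical Exchange certificate request
    sample = ["mail.example.com", "autodiscover.example.com",
              "server01", "server01.example.local", "10.0.0.5"]
    for entry, reason in check_sans(sample):
        print(f"{entry}: {reason}")
```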

Microsoft Exchange

Many people use a SAN SSL Certificate for Microsoft Exchange 2007 or 2010. It is recommended to change these certificates from an internal server name to an external server name as soon as possible. A manual describing how to do this on Exchange 2007 can be found here: https://www.networking4all.com/en/support/ssl+certificates/manuals/microsoft/exchange+2007/modify+.local/
The Exchange 2010 manual can be found here: https://www.networking4all.com/en/support/ssl+certificates/manuals/microsoft/exchange+2010/modify+.local/

Alternatives

A possible alternative is to use an additional external name. This can be a subdomain of your main domain (e.g. server01.cabforum.com) or a .net domain name (.net = network), such as server01.cabforum.net.

So far, the amended legislation applies only to domain validated (DV) SAN certificates. Certificates for which the organization has been validated (OV) are not affected by this change. Upgrading your DV certificate to an OV certificate is therefore another alternative.

Certificate on test servers

This change applies to everyone who uses an invalid Fully-Qualified Domain Name, even where its use is not security-relevant, for example on test servers.

More information

For more information about the changing legislation we would like to refer to the comprehensive PDF document of the CA/Browser Forum: http://www.cabforum.org/Baseline_Requirements_V1.pdf

Download this white paper

This white paper can be downloaded to inform your customers.

Description                                   File format   Size
Change legislation SAN SSL Certificates                     90 KB