Changes in internal domain names SAN certificates
All Certificate Authorities (CAs) that participate in the coordinating CA/Browser Forum have agreed on renewed, globally applicable guidelines for issuing SAN SSL certificates. Under these guidelines, Domain Validated certificates can no longer be issued for an invalid Fully-Qualified Domain Name (such as a name ending in .local).
The changes are necessary, according to the CA/Browser Forum, because internal server names are not unique and can therefore easily be forged in a so-called 'man-in-the-middle' attack. With commonly used server names such as server001 or names ending in .local, a user cannot be sure whether they are connecting to the intended party or to an interfering malicious party, because the validity of such server names cannot be checked through, for instance, a WHOIS lookup.
The changed guidelines for SSL certificates take effect on the 1st of November 2015. From that date onward, invalid Fully-Qualified Domain Names (FQDNs) will no longer be acceptable under the standard set by the CA/Browser Forum, and certificates for them will no longer be issued. All certificates that still contain such names after the 1st of October 2016 will be revoked.
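The practical question for an administrator is which entries in an existing SAN certificate fall under this rule before the revocation date. The following script is an added example, not code from Networking4all or the CA/Browser Forum: it classifies each SAN entry (a dNSName or iPAddress) as public, internal or invalid. The CA/Browser Forum's criterion is whether the name ends in a top-level domain registered in IANA's Root Zone Database; the `PUBLIC_TLDS` set below is an assumed, deliberately small stand-in for that database, and the sample SAN list is constructed. The entries to check can be taken from the certificate's subjectAltName extension, for instance with `openssl x509 -noout -ext subjectAltName -in cert.pem` (OpenSSL 1.1.1 or later).

```python
import ipaddress
import re

# Stand-in for the IANA Root Zone Database (assumption: a real audit loads the
# full list, e.g. https://data.iana.org/TLD/tlds-alpha-by-domain.txt). Any name
# whose last label is not in this set is treated as an internal name.
PUBLIC_TLDS = {"com", "net", "org", "nl", "de", "uk", "eu", "io", "info", "biz"}

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def classify_san_name(name: str) -> str:
    """Classify one SAN entry as 'public', 'internal' or 'invalid'.

    'internal' covers what the CA/Browser Forum rule rejects: single-label
    hosts (server001), names under non-public suffixes (.local) and private
    or reserved IP addresses.
    """
    n = name.strip().lower().rstrip(".")
    if not n:
        return "invalid"

    # iPAddress entries: only globally routable addresses may appear in a
    # publicly trusted certificate.
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        return "public" if ip.is_global else "internal"

    labels = n.split(".")
    if labels[0] == "*":
        labels = labels[1:]          # wildcard: judge the domain it covers
    if not labels or not all(LABEL_RE.match(label) for label in labels):
        return "invalid"
    if len(labels) < 2:
        return "internal"            # bare hostname, not unique in public DNS
    return "public" if labels[-1] in PUBLIC_TLDS else "internal"


def audit_san_names(names):
    """Return the SAN entries a public CA will no longer issue (and, per the
    CA/Browser Forum timeline, will revoke), so they can be replaced first."""
    return [n for n in names if classify_san_name(n) != "public"]


if __name__ == "__main__":
    # Constructed sample: a typical Exchange SAN list mixing external and
    # internal names (example.com / contoso are documentation names).
    sample_sans = [
        "mail.example.com",
        "autodiscover.example.com",
        "exchange.contoso.local",
        "server001",
        "192.168.1.10",
    ]
    for entry in audit_san_names(sample_sans):
        print(f"{entry}: {classify_san_name(entry)} -> replace before 1 November 2015")
```

Wildcards are judged by the domain they cover, so `*.local` is flagged while `*.example.com` passes; a name that is neither a syntactically valid hostname nor an IP address is reported as invalid rather than silently accepted.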
Users of Microsoft Exchange servers in particular will feel the consequences of the abolition of internal domain names, because changing domain names on these servers is very difficult. Therefore, SAN certificates with internal domain names will remain available until the 1st of November 2015, as long as the certificate expires before that date.
Networking4all advises users of Microsoft Exchange servers to stop using internal domain names and to replace them with external domain names when upgrading the server.
There is a work-around available to refer internal domains to external domains. There are manuals available for:
For more information on the upcoming changes in the guidelines, please read this extensive PDF document from the CA/Browser Forum.
Networking4all realises that you may need more time to implement the changes in your (Exchange) environment. If your certificate expires before the 1st of February 2015, you can no longer acquire a certificate with your current internal domain name.