Internal Server Names Will No Longer Be Issued as of October 26, 2015
The Certificate Authority and Browser Forum (CA/B) has established:
“As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a Subject Alternative Name (SAN) extension or Subject Common Name field containing a Reserved IP Address or Internal Server Name, the CA shall notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA shall not issue a certificate with an Expiry Date later than 1 November 2015 with a SAN or Subject Common Name field containing a Reserved IP Address or Internal Server Name. As from 1 October 2016, CAs shall revoke all unexpired Certificates.”
Full documentation on the revocation of internal Server Names can be found here:
https://cabforum.org/wp-content/uploads/Guidance-Deprecated-Internal-Names.pdf
What is an Internal Name?
An internal name is a domain or IP address that is part of a private network. Common examples of internal names are:
- Any server name with a non-public domain name suffix. (mydomain.local, mydomain.internal)
- NetBIOS names or short hostnames, anything without a public domain.
- Any IPv4 address in the RFC 1918 range. (I.E. 10.0.0.0, 172.16.0.0, 192.168.0.0)
- Any IPv6 address in the RFC 4193 range.
How Is GlobalSign Handling This Transition?
GlobalSign will be attempting to ease the transition by implementing measures to ensure that the transition is smooth.
| Summer 2012 | Certificates with internal names will expire no later than November 01, 2015. |
| October 26, 2015 | Disable issuance and re-issuance of certificates with internal server names. |
| Summer 2016 | Notify all customers with active certificates with internal server names that their certificates will be revoked in September. |
| September 2016 | Revoke all active certificates with internal server names or reserved IP addresses. |
What Does This Mean for You?
Server administrators have a couple of options:
Migrate to registered domain names which is a good long term option; however this can require a lot of work to update all systems and infrastructure, and there might be security reasons for not using publicly registered domain names.
Use IntranetSSL which supports the issuance of SSL Certificates with Internal Server Names and Reserved IP addresses in the CN and SAN values; furthermore, mix and match internal, FQDNs, sub-domains, wildcard, and Global IP addresses in one certificate using a single certificate under a non-public GlobalSign root.