Deprecation of Internal Server Names and Reserved IP Addresses

In compliance with CA/Browser Forum requirements, as of 31st October 2014 you will be unable to order an SSL certificate with an internal server name or reserved IP address (NAT classified IP addresses).

This includes both the certificate common name and the SAN field of an SSL certificate.

We recommend that customers transition away from ordering certificates which contain internal server names or reserved IP addresses.

Certificates that expire after 1st October 2016 and contain an Internal Server Name or Reserved IP will be revoked by the certificate authority (no refunds or replacements will be available).

More information about internal names from the CA/Browser Forum is available here: https://cabforum.org/internal-names/
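To find certificates affected by this change, the values in the common name and SAN fields can be screened as shown below. This is an added example, not part of the original article or any CA's tooling; the internal suffix list and the sample names are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: suffixes treated as internal-only here; adjust to your own network.
INTERNAL_SUFFIXES = {"local", "localhost", "internal", "lan"}


def classify(entry):
    """Return 'reserved-ip', 'internal-name' or 'public' for one CN/SAN value."""
    value = entry.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        # Anything not globally routable (RFC 1918, loopback, link-local,
        # IPv6 unique-local, ...) is treated as a reserved address.
        return "public" if addr.is_global else "reserved-ip"
    if value.startswith("*."):
        value = value[2:]  # a wildcard does not change where the name lives
    labels = value.split(".")
    # Single-label (NetBIOS-style) names and internal-only suffixes
    # cannot be validated against public DNS.
    if len(labels) == 1 or labels[-1] in INTERNAL_SUFFIXES:
        return "internal-name"
    return "public"


def audit(common_name, sans):
    """Map each CN/SAN entry that would block issuance to the reason."""
    findings = {}
    for entry in [common_name, *sans]:
        kind = classify(entry)
        if kind != "public":
            findings[entry] = kind
    return findings


if __name__ == "__main__":
    # Constructed sample: names as they might appear on an Exchange certificate.
    cn = "mail.example.com"
    sans = ["exchange", "exchange.corp.local", "192.168.1.10",
            "autodiscover.example.com", "fd00::1", "8.8.8.8"]
    for name, reason in audit(cn, sans).items():
        print(f"{name}: {reason}")
```

Every entry the audit reports needs to be replaced with a publicly resolvable FQDN before the certificate can be reissued.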

Why are Internal Server Names being deprecated?

ICANN has made it possible to register a near-infinite number of domain extensions. This means that what was once just an internal domain may now be an actual fully qualified domain. For example, some companies may use exchange.corp for their internal Exchange domain. However, .corp is now a valid extension, so someone could actually own exchange.corp. It would therefore be wrong for the CA to issue an SSL certificate for exchange.corp to anyone except the actual domain owner.

Microsoft Exchange AutoDiscovery URL

You may find that switching to Fully Qualified Domain Names (FQDN) in your network presents problems with Microsoft Exchange. It is possible to reconfigure Exchange to use an FQDN rather than the NetBIOS name using the instructions provided here: http://support.microsoft.com/kb/940726
