Internal names in SSL/TLS Certificates end 11nd of November

A short blog to keep you up to speed and make sure you know that you have some work to do this year. Back in 2011 the CA/Browser forum took on a new baseline regarding the use of publicly used certificates.
The minutes of this meeting are found here
The effect of that meeting is that as of the 11nd of November you can’t get a certificate with an Subject Alternative Name (SAN) or a Subject Common Name field that contains an internal server name or reserved internal IP address.
on November 11, 2015, the issuance of certificates with a reserved IP address or internal server name is prohibited.
Let’s go even further, on the 1st of October all certificates that have a internal name registered will be revoked.
On October 1, 2016, all publicly trusted SSL/TLS certificates with an internal name or reserved IP address will be revoked and/or blocked by browser software.
As the mention providers have been aware of this since July 2012 and had to make sure their customers didn’t register certificates like this anymore. 
I don’t know if anyone uses certificates like this, I never seen it myself but I thought to share it to make you aware.

So what is deprecated?

  • Names like www, hr, mail etc
  • Internal addresses like
  • Internal names like www.local 
If you want to read more about this, the PDF is here.

Is this having effect on your local internal servers?

If you have an external certificate that you use throughout your entire network and you have internal names registered there, yeas it does. You will need to change that or face revocation of the certificate and errors connection to services.
If you have internal certificates deployed with an internal CA, don’t worry it will keep on working. This is only for external certificates.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.