The CA/Browser Forum is an unincorporated association of separate organizations that creates the guidelines that apply to all SSL certificate and browser providers. Since the effective date of 1 July 2012, Symantec has been notifying customers about certificates whose SAN or Common Name (CN) field contains a Reserved IP Address or Internal Server Name, because such certificates are being phased out under the CA/Browser Forum standards.
This one particular standard has some customers in a bind when renewing or enrolling in a CA-signed SSL certificate. The standard is quoted below.
9.2.1 Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name.
(More information about the CA/B Forum Baseline Requirements can be found at cabforum.org)
This standard means SSL certificates can only be issued to Fully Qualified Domain Names (FQDNs) and can no longer be issued to non-valid internal names or reserved IP addresses.
Example:

| Valid FQDNs | Non-Valid Internal Names |
| --- | --- |
| abc.com | abc.local |
| secure.abc.com | abcServer123 |
| autodiscover.abc.com | 192.168.0.1 |
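The following is an added example, not code from the original article or from Symantec, that a customer could run over the names in a pending certificate request before enrolling. It classifies each SAN/CN entry the way the Baseline Requirements text above does (public FQDN, wildcard FQDN, reserved IP, internal name) and applies the quoted date rule: a request containing any deprecated entry may only be issued, with a notice, if its expiry is not later than 1 November 2015. The `PUBLIC_TLDS` set is an assumption for illustration; the real definition of an Internal Name refers to the full IANA Root Zone Database, which this example does not embed.

```python
import ipaddress
import re
from datetime import date

# ASSUMPTION: a small, constructed subset of public TLDs used only for this
# example. A production check would consult the complete IANA Root Zone list.
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de", "io"}

# Dates quoted from the Baseline Requirements text reproduced in the article.
LAST_PERMITTED_EXPIRY = date(2015, 11, 1)   # no deprecated cert may expire after this
REVOCATION_DATE = date(2016, 10, 1)         # all unexpired deprecated certs revoked

# A DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def classify_name(entry):
    """Classify one SAN or CN value.

    Returns 'fqdn', 'public-ip', 'reserved-ip', 'internal-name' or 'invalid'.
    """
    value = entry.strip().lower()

    # IP addresses first: anything that is not globally routable counts as reserved.
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        return "public-ip" if addr.is_global else "reserved-ip"

    # Wildcard FQDNs are permitted; strip the leading '*.' before checking the rest.
    host = value[2:] if value.startswith("*.") else value
    labels = host.split(".")

    if not all(LABEL_RE.match(label) for label in labels):
        return "invalid"            # e.g. empty label, underscore, stray '*'
    if len(labels) < 2:
        return "internal-name"      # unqualified host name such as abcServer123
    if labels[-1] not in PUBLIC_TLDS:
        return "internal-name"      # suffix not in the public DNS, e.g. abc.local
    return "fqdn"


def review_request(names, requested_expiry):
    """Apply the quoted rule to a whole request.

    Returns (verdict, deprecated_entries) where verdict is one of
    'issuable', 'issuable-with-notice' or 'not-issuable'.
    """
    deprecated = [
        (name, kind)
        for name, kind in ((n, classify_name(n)) for n in names)
        if kind in ("reserved-ip", "internal-name")
    ]
    if not deprecated:
        return "issuable", []
    if requested_expiry > LAST_PERMITTED_EXPIRY:
        return "not-issuable", deprecated
    # Issuable only after the CA notifies the applicant of the deprecation.
    return "issuable-with-notice", deprecated


if __name__ == "__main__":
    # Constructed sample request mirroring the article's table.
    sample = ["abc.com", "secure.abc.com", "autodiscover.abc.com",
              "abc.local", "abcServer123", "192.168.0.1"]
    for n in sample:
        print(f"{n:24} -> {classify_name(n)}")
    print(review_request(sample, date(2016, 6, 1)))
```

Entries reported as `internal-name` or `reserved-ip` are the ones the article says must be renamed and reissued, or moved to a privately rooted CA.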
In response to this change, customers have two main courses of action:
- Change the common names and reissue their SSL certificates
- Move to certificates chained to a private root, with two options:
  - Develop a self-signed internal Certification Authority (CA)
  - Use a Private CA from Symantec
To help our customers avoid the dangers of a self-signed CA, Symantec is now offering the Private CA.
The Symantec Private CA provides:
- Compliance
- Support
- Reduced deployment time
- Reduced hidden costs compared with in-house solutions
This is offered through the Managed PKI for SSL account. Use the same console to manage external as well as internal certificates. Ask your account manager for more details! More detailed information on the Symantec Private CA can be found at www.Symantec.com/private-ssl