New rules for SSL/TLS certificate issuance – phasing out internal names and reserved IP addresses

Security standards are continually reviewed in order to eliminate vulnerabilities that affect companies and end users on the Internet.

Thus, in accordance with the new Baseline Requirements of the CA/Browser Forum adopted in July 2012, the use of internal names and reserved IP addresses in issued SSL certificates will be phased out. This concerns certificates issued to identify computers acting as servers.

Important steps for Certification Authorities:

  1. Certification Authorities shall notify all applicants of this decision.
  2. All SSL certificates that contain a reserved IP address or an internal server name will be revoked, or blocked by browser software, from 1 October 2016.
  3. Moreover, any such SSL certificate that is still issued will have an expiry date before 1 November 2015.

The primary reasons for the deprecation

These certificates are deprecated because they pose a risk not only to the corporate network but also to other systems.

  1. The ever-growing ICANN list of domain extensions now includes, among others, qualified domains that used to be internal. It is therefore incorrect for a Certification Authority to issue an SSL certificate for such a domain extension unless the request comes from its true owner.
    Internal names can be misused: the likelihood of obtaining a certificate for a common (internal) name is high. An attacker could bring such a certificate into a corporate network and steal confidential corporate information without being directly connected to that network.
  2. Even for systems that use certificates for fully qualified names, unqualified names can be valid in other authentication contexts. If the cryptographic channel is not properly configured, an attacker holding a certificate for an unqualified name could gain access to local network resources as an ordinary user, while the legitimate system uses a fully qualified certificate.

Consequently, the issuance of certificates for common (internal) names is deprecated.

If a company currently uses an SSL certificate with an internal name, it is recommended to configure the servers to use a public name, or to switch to a certificate issued by an internal CA, before 1 November 2015.
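As an added example (not part of the original article), the following Python script classifies the entries of a certificate's Subject Alternative Name list and flags the kinds that the Baseline Requirements phase out: reserved (non-globally-routable) IP addresses and internal names. The set of non-public suffixes is an assumed heuristic for the example, not the CA/Browser Forum's own definition, and the SAN list is constructed sample data.

```python
import ipaddress
from typing import Dict, List

# Assumed heuristic: top-level labels that are not publicly delegated
# (RFC 6762 ".local" plus suffixes commonly used on private networks).
# The Baseline Requirements define an internal name as one that cannot be
# resolved through public DNS; this set only approximates that definition.
NON_PUBLIC_SUFFIXES = {"local", "lan", "corp", "internal", "home", "intranet"}


def classify_san(entry: str) -> str:
    """Classify one Subject Alternative Name (or Common Name) value as
    "reserved_ip", "public_ip", "internal_name" or "public_name"."""
    value = entry.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name below
    else:
        # Anything that is not globally routable (RFC 1918, loopback,
        # link-local, documentation ranges, ...) counts as reserved.
        return "public_ip" if ip.is_global else "reserved_ip"
    labels = value.split(".")
    if labels[0] == "*":          # wildcard: judge the base domain
        labels = labels[1:]
    if len(labels) < 2:           # single-label host such as "mailserver"
        return "internal_name"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return "internal_name"
    return "public_name"


def audit_cert_names(names: List[str]) -> Dict[str, List[str]]:
    """Group the entries that must be removed before reissue, by reason."""
    findings: Dict[str, List[str]] = {"internal_name": [], "reserved_ip": []}
    for name in names:
        kind = classify_san(name)
        if kind in findings:
            findings[kind].append(name)
    return findings


# Constructed sample SAN list mixing compliant and non-compliant entries
SAMPLE_SANS = ["www.example.com", "*.example.com", "mail",
               "exchange01.corp", "192.168.10.5", "fe80::1"]

if __name__ == "__main__":
    for reason, entries in audit_cert_names(SAMPLE_SANS).items():
        print(f"{reason}: {entries}")
```

Feeding the SAN entries of each certificate in an inventory through `audit_cert_names` gives the list of certificates that need a public name or an internal-CA replacement before the deadline.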

For e-commerce companies in particular, the use of an SSL certificate on the web site is essential.

CyberSSL.com provides a wide range of SSL certificates suitable for different enterprises' web sites. You can choose the most appropriate one from the list at the following link: https://www.cyberssl.com/ssl-certificates