In July 2012, the CA/Browser Forum, the industry standards board for Certificate Authorities and the browsers that use Certificates, made a decision to deprecate the usage of reserved IP addresses and internal names for certificates, effective November 1st 2015. All such certificates still outstanding must be revoked by October 31, 2016.
Sectigo WILL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName (SAN) extension or Subject commonName (CN) field containing a Reserved IP Address or Internal Server Name.
An internal name is a domain in a private network that is not resolvable using the public Domain Name System (DNS). It does not have a domain suffix or the suffix is not a public domain name. For example, clifton.nj.local or Manchester.uk.internal
A malicious actor with these certificates could go on to perform man-in-the-middle attacks on closed networks such as public or corporate WiFi. Some of these previously internal names may now even be registered in public DNS with the introduction of the new gTLDs. One example would be the new gTLD ‘.exchange’.
Trusted certificates issued by certificate authorities like Sectigo are generally issued to ‘real’ public domain names, such as ‘sectigo.com’. The certificate authority can validate that a single organization has unique control or ownership of such a ‘real’ domain name before signing and issuing the certificate.
Therefore, it meant that anyone could obtain a trusted certificate for the internal names.
A reserved IP address is an IPv4 or IPv6 address that the IANA has marked as reserved: These IP addresses may be used for maintenance of routing tables, multicast, operation under failure modes, or to provide addressing space for public, unrestricted uses.
Sectigo’s time table for phasing out Internal Names and Reserved IP addresses is as follows:
If you are using internal names, you must configure those servers to use a public name or switch to a certificate issued by an internal CA before November 1, 2015.
There are several options available. One option is to reconfigure any systems to use a publicly-registered domain name. The fully-qualified name in the certificate does not need to resolve in public DNS, or be accessible from the public internet. For example, migrating ‘myserver.local’ to ‘myserver.mydomain.com’ does not mean that the server needs to be accessible on the internet, or the DNS record for ‘myserver.mydomain.com’ be resolved outside of your network. A second option would be to use a self signed certificate for intranet use.
A blog post with further information and guidance from the CA Security Council is available here: https://casecurity.org/2014/07/18/what-to-do-when-you-rely-on-internal-names-in-tlsssl-certificates/
Should you have any questions regarding the issuance of certificates with internal names, the status of existing certificates or if you require general advice with any of the points raised in this document, please contact a Sectigo Account Manager or Sectigo Support by submitting a ticket here.