[cabfpub] [cabfquest] Certificates for Internal server names

Ben Wilson ben at digicert.com
Wed May 22 22:07:15 UTC 2013

This is a public, follow-up response to a question about certificates for
Internal Names from Filip Dossche.


Filip asked (1) whether both an internal and an external certificate will be
needed for hosts with internal server names and (2) how the DigiCert tool
(http://www.digicert.com/internal-domain-name-tool.htm) works.  I'll
answer the first question last.


According to the Baseline Requirements, an "Internal Server Name" is one that
is "not resolvable using the public DNS."


Publicly trusted CAs and browsers are phasing out Internal Names in publicly
trusted SSL/TLS certificates entirely by October 1, 2016.  Some of the
reasons for this may be found here:
https://www.cabforum.org/Guidance-Deprecated-Internal-Names.pdf   As
previously communicated, no CA should be issuing an SSL certificate with an
expiry date past November 1, 2015 that contains an Internal Server Name, even
if the host is not reachable from the Internet.  Also, all CAs should be
advising all customers receiving 1-year and 2-year certificates with Internal
Names that the practice is being phased out.
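As an added illustration of the rule above (not code from the post or from DigiCert's tool): a small checker that flags SAN entries which cannot resolve in public DNS and applies the November 1, 2015 expiry cut-off quoted above. The non-public suffix list and the sample Exchange SAN set are constructed assumptions standing in for a live public DNS lookup.

```python
"""Flag Internal Server Names in a certificate's SAN list and apply the
Baseline Requirements expiry cut-off quoted in the post."""
import ipaddress
from datetime import date

# Deadline stated in the post: no cert with an Internal Name may expire after this.
NO_ISSUANCE_PAST = date(2015, 11, 1)

# Heuristic (assumption): suffixes that never resolve in public DNS. The BR
# definition is "not resolvable using the public DNS"; a real audit would
# resolve each name instead of relying on a static list.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".corp",
                       ".lan", ".home", ".test", ".example", ".invalid")


def is_internal_name(san: str) -> bool:
    """True if a dNSName or iPAddress SAN entry is an Internal Server Name."""
    name = san.strip().lower().rstrip(".")
    # iPAddress entries: anything not globally routable (RFC 1918, loopback,
    # link-local) cannot be looked up in public DNS either.
    try:
        return not ipaddress.ip_address(name).is_global
    except ValueError:
        pass
    # A single-label host such as "exchange01" has no public DNS suffix at all.
    if "." not in name.lstrip("*."):
        return True
    return name.endswith(NON_PUBLIC_SUFFIXES)


def assess(sans: list, not_after: date) -> dict:
    """Classify every SAN and apply the post's expiry rule to the result."""
    internal = sorted(s for s in sans if is_internal_name(s))
    return {
        "internal_names": internal,
        # A cert carrying any Internal Name must not expire past 1 Nov 2015.
        "violates_expiry_rule": bool(internal) and not_after > NO_ISSUANCE_PAST,
    }


if __name__ == "__main__":
    # Constructed SAN set typical of an Exchange deployment mixing FQDNs,
    # a short host name, a .local name and a private address.
    sample = ["mail.example.com", "autodiscover.example.com", "exchange01",
              "exchange01.corp.local", "192.168.1.10"]
    print(assess(sample, date(2016, 5, 22)))
```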

This presents a problem for many types of networks.  For enterprises
currently using MS Exchange with internal host name configurations that
still need a publicly trusted certificate but want to make the transition
now, DigiCert created a free tool that will help convert those internal
names to FQDNs.


Instructions for the tool indicate that you run it on any Exchange Client
Access Server AFTER you have already generated and installed the key pair
and a new FQDN-compliant certificate on all servers mentioned in the
certificate.  The tool does not change the actual certificate (you need to
get that certificate re-issued by the CA with FQDNs ahead of time); it
simply reconfigures Exchange's internal and external routing to comply with
industry best practices for domain naming with FQDNs instead of internal

So, to answer your first question, one solution is to convert your internal
names to FQDNs so that you can use the same certificate.  The tool is just
one example of how this can be done.  If you need more detail, please let me


