20120312 - SSL certificates: CN, SAN, IP and internal names

As of July 1, 2012 (the Effective Date of the Baseline Requirements), the use of certificates containing a Reserved IP Address or Internal Name is deprecated by the CA/Browser Forum, and the practice will be eliminated by October 2016.

Notice: this measure is part of a broader plan established by the CA/Browser Forum. See Baseline Requirements Creation - V1

Definition - Internal Name: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA’s Root Zone Database.

What does this mean for your SSL certificates' validity dates?

Under this rule, certification authorities will not issue a certificate expiring after November 1st, 2015 whose subjectAlternativeName (SAN) extension or Subject commonName (CN) field contains a Reserved IP Address or Internal Name.

Likewise, from October 1st, 2016, certification authorities will revoke all unexpired certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name.

In short, any domain name, whether used internally or externally, whose gTLD (generic Top Level Domain) or ccTLD (country code TLD) is not registered with IANA, or which is otherwise not controlled by the applicant, will be rejected. This includes, but is not limited to, the use of .INT as an internal name (.INT is a real TLD, reserved for intergovernmental organizations, so an applicant cannot demonstrate control over a name under it).

We advise against using internal domain names, and recommend changing those currently in use, for example:

  • Use sub-domains of a domain you have already registered (with your ISP or a registrar), whether or not they are entered in the external DNS (server123.intranet.mydomain.com for example)

  • For a Microsoft environment, see Rename an Active Directory domain

What was accepted before November 1st 2015

Below is the list of what remains acceptable in SSL certificates for internal use until then.

  • The following IP blocks are defined as private and non-routable on the Internet, and are therefore acceptable for internal-use certificates (see RFC 1918):

    • 10.0.0.0 – 10.255.255.255
    • 172.16.0.0 – 172.31.255.255
    • 192.168.0.0 – 192.168.255.255

  • Any single server name containing no dots, such as:

    • server1
    • mymailserver

  • The following internal-use TLDs. The first four (.test, .example, .invalid, .localhost) are reserved by RFC 2606 and listed in the Special-Use Domain Names registry created by RFC 6761; .local is reserved for mDNS by RFC 6762; .lan, .priv and .localdomain are common conventions with no RFC reservation, accepted at the certification authority's discretion:

    • .test
    • .example
    • .invalid
    • .localhost
    • .local
    • .lan
    • .priv
    • .localdomain

Any certificate request containing an unreserved TLD not listed above will be examined on a case-by-case basis, but will probably be denied.

WARNING: if you use an internal top-level domain (TLD) that is not currently a valid TLD, such as those above, or others that certification authorities may allow at their discretion for your internal use, be advised that should such a TLD become recognized by IANA/ICANN as a valid TLD, the certificate will be revoked without further notice. Before the certificate can be reinstated you will need to demonstrate domain ownership or control.

Consult the list of TLDs under examination by ICANN

For example, since July 1st, 2012 Comodo no longer issues certificates whose CN (Common Name) ends with .prod, even though this extension is not yet (and may never be) available at registrars.

Currently valid certificates using such TLDs may be revoked at any time without notice. Pending requests are suspended for now.
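The definition of Internal Name above, the list of tolerated private ranges and TLDs, and the .prod caveat all reduce to one check you can run over the CN and SAN entries of your own requests before submitting them. The script below is an added example written for this article, not a TBS Internet tool: it classifies each name as a Reserved IP Address, a dotless host name, a name under a tolerated internal-use TLD, a name under an unregistered TLD, or a public name. The root zone subset, the category labels, the sample SAN list and the helper names (`classify_name`, `names_needing_action`, `load_root_zone`) are all constructed for the example; a real audit must load the current IANA root zone file, because a TLD delegated after your check turns an "internal" name into somebody else's domain.

```python
"""Audit CN / subjectAltName values for Reserved IP Addresses and Internal
Names in the sense of the CA/Browser Forum Baseline Requirements.

Added example for this article, not TBS Internet's own tooling.
"""
import ipaddress

# Constructed subset of the IANA Root Zone Database so the example runs
# offline. A real audit must load the current list (one upper-case TLD per
# line, '#' comments): https://data.iana.org/TLD/tlds-alpha-by-domain.txt
IANA_ROOT_ZONE_SUBSET = frozenset({"COM", "NET", "ORG", "INT", "FR", "UK", "DE"})

# TLDs the article lists as tolerated for internal-use certificates.
INTERNAL_USE_TLDS = frozenset({
    "test", "example", "invalid", "localhost",   # RFC 2606 / RFC 6761 registry
    "local",                                      # mDNS, RFC 6762
    "lan", "priv", "localdomain",                 # conventions only, no RFC reservation
})


def load_root_zone(path):
    """Parse a local copy of tlds-alpha-by-domain.txt into a set of upper-case TLDs."""
    with open(path, encoding="ascii") as fh:
        return frozenset(line.strip().upper() for line in fh
                         if line.strip() and not line.startswith("#"))


def classify_name(name, public_tlds=IANA_ROOT_ZONE_SUBSET):
    """Return one of: reserved-ip, public-ip, public-name,
    internal-name:no-dot, internal-name:reserved-tld, internal-name:unregistered-tld."""
    value = name.strip().rstrip(".").lower()   # trailing dot and case are not significant

    # An iPAddress SAN, or an IP literal placed in the CN.
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 1918 blocks are is_private; loopback, link-local, multicast,
        # unspecified and 240/4 are the other IANA-reserved ranges.
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return "reserved-ip"
        return "public-ip"

    # A wildcard label does not change which TLD the name ends with.
    if value.startswith("*."):
        value = value[2:]
    if "." not in value:
        return "internal-name:no-dot"          # e.g. "server1", "mymailserver"

    tld = value.rsplit(".", 1)[1]
    if tld.upper() in public_tlds:
        return "public-name"                   # verifiable in the public DNS
    if tld in INTERNAL_USE_TLDS:
        return "internal-name:reserved-tld"
    return "internal-name:unregistered-tld"    # e.g. ".prod": may be delegated later


def names_needing_action(names, public_tlds=IANA_ROOT_ZONE_SUBSET):
    """Entries the deprecation applies to: every Reserved IP Address and every Internal Name."""
    return [n for n in names
            if classify_name(n, public_tlds) not in ("public-name", "public-ip")]


if __name__ == "__main__":
    # Constructed SAN list for demonstration; no real certificate is read here.
    sample_sans = ["server123.intranet.mydomain.com", "server1", "mail.corp.local",
                   "www.intranet.prod", "10.0.0.12", "192.168.1.1", "8.8.8.8", "::1"]
    for entry in sample_sans:
        print(f"{entry:35} {classify_name(entry)}")
    print("needs replacement before 2015-11-01:", names_needing_action(sample_sans))
```

Re-run the audit whenever ICANN delegates new gTLDs: passing a root zone that now contains a TLD you had been using internally reclassifies those names as public, which is exactly the situation in which the certificate is revoked unless you can demonstrate control of the domain.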

Edit 20130318 - ICANN imposes new rules

ICANN has published a new document setting out rules for the issuance of SSL certificates for internal domain names:

  • Within 30 days after ICANN has approved a new gTLD for operation, each certification authority must cease issuing certificates containing a Domain Name that includes the new gTLD.
  • For already issued certificates: within 120 days after the contract for a new gTLD is published, certification authorities must revoke each certificate containing a Domain Name that includes the new gTLD, unless the subscriber is the registrant of the domain name or can demonstrate control over it.

TBS INTERNET WILL SUPPLY CERTIFICATES WITH INTERNAL NAMES UP UNTIL 2015-09-30

TBS INTERNET will keep issuing SSL certificates holding one or more internal names until September 30th, 2015.

Offer conditions: as of November 1st, 2015, SSL certificates securing internal names must have disappeared entirely. Consequently, the certificates we provide between November 1st, 2014 and September 30th, 2015 must expire on October 30th, 2015.

The validity period of these certificates will therefore be shortened and you will lose the remaining days.

External links