SAN internal names end of support
Hi,
The following document https://www.cabforum.org/Baseline_Requirements_V1.pdf, section 9.2.1, states:
As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName
extension or Subject commonName field containing a Reserved IP Address or Internal Server Name, the CA
SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and
that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a
certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject
commonName field containing a Reserved IP Address or Internal Server Name. Effective 1 October 2016, CAs
SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field
contains a Reserved IP Address or Internal Server Name
It sounds like SRV-EXC01 or myserver.mydomain.local names won't be allowed anymore in SSL SAN certificates issued by official CAs.
Any feedback about that?
Christian G.
May 31st, 2012 12:00pm
Hi
Yes, this change is coming in over the next 3 - 4 years. It is already best practice in Exchange 2010 to use split DNS and not have any internal names on the certificate.
Cheers, Steve
May 31st, 2012 12:21pm
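
An added example, not part of the thread: one way to audit the names on a certificate against the section 9.2.1 text quoted above, flagging Internal Server Names and Reserved IP Addresses and checking the 1 November 2015 expiry limit. The suffix list, function names and sample values are assumptions made for illustration; a real audit would compare against the current public TLD list.

```python
import ipaddress
from datetime import date

# Assumption: a small sample of suffixes that are not delegated in public DNS.
NON_PUBLIC_SUFFIXES = {"local", "localdomain", "lan", "internal", "corp", "home"}
# From the quoted text: no issuance with an Expiry Date later than this.
EXPIRY_LIMIT = date(2015, 11, 1)


def classify(name):
    """Return 'reserved-ip', 'internal-name' or 'public' for one SAN/CN value."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # is_global is False for private, loopback, link-local and other reserved ranges.
        return "public" if ip.is_global else "reserved-ip"
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":          # ignore a wildcard label
        labels = labels[1:]
    # Single-label host names (SRV-EXC01) and non-public suffixes (.local) are internal.
    if len(labels) < 2 or labels[-1] in NON_PUBLIC_SUFFIXES:
        return "internal-name"
    return "public"


def audit(names, not_after):
    """Report the names covered by section 9.2.1 and whether the expiry breaks the limit."""
    flagged = {}
    for name in names:
        kind = classify(name)
        if kind != "public":
            flagged[name] = kind
    return {
        "flagged": flagged,
        "expiry_violation": bool(flagged) and not_after > EXPIRY_LIMIT,
    }


if __name__ == "__main__":
    # Constructed sample: the two names from the question plus a public name and a private IP.
    sample = ["mail.example.com", "SRV-EXC01", "myserver.mydomain.local", "10.0.0.5"]
    report = audit(sample, date(2016, 5, 31))
    for name, kind in report["flagged"].items():
        print(f"{name}: {kind}")
    print("expiry violation:", report["expiry_violation"])
```

With split DNS, as the reply suggests, only the public name remains on the certificate and `audit` returns an empty `flagged` set.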