The CA/Browser Forum recently published Baseline Requirements for CAs issuing SSL certificates. Major software vendors have announced that they will integrate the standard into their distribution programmes for all trusted CA roots.
Section 9.2.1 of the Baseline Requirements deprecates the use of "non-unique names" in publicly-trusted SSL certificates. There are growing concerns that this practice may create vulnerabilities which allow attackers to perform "man in the middle" attacks and eavesdrop on secure connections.
As a result, trusted CAs must phase out the use of internal server names and reserved IP addresses in the Subject commonName field or SubjectAlternativeName extension of trusted SSL certificates according to the following schedule:
- July 1, 2012:
  - CAs must start to notify customers that the practice has been deprecated.
  - CAs may not issue affected SSL certificates with an Expiry Date later than November 1, 2015.
- October 1, 2016:
  - CAs must revoke all remaining unexpired affected SSL certificates.
To limit their risk, we recommend that customers begin using Fully Qualified Domain Names to access internal resources and stop using certificates containing internal server names and private IP addresses as soon as possible.
QuoVadis will provide transition information for affected users of Trust/Link Enterprise.
Fully-Qualified Domain Name
: A registered Domain Name that includes the labels of all superior nodes in the Internet Domain Name System (DNS). For example: example.quovadisglobal.com. NOTE: this means you must use a registered domain name but does not mean that domain must be reachable from the public Internet.
Internal Server Name
: A Server Name (which may or may not include an unregistered Domain Name) that is not resolvable using the public DNS. For example: mail, exchange, exch01, example.local, or localhost.
Reserved IP Address
: An IPv4 or IPv6 address that the IANA has marked as reserved:
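As an added example (not QuoVadis's own code or tooling), the following Python check classifies the CN/SAN values of a certificate according to the three definitions above and applies the deadlines from the schedule. The NON_PUBLIC_SUFFIXES list and the single-label rule are assumptions standing in for a live public-DNS lookup, and the sample SAN line is constructed.

```python
import ipaddress
from datetime import date
# Schedule from the Baseline Requirements summary above.
LAST_PERMITTED_EXPIRY = date(2015, 11, 1)  # latest Expiry Date for affected certificates
REVOCATION_DEADLINE = date(2016, 10, 1)    # unexpired affected certificates revoked by then
# Assumption: suffixes the public DNS never resolves. The page's test is "not
# resolvable using the public DNS"; offline we approximate it with this list plus
# single-label names, so treat a hit as a candidate to verify against real DNS.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp", ".home")
SAN_PREFIXES = ("DNS:", "IP Address:")  # as printed by `openssl x509 -text`

def classify_name(name: str) -> str:
    """Map one CN/SAN value to reserved_ip, public_ip, internal_name or fqdn."""
    value = name.strip().rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        # is_global is False for every IANA special-purpose range (RFC 1918,
        # loopback, link-local, shared address space, ULA, documentation, ...).
        return "public_ip" if addr.is_global else "reserved_ip"
    if "." not in value or value == "localhost" or value.endswith(NON_PUBLIC_SUFFIXES):
        return "internal_name"
    return "fqdn"

def parse_openssl_san(line: str) -> list:
    """Split an openssl-style SAN line ('DNS:a, IP Address:1.2.3.4') into bare values."""
    entries = []
    for item in (part.strip() for part in line.split(",")):
        for prefix in SAN_PREFIXES:
            if item.startswith(prefix):
                item = item[len(prefix):].strip()
        if item:
            entries.append(item)
    return entries

def audit_certificate(names, not_after_iso: str) -> dict:
    """Apply the schedule: affected names, whether the expiry is still permitted for a
    new issuance, and whether the certificate falls under the 2016 revocation rule."""
    not_after = date.fromisoformat(not_after_iso)
    affected = [n for n in names if classify_name(n) in ("reserved_ip", "internal_name")]
    return {
        "affected_names": affected,
        "issuable": not affected or not_after <= LAST_PERMITTED_EXPIRY,
        "revoke_by": REVOCATION_DEADLINE if affected and not_after > REVOCATION_DEADLINE else None,
    }

# Constructed sample in the format `openssl x509 -noout -ext subjectAltName` prints.
SAMPLE_SAN = "DNS:mail, DNS:mail.example.com, DNS:exch01.example.local, IP Address:10.0.0.5"
```

Run it as `audit_certificate(parse_openssl_san(SAMPLE_SAN), "2017-03-01")` to see the three affected names, `issuable` False and a revocation deadline; a certificate carrying only public FQDNs comes back with no findings.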
QuoVadis Deprecated Certificate Guidance for internal hostnames and private IP addresses