Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


20120312 - SSL certificates: CN, SAN, IP and internal names

As of July 1, 2012 (Effective Date), the use of Certificates containing Reserved IP Address or Internal Name has been deprecated by the CA / Browser Forum and the practice will be eliminated by October 2016.

Note: This is part of a larger plan by the CA/Browsers Forum. See Baseline Requirements Creation - V1

Definition - Internal Name: Refers to a character string (not an IP address) present in the CN (Common Name) or SAN (Subject Alternative Name) field of the certificate and which cannot be proven to be globally unique within the public DNS at the time the certificate is issued because it does not end with a Top Level Domain registered at IANA.

What consequences for your SSL certificates' validity dates?

According to this directive, the certification authorities will not issue a certificate expiring after November 1st, 2015 with a subjectAlternativeName (SAN) extension or Subject commonName (CN) field containing a Reserved IP Address or Internal Name.

The same way, from 1 October 2016, certification authorities will revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name.

In general, a domain name, whether for internal or external use, containing an unregistered gTLD (generic Top Level Domain) or a ccTLD (country code TLD) that is not registered or controlled by IANA will be rejected. This includes (but is not limited to) the use of .INT as an internal name.

We advise not to use internal domain names and to modify the domains the are currently in use, for example:

  • Use sub-domains of a domain that has previously been registered to your ISP, whether they are, or not, entered in the external DNS (server123.intranet.mydomain.com for example)

  • For a Microsoft environment, see Rename an active directory domain

What was accepted before November 1st 2015

Here under is a list of what will remain acceptable for internal use SSL certificates.

  • The following IP blocks are defined as private and non-routable over the internet, thus acceptable to be issued for internal use (see : RFC1918):

    • 10.0.0.0 – 10.255.255.255
    • 172.16.0.0 – 172.31.255.255
    • 192.168.0.0 – 192.168.255.255

  • Any single server name containing no dots, such as:

    • server1
    • mymailserver

  • The following internal use TLD's referenced in RFC2606 or in the register created by RFC6761:

    • .test
    • .example
    • .invalid
    • .localhost
    • .local
    • .lan
    • .priv
    • .localdomain

Any certificate request containing an unreserved TLD, that is not listed here above, will be examined on a case by case basis but will probably be denied.

WARNING: A Certificate Authority may agree (at its discretion) to issue a certificate containing an invalid Internal TLD not listed above. NOTE that if this TLD is recognized by IANA / ICANN as being valid, this certificate will be immediately revoked without notice. You will be required to prove that you own or control the domain before the certificate can be reissued.

Consult the list of TLD being examined by the ICANN

For example, certificates with an address in the CN (Common Name) ending in ".prod" are no longer issued by the Comodo authority since July 1, 2012, even if this extension is not yet available from a "registrar".

The currently valid certificates using those TLDs may be revoked anytime without notice. The pending request are, for now, suspended.

Edit 20130318 - ICANN imposes new rules

ICANN today published a document defining new rules for issuing SSL certificates to secure one or more internal domains:

  • Within 30 days after ICANN has approved a new gTLD for operation, each Certification Authority must cease issuing Certificates containing a Domain Name that includes the new gTLD.
  • About the already issued certificates: Within 120 days after the publication of a contract for a new gTLD is published on, Certification Authorities must revoke each Certificate containing a Domain Name that includes the new gTLD.

TBS INTERNET WILL SUPPLY CERTIFICATES WITH INTERNAL NAMES UP UNTIL 2015-09-30

TBS INTERNET will keep issuing SSL certificates holding one or several internal names until September 30th, 2015.

Offer conditions: As of November 1st, 2015, SSL certificates securing internal names must have completely disappeared. Consequently, the certificates we will provide between November 1st 2014 and September 30 2015 must expire on October 30 2015.

The validity period of these certificates will then be shortened and you will loose the remaining days.

External links