+45 77 34 56 78

phasing out internal server names

Cabforum, which all major certificate issuers and browser producers are part of, has agreed on a series of requirements all certificate issuers has to abide by.


One of these requirements is to rapidly phase out internal server names in SSL-certificates from all publicly recognized certificate issuers.

The reason for this is to protect against Ma-in-The-Middle (MTM) attacks where it's possible to pretend being an internal server using a publicly recognized SSL-certificate.


FairSSLs recommendation for our customers
  • When installing new systems, configure them without the use of internal server names if at all possible, fx. through split DNS
  • Alternatively use an internal CA in combination with a public SSL-certificate. (we can assist/inform about internal PKI solutions)

 


Which server names are internal

Following is some examples of internal server names. If a certificate contains one of these it will no longer be accepted:

  • server01
  • exch01.fairssl.local
  • srv01.domain.lan
  • localhost
  • 192.168.100.10
  • 10.0.0.10

Full details about this and other requirements can be read in the requirements document CA/Browser Forum - Baseline Requirements - v.1.0

Back