About Me

TsooRad is a blog for John Weber. John is a Lync Server MVP (2010-2014). My day job is titled "Principal Consulting Engineer" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2012/10/02

Private Domain Certificates

Today, you can get a public Certificate Authority (DigiCert, Entrust, etc.) to issue you a trusted certificate for your internal domain. For instance, if you have an internal AD name such as domain.local, or domain.tld, or any other name that is not registered with the governing body, your certificate provider will still issue you a certificate for the FQDNs of your internal servers, and your devices will trust that certificate provided they trust the issuer – standard fare for most of the public CA issuers.

In an effort to tighten security on the Internet by creating more stringent standards, the CA/Browser Forum recently formulated new guidelines in their Baseline Requirements for issuing SSL certificates.

One of the new changes is the elimination of certificates using internal names. This change makes it impossible to obtain a publicly trusted certificate for any host name that cannot be externally verified as being owned by the organization that is requesting the certificate. According to this CA/Browser document:

Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Server Name.

In addition, it appears that internal name certificates will NOT be issued after 1 Nov 2015. Or, at least DigiCert will not issue them after that date:

In accordance with this new standard, DigiCert will no longer issue certificates to these internal names with expiration dates after November 1, 2015.

If you fall into this category, you should begin planning now to: a) deploy internal PKI and figure out how that action will change your environment(s); or b) change your internal AD DS name (yuk!).
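Before you can plan either option you need to know which of your certificates are affected. The following audit check is an added example (not from this post, DigiCert or the CA/Browser Forum) that applies the quoted rule to a certificate inventory: it flags every SAN/CN value that is a Reserved IP Address (any non-globally-routable IPv4/IPv6 address) or an Internal Server Name (a single-label host, or a name under a suffix that does not exist in the public DNS). The inventory and the suffix list are constructed for the example.

```python
import ipaddress
# Suffixes never delegated in the public DNS (RFC 2606/6761) plus names commonly
# used for private AD forests. Assumed for this example; a real audit should check
# the right-most label against the current IANA root-zone TLD list instead.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "intranet", "lan",
                       "corp", "home", "private", "test", "example", "invalid"}

def classify_name(name):
    """Classify one SAN/CN value as 'reserved-ip', 'internal-name' or 'public'."""
    value = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 1918, loopback, link-local, documentation and ULA ranges are all
        # non-global, and all count as Reserved IP Addresses under the rule.
        return "public" if ip.is_global else "reserved-ip"
    labels = value.split(".")
    if labels[0] == "*":            # wildcard: judge the base name
        labels = labels[1:]
    if len(labels) < 2:             # single-label host such as "lync" or "mail"
        return "internal-name"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return "internal-name"
    return "public"

def audit_certificates(inventory):
    """Map cert label -> [(name, reason), ...] for every cert with an offending SAN/CN."""
    findings = {}
    for label, names in inventory.items():
        rated = [(n, classify_name(n)) for n in names]
        bad = [(n, r) for n, r in rated if r != "public"]
        if bad:
            findings[label] = bad
    return findings

# Constructed sample inventory, shaped like a Lync/Exchange deployment's SANs.
SAMPLE_INVENTORY = {
    "lync-edge": ["sip.contoso.com", "webconf.contoso.com", "av.contoso.com"],
    "lync-frontend": ["pool01.contoso.com", "pool01.contoso.local", "lync"],
    "exchange-cas": ["mail.contoso.com", "autodiscover.contoso.com", "cas01.corp", "192.168.10.20"],
    "admin-portal": ["*.contoso.com", "10.0.0.5", "127.0.0.1"],
}

if __name__ == "__main__":
    for cert, problems in audit_certificates(SAMPLE_INVENTORY).items():
        for name, reason in problems:
            print(f"{cert}: {name} ({reason})")  # e.g. lync-frontend: lync (internal-name)
```

Anything this reports is a certificate a public CA will stop renewing and later revoke, so it belongs on the list for your internal PKI or the rename.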

Interesting note: www.digicert.com is already planning ahead to help you out! See this nifty tool.

YMMV
