New Rules for Public Certificates

Hallo zusammen,

Es gibt einige Änderungen was öffentliche SSL Zertifikate betrifft. Interne IP's und Interne Domains dürfen nicht mehr im Subject Alternative Name (SAN) eines Zertifikats eingetragen werden.

Hier einige Dokumente welche das beschreiben

• Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0
• CA/Browser Forum: Internal Server Names and IP Address Requirements for SSL

Eine gute Zusammenfassung was das Bedeutet gibt es auf dem NextHop Blog "How Changes to Public Certification Authority Standards Will Affect You

• The Subject Name / Common Name field is deprecated and discouraged for use.
• IP addresses and DNS names not registered with public DNS and IP address authorities are no longer able to acquire public certification authority certificates, affecting external Web server communication over HTTPS, or other communications that require a public certificate.
• Public certificates issued after November 1, 2015 must follow these rules.
• Public certificates in use on October 1, 2016 will be forcibly expired, requiring the owner to request a new certificate that complies with the rules.
• If you need to support an internal domain name or IP address scope that is either not assigned to you or is in the private IP address range for use for private networks, you must use an internal private/enterprise PKI to issue all internal certificates for your user and server purposes.