Changes

CA/Forbidden or Problematic Practices

38 bytes added, 00:43, 12 November 2015
Certificates referencing hostnames or private IP addresses
[http://www.globalsign.com/resources/white-paper-internal-server-names-ip-address-requirements.pdf Guidance on the Deprecation of Internal Server Names and Reserved IP Addresses]
[http://www.cabforum.org/documents.html CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates], BR 9.2.1 (section 7.1.4.2.1 in BR version 1.3): “As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName (SAN) extension or Subject Common Name field containing a Reserved IP Address or Internal Server Name, the CA shall notify the Applicant that the '''use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016'''. Also as of the Effective Date, the CA shall not issue a certificate with an Expiry Date later than 1 November 2015 with a SAN or Subject Common Name field containing a Reserved IP Address or Internal Server Name. As from 1 October 2016, CAs shall revoke all unexpired Certificates.”
It is also a problematic practice to issue a certificate that contains non-resolvable DNS names or private IP addresses together with resolvable DNS addresses.
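An added example, not part of the wiki page or the Baseline Requirements: a Python check that flags Subject Common Name / SAN values that are internal names or reserved IP addresses, applies the 1 November 2015 expiry cutoff from the quoted text, and detects the mixed case described above. The function names, the finding codes, the small `PUBLIC_TLDS` set and the use of `ipaddress`'s `is_global` as an approximation of "Reserved IP Address" are assumptions of this example.

```python
import ipaddress
from datetime import date

# Assumption: tiny constructed stand-in for the public TLD list; a real check
# would load the IANA root zone database or the Public Suffix List.
PUBLIC_TLDS = {"com", "org", "net", "de"}
EXPIRY_CUTOFF = date(2015, 11, 1)  # "Expiry Date later than 1 November 2015"


def classify_name(value):
    """Classify one Subject CN or SAN value."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        # Not an IP literal: treat as a DNS name and look at its last label.
        labels = value.rstrip(".").lower().split(".")
        if len(labels) < 2 or labels[-1] not in PUBLIC_TLDS:
            return "internal-name"
        return "public-name"
    # Approximation: anything Python does not consider globally routable
    # (RFC 1918, loopback, link-local, ...) counts as a Reserved IP Address.
    return "public-ip" if ip.is_global else "reserved-ip"


def audit_certificate(names, not_after):
    """Return sorted finding codes for a certificate's CN/SAN values."""
    kinds = {name: classify_name(name) for name in names}
    flagged = [n for n, k in kinds.items() if k in ("internal-name", "reserved-ip")]
    findings = set()
    if flagged:
        findings.add("INTERNAL_OR_RESERVED")
        if not_after > EXPIRY_CUTOFF:
            findings.add("EXPIRES_AFTER_CUTOFF")
        if len(flagged) < len(kinds):
            # Public and non-public identifiers in the same certificate.
            findings.add("MIXED_WITH_PUBLIC")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample inputs (name lists as already extracted from certificates).
    samples = [
        (["www.example.com", "mail.corp.local", "10.0.0.5"], date(2016, 6, 1)),
        (["intranet"], date(2015, 10, 1)),
        (["www.example.org"], date(2017, 1, 1)),
    ]
    for names, not_after in samples:
        print(names, not_after, audit_certificate(names, not_after))
```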