=== Issuing SSL Certificates for Internal Domains ===
There are various problems associated with issuing certificates for servers on internal networks under the same CA hierarchy as certificates for servers on public networks. Section 7 of [http://www.mozilla.org/projects/security/certs/policy/ Mozilla’s CA Certificate Policy] states that CAs need to take reasonable measures to verify that the entity submitting the certificate signing request owns/controls the domain to be referenced in the certificate. However, there are still CAs who issue SSL/TLS certificates whose names reference unqualified hostnames, non-valid TLDs and (internal) IP addresses. In the future Mozilla may elect to update the CA Certificate Policy to more specifically disallow internal domain names in SSL certificates.
If you issue certificates for internal domains within your CA hierarchy, Mozilla requests that you take the following actions:
# Perform an internal audit to look for certificates that have been issued within your CA hierarchy which have .int domain names in the Common Name and/or as DNS Names in the subjectAlternativeName. For each of these certificates, check to see if the certificate subscriber owns/controls that domain name, and revoke the certificate if they do not own/control that domain name.
# Review your controls/procedures (both internally and your RAs) for correct identification of internal and external domain names and verification that subscribers own/control the domain name to be included in their certificate. Please refer to these documents:
#* Section 7 of [http://www.mozilla.org/projects/security/certs/policy/ Mozilla’s CA Certificate Policy]
#* [[CA:Recommended_Practices|Recommended practices for CAs]]
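The audit step above, as an added example that is not part of the wiki page or of any CA's tooling: it takes the Common Name and subjectAlternativeName dNSName values already extracted from each issued certificate (with whatever certificate parser the CA uses) and flags values that do not look like public DNS names. The suffix list, the sample records and the `is_internal_name`/`audit` helper names are assumptions and should be aligned with the CA's own definition of an internal name.

```python
import ipaddress

# Suffixes treated as non-public names. Assumption: tune this list to the
# CA's own policy; it is deliberately conservative and not authoritative.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home",
                     ".localhost", ".test", ".example", ".invalid")


def is_internal_name(name: str) -> bool:
    """Return True when a CN or SAN dNSName value does not look like a
    public, registrable DNS name (unqualified host, reserved suffix, or a
    non-global IP address such as an RFC 1918 range)."""
    n = name.strip().rstrip(".").lower()
    if not n:
        return True
    try:
        # IP literals: private, loopback, link-local, etc. are not global.
        return not ipaddress.ip_address(n).is_global
    except ValueError:
        pass  # not an IP literal; treat as a DNS name
    if n.startswith("*."):
        n = n[2:]
    if "." not in n:          # single-label host such as "mailserver"
        return True
    return any(n.endswith(s) for s in INTERNAL_SUFFIXES)


def audit(certs):
    """certs: iterable of (serial, common_name, [san dNSName values]).
    Returns {serial: [offending names]} for certificates to be checked
    for domain ownership and revoked if the subscriber lacks control."""
    flagged = {}
    for serial, cn, sans in certs:
        names = list(dict.fromkeys([cn, *sans]))  # de-duplicate, keep order
        bad = [x for x in names if x and is_internal_name(x)]
        if bad:
            flagged[serial] = bad
    return flagged


# Constructed sample records (not real certificates): serial, CN, SAN list.
SAMPLE = [
    ("01", "www.example.com", ["www.example.com", "example.com"]),
    ("02", "mail.example.com", ["mail.example.com", "mailserver"]),
    ("03", "intranet.local", ["intranet.local", "10.0.0.5"]),
    ("04", "*.example.org", ["*.example.org"]),
]

if __name__ == "__main__":
    for serial, bad in audit(SAMPLE).items():
        print(f"serial {serial}: review/revoke, internal names {bad}")
```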