No More SSL Certs with Internal Names after 01/Nov/2015

Nov 2015: No More SSL Certs with Internal Names

In July 2012, the CA/Browser Forum, the industry standards board for Certificate Authorities and the browsers that use their certificates, decided to deprecate the use of reserved IP addresses and internal names in certificates, effective November 1st 2015. All such certificates still outstanding must be revoked by October 31, 2016.

Internal Names
An internal name is a domain in a private network that is not resolvable using the public Domain Name System (DNS). It either has no domain suffix at all, or its suffix is not a public domain name. For example, my.mailserver.local or company.us.internal.

A malicious actor with these certificates could go on to perform man-in-the-middle attacks on closed networks such as public or corporate WiFi. Some of these previously internal names may now even be registered in public DNS with the introduction of the new gTLDs. One example would be the new gTLD ‘.exchange’.

Trusted certificates issued by certificate authorities are generally issued to ‘real’ public domain names, such as ‘www.sslpoint.com’. The certificate authority can validate that a single organization has unique control or ownership of such a ‘real’ domain name before signing and issuing the certificate.

Internal names have no such unique owner for a certificate authority to validate: the same name can be in use on any number of unrelated private networks. Therefore, anyone could obtain a trusted certificate for an internal name.

If you are using internal names, you must configure those servers to use a fully qualified domain name (FQDN) before November 1, 2015.
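To find certificates that fall under this rule before the deadline, the subjectAltName entries can be checked against the two criteria above: reserved IP addresses and names whose suffix is not a public domain. The following is an added example written for this page, not code from the CA/Browser Forum or from any CA; it uses a small constructed sample of public TLDs in place of the full IANA list, and the sample SAN list is constructed as well.

```python
import ipaddress

# Constructed sample of public top-level domains for the demo; a real audit
# would load the full IANA TLD list (or the Public Suffix List) instead.
PUBLIC_TLDS = {"com", "net", "org", "io", "co", "uk", "de", "exchange"}


def is_reserved_ip(value):
    """True if value is an IP literal outside the globally routable space."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False          # not an IP literal at all
    return not ip.is_global   # RFC 1918, loopback, link-local, TEST-NET, ...


def is_internal_name(name):
    """True if a dNSName cannot be resolved in public DNS by construction."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):          # wildcard: judge the base name
        host = host[2:]
    labels = host.split(".")
    if len(labels) < 2:
        return True                    # single label, e.g. "mail"
    return labels[-1] not in PUBLIC_TLDS


def classify_san(entry):
    """Classify one SAN entry as reserved-ip, public-ip, internal-name or public-name."""
    if is_reserved_ip(entry):
        return "reserved-ip"
    try:
        ipaddress.ip_address(entry)
        return "public-ip"
    except ValueError:
        pass
    return "internal-name" if is_internal_name(entry) else "public-name"


def audit_sans(entries):
    """Return the SAN entries that violate the November 2015 rule."""
    return [e for e in entries if classify_san(e) in ("reserved-ip", "internal-name")]


# Constructed subjectAltName list resembling one from an older internal server cert.
SAMPLE_SANS = ["www.sslpoint.com", "*.sslpoint.com", "my.mailserver.local",
               "company.us.internal", "mail", "mail.exchange",
               "10.0.0.5", "192.0.2.10", "2001:db8::1", "198.41.0.4"]

if __name__ == "__main__":
    for e in SAMPLE_SANS:
        print(f"{e:24} {classify_san(e)}")
```

Note that mail.exchange classifies as a public name: with the new gTLD it is a registrable name, which is exactly why a certificate once issued for it as an "internal" name is a problem.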