3rd party SSL Certificates to Expire

All publicly trusted SSL Certificates issued to internal names and reserved IP addresses will expire by November 1, 2015.

In November 2011 the CA/Browser Forum (CA/B) adopted Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, which took effect on July 1, 2012.

The requirements stated:

  • CAs should notify applicants prior to issuance that use of certificates with a Subject Alternative Name (SAN) extension or a Subject Common Name field containing a reserved IP address or internal server name has been deprecated by the CA/B.
  • CAs should not issue a certificate with an expiration date later than November 1, 2015 with a SAN or Subject Common Name field containing a reserved IP address or internal server Name.

To read the rest of the article from DigiCert click here.

What does this mean for you?

If you have a publicly issued certificate for a server/network resource using a name like:

  • web1
  • web1.internal-only-domain.com
  • web1.domain.local
  • web1.domain.internal
  • 192.168.x.x
  • 10.x.x.x
  • 172.16.x.x

That certificate will expire by Nov 1, 2015. This will most likely effect Exchange deployments due to the high number of sites that use internal domain names for their exchange resources. Internal CA’s certificates will continue to work. This will only effect how 3rd parties issue and deal with these types of certificates.

More information can be found at the following links: