Security 101 07-10-2015

Replace Your Certificates for Internal Names

Flavio Martins

Your publicly trusted SSL Certificates issued to internal names or reserved IP addresses are going to expire by October 31, 2015. After this date, all internal connections that require a publicly trusted certificate must use names/IP addresses that are registered and verifiable. It does not matter if those services are publicly accessible.

Halloween may seem far away, but it will come quickly. If you put off replacing your publicly trusted, expiring internal name/reserved IP address SSL Certificates until then, your Halloween may turn out to be full of nasty tricks instead of tasty treats. The sooner you act the better it is for you, your company, and the Halloween plans you hope to keep.

You can read more about internal names here and find instructions for reconfiguring your Exchange servers here: Replace Your Certificates for Internal Names – Part II.

We recommend subscribing to this blog. We will keep it updated if additional information or changes are required. Also, please feel free to leave comments or questions. We will answer questions as they are received.

What Are Internal Names and Reserved IP Addresses?

Internal names include hosts and domains that cannot be registered or resolved in public DNS (e.g., server01 or server.local).

Reserved IP addresses cannot be registered for use on public networks. They include IPv4 or IPv6 addresses the Internet Assigned Numbers Authority (IANA) marks as reserved. The most common reserved ranges are 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0- 192.168.255.255. For additional information about reserved IP addresses, click here.

Reserved IP Address Note: From this point forward, we will use the term "internal names" to refer to both internal names and reserved IP addresses.

How to Replace Your Internal Name Certificates

All internal connections that require a publicly trusted certificate must use names or IP addresses that are registered and verifiable. It does not matter if those services are publicly accessible.

I. Check for Internal Names

  1. Select a Publicly Registered Domain
  2. Use the Internal Name Tracker to Reissue Your SSL Certificates
  3. Install the Reissued Certificates
  4. Reconfigure Your Servers and Environment
  5. Test SSL Certificate Installation

     

II. Check for Internal Names

First, verify the internal names used in your environment.

  1. Check Your Network and find out what internal names are being used, where they are being used, and which parts of your environment may need to be reconfigured (e.g., servers, DNS server, firewalls, etc.) when you begin replacing internal name certificates.
  2. Check Your SSL Certificates and decide which internal names you can remove and which ones you need to replace.

    1. Log into your DigiCert account.
    2. In your account, go to the Internal Name Certificates page.
      On the My Orders tab, in the "Warning" banner, click the Internal name certificate(s) link.
    3. All your certificates issued to internal names are listed on this page.

    4. To see what internal names are on a certificate, click the Details link for the certificate.

II. Select a Publicly Registered Domain

Before you replace your SSL Certificates, decide what publicly registered domain names you want to use in place of your internal names.

You can use your existing publicly registered domain name (e.g., domain.com), or you can purchase a new publicly registered domain name (e.g., internaldomain.com).

III. Use the Internal Name Tracker to Reissue Your Certificates

Use our Internal Name Tracker to quickly and easily remove and/or replace the internal names and then reissue the certificate.

Internal Name Tracker Note: Because all internal name certificates will expire before November 1, 2015, using the Internal Name Tracker to reissue your certificates does not revoke the original certificate or any duplicates. This provides you with the time to get everything ready for when you start installing your reissued certificates and reconfiguring your servers and environment.

In your DigiCert account on the Internal Names Certificates page, you will find a reissue option for each certificate and a replace option for each duplicate certificate. Before you reissue a certificate, review the name(s) on the certificate – internal and registered.

How to Reissue Your Certificates I (Public Name as Common Name) How to Reissue Your Certificates II (Internal Name as Common Name) How to Replace Your Duplicate Certificates

How to Reissue Your Certificates I (Public Name as Common Name)

Use this instruction for Unified Communications (UC) Certificates where the common name is a publicly registered domain name but some or all of the SANS names are internal names or reserved IP addresses.

  1. On the Internal Names Certificates page in your account, click Reissue to add # days.
  2. To Remove/Replace Internal NamesIn the Reissue Certificate window, do one of the following options (a or b): (a) Select Remove internal names from this certificate

    We list the internal names that will be removed.

    (b) Select Replace internal names on this certificate.

    We list the internal names that you need to replace and provide a box to enter the replacement name. In the box next to the internal name, enter the publicly registered name that you want to use to replace the internal name with (e.g., localhost.yourdomain -> localhost.yourdomain.com) on the certificate.

    Note: Adding new names will require validation to be completed before the new certificate is issued.
  3. To Create a CSR

    In the Reissue Certificate window, do one of the following options (a or b):(a) Select Rekey this certificate using the original CSR.

    We will use the original CSR submitted to reissue your UC Certificate.

    (b) Select Rekey this certificate using a new CSR.

    You need to generate a new CSR with the publicly registered domain on the server where the current certificate is installed. If you don't know where the private key is located, or if you feel more comfortable creating a new CSR, use this option.

    The support section of the DigiCert website has a number of support articles to answer any questions you have about creating a CSR.

    If you want a simple way to create a CSR that works on any Microsoft server platform, then use the DigiCert® Certificate Utility for Windows. See CSR Creation Instructions for Microsoft Servers.

  4. Reissue Your Certificate

    When you are finished removing or replacing the internal names on the certificate, click Reissue.

How to Reissue Your Certificates II (Internal Name as Common Name)

Use this instruction for UC Certificates where the common name is an internal name or reserved IP address, for SSL Plus Certificates, and for Wildcard Plus Certificates.

  1. On the Internal Names Certificates page in your account, click Reissue to add # days.
  2. To Create a CSR

    On the Reissue Certificate (Order #) page, do one of the following options (a or b):(a) Upload your CSR.

    Click the Click to upload a CSR link to browse for, select, and open your CSR file.

    (b) Paste your CSR.

    Use a text editor to open your CSR file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in to the request form in the area provided.

    The support section of the DigiCert website has a number of support articles to answer any questions you have about creating a CSR.

    If you want a simple way to create a CSR that works on any Microsoft server platform, then use the DigiCert® Certificate Utility for Windows. See CSR Creation Instructions for Microsoft Servers.

  3. Replace the Common NameSSL Plus and Wildcard Plus Certificates

    Replace the common name with a publicly registered domain name. For Wildcard Plus Certificates, the name format is *.domain.com (e.g. *.example.com).

    UC Certificates

    Replace the common name with a publicly registered domain name. You can use a new domain name or if one of the SANs is already publicly registered, one of the SANs names.

  4. Domain Names (SANs) to SecureUC and Wildcard Plus Certificates

    Add SANs:

    In the Domain Names (SANs) to Secure box, enter the replacement SANs (publicly registered domain names) that you want included in the reissued certificate.

  5. Server Platform

    Select the server on which the CSR was generated.

  6. Advanced Options

    Check Use a SHA-2 signature hash algorithm.

  7. Reason for reissue

    Add a comment about why you are reissuing the certificate (e.g., removing internal names form the certificate).

  8. Reissue Your Certificate

    When you are finished replacing and removing the internal names on the certificate, click Submit Reissue Request.

  9.  

How to Replace Your Duplicate Certificates

After reissuing the parent certificate, use this instruction to replace your duplicate certificates.

If you don’t want to replace your duplicate certificates because you plan to install the parent certificate on your additional servers, you can click Ignore to remove the duplicate certificate from the list. All internal name duplicates will expire before November 1, 2015 (most by October 20, 2015).

  1. On the Internal Names Certificates page in your account, click Replace.
  2. To Create a CSR

    On the Get A Duplicate Certificate (Order #) page, do one of the following options (a or b):(a) Upload your CSR.

    Click the Click to upload a CSR link to browse for, select, and open your CSR file.

    (b) Paste your CSR.

    Use a text editor to open your CSR file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in to the request form in the area provided.

    The support section of the DigiCert website has a number of support articles to answer any questions you have about creating a CSR.

    If you want a simple way to create a CSR that works on any Microsoft server platform, then use the DigiCert® Certificate Utility for Windows. See CSR Creation Instructions for Microsoft Servers.

  3. Common Name

    In the drop-down list, select the domain name that you want to use for the duplicate certificate.

  4. Server Platform

    Select the server on which the CSR was generated.

  5. Note

    Add a comment about why you are reissuing the certificate (e.g., removing internal names form the certificate).

  6. Advanced Options

    Check Use a SHA-2 signature hash algorithm.

  7. Replace Your Duplicate Certificate

    When you are finished, click Request Duplicate.

IV. Install the Reissued Certificates

Install your reissued certificate(s) on your server(s) along with any additional intermediate certificates they require.

The support section of our website has articles to answer any questions you have about installing certificates in your environment.

If you are using the DigiCert® Certificate Utility for Windows, you can install your certificate with just a few clicks. See SSL Certificate Importing Instructions: DigiCert Certificate Utility.

Note: To mitigate name mismatch errors, you need to do the steps in a specific order. For example, if you use DigiCert’s Internal Names tool to reconfigure your Exchange servers, you need to install the certificate and then reconfigure. Depending on your servers' requirements, you may need to install the certificates after you reconfigure your environment.

V. Reconfigure Your Servers and Environment

You need to reconfigure your servers and environment to use a publicly registered domain name.

  1. Reconfigure Your Servers

    After selecting the publicly registered domain name, you must reconfigure your servers so that the internal names are no longer required.For Exchange servers, see our blog Replace Your Certificates for Internal Names – Part II. In Apache, this may just involve updating the ServerName in your configuration. We'll cover some common reconfigurations in future blog posts.

  2. Reconfigure Your Environment

    After you've reconfigured your servers, you may need to reconfigure parts of your environment so that the internal names are no longer required. The most common environmental change would be to reconfigure your internal DNS server. For example, you may need to set up DNS records to resolve the external domain names to the internal IP addresses of your private servers so internal users can still access them.Let's say you had a certificate issued to an internal name, such as server01, that resolved to private IP address 192.168.0.1. To secure that connection with a certificate issued to a public domain name, you would need to configure the server to use a registered domain name, like server01.yourdomain.com. You would then set up an internal DNS record to resolve server01.yourdomain.com to the internal IP address 192.168.0.1.

    Other environmental changes may include reconfiguring firewalls, proxy servers, load balancers, or other network appliances and devices set up to use the internal name.

  3.  

VI. Test SSL Certificate Installation

The last step is to test your website and make sure the certificates are installed correctly and working properly. You can use DigiCert Certificate Inspector to find any problems with installation and to ensure your servers are configured correctly.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

Why certificate automation is an absolute must

11-15-2024

4 steps to secure the IIoT device lifecycle