Your publicly trusted SSL Certificates issued to internal names or reserved IP addresses are going to expire by October 31, 2015. After this date, all internal connections that require a publicly trusted certificate must use names/IP addresses that are registered and verifiable. It does not matter if those services are publicly accessible.
Halloween may seem far away, but it will come quickly. If you put off replacing your publicly trusted, expiring internal name/reserved IP address SSL Certificates until then, your Halloween may turn out to be full of nasty tricks instead of tasty treats. The sooner you act the better it is for you, your company, and the Halloween plans you hope to keep.
You can read more about internal names here and find instructions for reconfiguring your Exchange servers here: Replace Your Certificates for Internal Names – Part II.
We recommend subscribing to this blog. We will keep it updated if additional information or changes are required. Also, please feel free to leave comments or questions. We will answer questions as they are received.
Internal names include hosts and domains that cannot be registered or resolved in public DNS (e.g., server01 or server.local).
Reserved IP addresses cannot be registered for use on public networks. They include IPv4 or IPv6 addresses the Internet Assigned Numbers Authority (IANA) marks as reserved. The most common reserved ranges are 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0- 192.168.255.255. For additional information about reserved IP addresses, click here.
Reserved IP Address Note: From this point forward, we will use the term "internal names" to refer to both internal names and reserved IP addresses.
All internal connections that require a publicly trusted certificate must use names or IP addresses that are registered and verifiable. It does not matter if those services are publicly accessible.
First, verify the internal names used in your environment.
All your certificates issued to internal names are listed on this page.
Before you replace your SSL Certificates, decide what publicly registered domain names you want to use in place of your internal names.
You can use your existing publicly registered domain name (e.g., domain.com), or you can purchase a new publicly registered domain name (e.g., internaldomain.com).
Use our Internal Name Tracker to quickly and easily remove and/or replace the internal names and then reissue the certificate.
Internal Name Tracker Note: Because all internal name certificates will expire before November 1, 2015, using the Internal Name Tracker to reissue your certificates does not revoke the original certificate or any duplicates. This provides you with the time to get everything ready for when you start installing your reissued certificates and reconfiguring your servers and environment.
In your DigiCert account on the Internal Names Certificates page, you will find a reissue option for each certificate and a replace option for each duplicate certificate. Before you reissue a certificate, review the name(s) on the certificate – internal and registered.
How to Reissue Your Certificates I (Public Name as Common Name) How to Reissue Your Certificates II (Internal Name as Common Name) How to Replace Your Duplicate Certificates
Use this instruction for Unified Communications (UC) Certificates where the common name is a publicly registered domain name but some or all of the SANS names are internal names or reserved IP addresses.
We list the internal names that will be removed.
(b) Select Replace internal names on this certificate.We list the internal names that you need to replace and provide a box to enter the replacement name. In the box next to the internal name, enter the publicly registered name that you want to use to replace the internal name with (e.g., localhost.yourdomain -> localhost.yourdomain.com) on the certificate.
Note: Adding new names will require validation to be completed before the new certificate is issued.In the Reissue Certificate window, do one of the following options (a or b):(a) Select Rekey this certificate using the original CSR.
We will use the original CSR submitted to reissue your UC Certificate.
(b) Select Rekey this certificate using a new CSR.You need to generate a new CSR with the publicly registered domain on the server where the current certificate is installed. If you don't know where the private key is located, or if you feel more comfortable creating a new CSR, use this option.
The support section of the DigiCert website has a number of support articles to answer any questions you have about creating a CSR.
If you want a simple way to create a CSR that works on any Microsoft server platform, then use the DigiCert® Certificate Utility for Windows. See CSR Creation Instructions for Microsoft Servers.
When you are finished removing or replacing the internal names on the certificate, click Reissue.
Use this instruction for UC Certificates where the common name is an internal name or reserved IP address, for SSL Plus Certificates, and for Wildcard Plus Certificates.
On the Reissue Certificate (Order #) page, do one of the following options (a or b):(a) Upload your CSR.
Click the Click to upload a CSR link to browse for, select, and open your CSR file.
(b) Paste your CSR.Use a text editor to open your CSR file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in to the request form in the area provided.
The support section of the DigiCert website has a number of support articles to answer any questions you have about creating a CSR.
If you want a simple way to create a CSR that works on any Microsoft server platform, then use the DigiCert® Certificate Utility for Windows. See CSR Creation Instructions for Microsoft Servers.
Replace the common name with a publicly registered domain name. For Wildcard Plus Certificates, the name format is *.domain.com (e.g. *.example.com).
UC Certificates
Replace the common name with a publicly registered domain name. You can use a new domain name or if one of the SANs is already publicly registered, one of the SANs names.
Add SANs:
In the Domain Names (SANs) to Secure box, enter the replacement SANs (publicly registered domain names) that you want included in the reissued certificate.
Select the server on which the CSR was generated.
Check Use a SHA-2 signature hash algorithm.
Add a comment about why you are reissuing the certificate (e.g., removing internal names form the certificate).
When you are finished replacing and removing the internal names on the certificate, click Submit Reissue Request.
After reissuing the parent certificate, use this instruction to replace your duplicate certificates.
If you don’t want to replace your duplicate certificates because you plan to install the parent certificate on your additional servers, you can click Ignore to remove the duplicate certificate from the list. All internal name duplicates will expire before November 1, 2015 (most by October 20, 2015).
On the Get A Duplicate Certificate (Order #) page, do one of the following options (a or b):(a) Upload your CSR.
Click the Click to upload a CSR link to browse for, select, and open your CSR file.
(b) Paste your CSR.Use a text editor to open your CSR file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in to the request form in the area provided.
The support section of the DigiCert website has a number of support articles to answer any questions you have about creating a CSR.
If you want a simple way to create a CSR that works on any Microsoft server platform, then use the DigiCert® Certificate Utility for Windows. See CSR Creation Instructions for Microsoft Servers.
In the drop-down list, select the domain name that you want to use for the duplicate certificate.
Select the server on which the CSR was generated.
Add a comment about why you are reissuing the certificate (e.g., removing internal names form the certificate).
Check Use a SHA-2 signature hash algorithm.
When you are finished, click Request Duplicate.
Install your reissued certificate(s) on your server(s) along with any additional intermediate certificates they require.
The support section of our website has articles to answer any questions you have about installing certificates in your environment.
If you are using the DigiCert® Certificate Utility for Windows, you can install your certificate with just a few clicks. See SSL Certificate Importing Instructions: DigiCert Certificate Utility.
Note: To mitigate name mismatch errors, you need to do the steps in a specific order. For example, if you use DigiCert’s Internal Names tool to reconfigure your Exchange servers, you need to install the certificate and then reconfigure. Depending on your servers' requirements, you may need to install the certificates after you reconfigure your environment.
You need to reconfigure your servers and environment to use a publicly registered domain name.
After selecting the publicly registered domain name, you must reconfigure your servers so that the internal names are no longer required.For Exchange servers, see our blog Replace Your Certificates for Internal Names – Part II. In Apache, this may just involve updating the ServerName in your configuration. We'll cover some common reconfigurations in future blog posts.
After you've reconfigured your servers, you may need to reconfigure parts of your environment so that the internal names are no longer required. The most common environmental change would be to reconfigure your internal DNS server. For example, you may need to set up DNS records to resolve the external domain names to the internal IP addresses of your private servers so internal users can still access them.Let's say you had a certificate issued to an internal name, such as server01, that resolved to private IP address 192.168.0.1. To secure that connection with a certificate issued to a public domain name, you would need to configure the server to use a registered domain name, like server01.yourdomain.com. You would then set up an internal DNS record to resolve server01.yourdomain.com to the internal IP address 192.168.0.1.
Other environmental changes may include reconfiguring firewalls, proxy servers, load balancers, or other network appliances and devices set up to use the internal name.
The last step is to test your website and make sure the certificates are installed correctly and working properly. You can use DigiCert Certificate Inspector to find any problems with installation and to ensure your servers are configured correctly.