Issuance of New ICANN Generic Top-Level Domains Invalidates Many SSL Certificates with Internal Names

In June 2011, ICANN approved the New Generic Top-Level Domain Program (gTLD) which allows organizations, individuals, and governments to apply for top level namespaces. Previously, there were roughly two dozen generic Top-Level Domains (TLDs) such as .com, .net, and .org, as well as numerous country-specific TLDs. Once TLDs are approved, Certificate Authorities (CAs) will no longer be able to issue certificates for them—except to their verified registrants—and existing certificates for those names will be revoked. These changes will impact all SSL Certificates issued to the affected internal names, regardless of what CA issued the certificate.

To help our customers adjust to this change, DigiCert developed a free Internal Name Tool for Microsoft Exchange that makes it fast and easy to switch to public domain names.

Background

Historically, domain owners could use a wide variety of non-registered TLDs for internal sites on their networks. Suffixes such as .corp, .mail, and .site are examples of commonly used internal names that have been applied for as gTLDs. Once ICANN approves these names they will become resolvable in the public DNS, and parties will need to stop using them on internal networks to avoid collisions. The validation process for SSL Certificates ensures that only the owner of a domain name can acquire certificates for that name. Thus, these Top-Level Domains will not be eligible for certificates except to entities that are authorized registrants. Existing certificates with these names—unless the certificate's subject registers the domain prior to the revocation deadline—will be revoked.

In addition to this change by ICANN, in November 2011 the CA/Browser Forum (CA/B) adopted Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates that phases out the issuance of new certificates using internal names. Details of that decision and its impact can be seen on our page about internal name SSL Certificates. These baseline requirements have also been adopted into global auditing standards such as the WebTrust and ETSI standards for Certificate Authorities (CAs).

Which New gTLDs Will be Approved?

The following commonly-used generic Top-Level Domains may be approved:

  • .corp
  • .mail
  • .site
  • .email
  • .dev
  • .network
  • .prod
  • .web
  • .home
  • .new

For a full list, please see ICANN's list of names requested for approval.

What Does This Mean for You?

Admins managing SSL Certificates registered to certain local names will need to re-configure their servers to only use public names. Internal connections that require a publicly-trusted certificate must use registered domain names. Only registrars and registrants obtaining a domain name from the official registrars of the new gTLDs will be able to request certificates for the affected top-level domains.

Reconfigure Applications to Use External Names

The best practice is to avoid using internal names on your network since additional gTLDs may be approved starting this year. Furthermore, the CA/B Forum’s Baseline Requirements prevent CAs from issuing internal name certificates that expire after November 1, 2015, regardless of whether you are immediately impacted by the new changes implemented by ICANN.

Because DigiCert issues quite a few SSL Certificates for Microsoft Exchange, we provide a free Internal Name Tool for Microsoft Exchange that lets you check your configuration and start working around potential issues created by the release of new gTLDs. You can use this tool to reconfigure Exchange's Autodiscover service and SCPs to use public names on your network. You can also complete the process manually by following the instructions on this page.
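The following audit script is an added example, not DigiCert's Internal Name Tool or any Exchange component; it assumes it is run from the Exchange Management Shell and uses the candidate gTLD list from this article (the $AffectedTlds array is an assumption you should extend as ICANN publishes approvals). It lists certificate names and Autodiscover/virtual-directory URLs that would stop being eligible for a publicly-trusted certificate.

```powershell
# Added audit script (not DigiCert's tool). Run in the Exchange Management Shell.
# Flags names whose top-level label is one of the gTLDs named above, bare IPs,
# and single-label hostnames, none of which a public CA can certify.

# Candidate gTLDs from the list above (assumed list; extend as needed).
$AffectedTlds = @('corp','mail','site','email','dev','network','prod','web','home','new')

function Test-InternalName {
    param([Parameter(Mandatory)][string]$Name)
    $n = $Name.Trim().TrimEnd('.').ToLowerInvariant()
    if ($n -eq '') { return $false }
    if ($n -notmatch '\.') { return $true }                       # e.g. "mailserver"
    if ($n -match '^\d{1,3}(\.\d{1,3}){3}$') { return $true }     # bare IPv4 address
    $tld = $n.Split('.')[-1]
    return ($AffectedTlds -contains $tld)
}

function Get-UriHost {
    param([string]$Uri)
    if ([string]::IsNullOrWhiteSpace($Uri)) { return $null }
    try { return ([System.Uri]$Uri).Host } catch { return $null }
}

# 1. Names on certificates currently installed on this Exchange server
foreach ($cert in Get-ExchangeCertificate) {
    foreach ($dom in $cert.CertificateDomains) {
        if (Test-InternalName $dom) {
            [pscustomobject]@{ Source = "Certificate $($cert.Thumbprint)"; Name = "$dom" }
        }
    }
}

# 2. Autodiscover SCP and internal URLs that LAN clients resolve
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object {
    [pscustomobject]@{ Source = "SCP $($_.Name)"; Url = "$($_.AutoDiscoverServiceInternalUri)" } }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object {
    [pscustomobject]@{ Source = "EWS $($_.Server)"; Url = "$($_.InternalUrl)" } }
$urls += Get-OabVirtualDirectory | ForEach-Object {
    [pscustomobject]@{ Source = "OAB $($_.Server)"; Url = "$($_.InternalUrl)" } }
$urls += Get-ActiveSyncVirtualDirectory | ForEach-Object {
    [pscustomobject]@{ Source = "EAS $($_.Server)"; Url = "$($_.InternalUrl)" } }

foreach ($u in $urls) {
    $h = Get-UriHost $u.Url
    if ($h -and (Test-InternalName $h)) {
        [pscustomobject]@{ Source = $u.Source; Name = $h }
    }
}
```

Every row the script emits is a name to replace with a registered public name (for example via Set-ClientAccessServer -AutoDiscoverServiceInternalUri) before requesting a new certificate.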

We're Here to Help

If you are uncertain whether your current SSL Certificates are going to be affected by this change, feel free to contact DigiCert Support. While we have no control over which new domains ICANN enables, we can help you navigate these changes to your SSL Certificates.