Deprecation of SSL certificates securing internal domains: why, when and what to do


From the 31st October 2015, SSL certificates will be unable to secure local domains, internal IPs and server names. However, SSL247® is offering a FREE solution* to keep your internal domain names secured:

  • Rename your local domains (.local, .lac, .loc) for free
  • As a result of the renamed domain**, your internal services stay secured.
    (Offer is subject to purchasing an SSL certificate with a minimum duration of 3 years***)

At SSL247® we understand your concerns regarding the transition, especially if you use applications from Microsoft like Exchange. To address these concerns, SSL247® has a process in place for 2007-2010 versions of Microsoft Exchange. For alternative types of servers, please contact your account manager who will be able to assist you throughout the process.

* For security concerns related to Microsoft Exchange versions 2007-2010, SSL247® already has a process in place to immediately provide advice. For alternative types of servers, please contact your account manager, who will be able to assist you through the process.

**The free domain name requested cannot already be in use (excluding transfer, renewal, and premium domain names). Extensions offered by SSL247® include (dependent on country) .com, .org and .net.

***Offer is valid for all Symantec, GlobalSign, GeoTrust, and Thawte branded SSL certificates which are purchased from SSL247® with a minimum duration of three years.

Why SSL certificates will no longer secure internal domains, internal IPs, or server names.

One reason for the deprecation is the launch of hundreds of new gTLDs, which increased the risk of name collision between internal and public domains. However, the CA/Browser Forum’s internal domain deprecation guide claims the decision was primarily motivated by the potential security issues caused by internal domain SSL certificates:

“Because non‐unique names cannot be meaningfully validated in the context of the public Internet, and because of the potential for malicious misuse of such certificates, the CA/Browser Forum has decided to cease issuing them after a grace period to allow affected users to transition away from them.”

In short, the decision to deprecate the issuance of SSL certificates for internal needs was made to combat MITM (Man in the Middle) attacks inside private networks. Internal domain names, IPs and server names cannot be vetted during the issuance process, and therefore should no longer be used. Unfortunately, a major underlying issue remains: what should you do if your network infrastructure relies on local domain names, IPs and servers?
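A first step is knowing which of your existing certificates are affected. The following is an added example, not code from the original post or from SSL247®: a Python sketch that takes the subject alternative names listed on a certificate and flags the entries that fall under this deprecation. The suffix list reuses the extensions named above; the function names and the sample SAN list are constructed for illustration.

```python
import ipaddress

# Suffixes named on this page as typical local domains. Extend this set
# to match your own internal naming (assumption: yours may differ).
INTERNAL_SUFFIXES = {"local", "lac", "loc"}


def classify_san(entry):
    """Classify one SAN entry.

    Returns 'internal-ip', 'public-ip', 'internal-name' or 'public-name'.
    """
    value = entry.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        pass  # not an IP literal, treat it as a DNS name below
    else:
        # Private, loopback, link-local and other reserved ranges are
        # not globally routable, so nobody can prove exclusive control.
        return "public-ip" if ip.is_global else "internal-ip"

    labels = value.split(".")
    if len(labels) == 1:
        return "internal-name"      # bare server name such as "exch01"
    if labels[-1] in INTERNAL_SUFFIXES:
        return "internal-name"      # e.g. "exch01.corp.local"
    # Only means "not on our internal list"; a stricter audit would also
    # check the suffix against the IANA root zone.
    return "public-name"


def flag_internal(sans):
    """Return (entry, reason) pairs for every SAN that needs replacing."""
    flagged = []
    for san in sans:
        kind = classify_san(san)
        if kind.startswith("internal"):
            flagged.append((san, kind))
    return flagged


# Constructed sample: SANs as they might appear on an Exchange certificate.
SAMPLE_SANS = ["mail.example.com", "exch01", "exch01.corp.local",
               "*.branch.loc", "10.0.0.25", "fd00::25"]

if __name__ == "__main__":
    for san, kind in flag_internal(SAMPLE_SANS):
        print(f"{san:22} {kind}")
```

Every flagged entry is a name that either needs to move to a registered domain or be served by a certificate that does not come from a public CA.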

If you have any questions, feel free to contact one of our accredited experts to find out more.

    0204 519 2097 (London Office)

Posted on Tuesday 22 September 2015 by Méline Keoxay
