phasing out internal server names
One of these requirements is to rapidly phase out internal server names in SSL certificates from all publicly recognized certificate issuers.
The reason is to protect against Man-in-the-Middle (MITM) attacks, in which an attacker could impersonate an internal server using a publicly recognized SSL certificate.
FairSSL's recommendations for our customers
- When installing new systems, configure them without internal server names wherever possible, e.g. by using split DNS.
- Alternatively, use an internal CA in combination with a public SSL certificate. (We can assist with and advise on internal PKI solutions.)
Which server names are internal?
The following are some examples of internal server names. If a certificate contains one of these, it will no longer be accepted:
Full details about this and other requirements can be found in the requirements document CA/Browser Forum - Baseline Requirements - v1.0.
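To find certificates that would be affected by this rule before they are refused at renewal, the subjectAltName entries can be audited for internal names. The check below is an added example, not code from FairSSL or the requirements document; its classification rules (single-label hostnames, a short list of non-public suffixes, and IP literals that are not globally routable) are assumptions that approximate the Baseline Requirements' definitions, and the SAN list is constructed.

```python
import ipaddress
from typing import List, Tuple

# Assumed heuristic: the Baseline Requirements treat a name that is not
# resolvable in the public DNS as an Internal Server Name and an IANA-reserved
# address as a Reserved IP Address. These suffixes are common private
# namespaces and were not public TLDs; the list is illustrative, not complete.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "lan", "corp", "home",
                       "intranet", "private"}


def is_internal_name(name: str) -> Tuple[bool, str]:
    """Classify one subjectAltName entry; return (is_internal, reason)."""
    value = name.strip().lower().rstrip(".")
    if value.startswith("*."):
        value = value[2:]  # a wildcard is judged by its base domain
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # Private, loopback, link-local, documentation and other reserved
        # ranges are all non-global in the ipaddress module.
        if not ip.is_global:
            return True, f"reserved/private IP address {ip}"
        return False, "public IP address"
    labels = value.split(".")
    if len(labels) == 1:
        return True, "single-label hostname (no public domain)"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return True, f"non-public suffix .{labels[-1]}"
    return False, "looks like a public FQDN"


def audit_san(entries: List[str]) -> List[Tuple[str, str]]:
    """Return the SAN entries that would no longer be accepted, with reasons."""
    findings = []
    for entry in entries:
        internal, reason = is_internal_name(entry)
        if internal:
            findings.append((entry, reason))
    return findings


# Constructed SAN list of the kind found on a mixed internal/external cert.
SAMPLE_SAN = ["www.example.com", "*.example.com", "mailserver",
              "exchange01.corp.local", "10.0.0.5", "fe80::1"]

if __name__ == "__main__":
    for entry, reason in audit_san(SAMPLE_SAN):
        print(f"{entry}: {reason}")
```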