
Server Certificates, Internal Names, and Browser support after October 2016

From: Jeffrey Walton <noloader@gmail.com>
Date: Sun, 1 Feb 2015 22:56:06 -0500
Message-ID: <CAH8yC8my4s5YKrhXU_oA2mPQsyt+vhOBuTR=nw8Py46iEs37OA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

According to the latest CA/B Baseline Requirements, section 9.2.1:

    As of the Effective Date of these Requirements, prior to the issuance
    of a Certificate with a subjectAlternativeName extension or Subject
    commonName field containing a Reserved IP Address or Internal
    Name, the CA SHALL notify the Applicant that the use of such
    Certificates has been deprecated by the CA / Browser Forum and
    that the practice will be eliminated by October 2016.

An Internal Name is a name like localhost, localhost.localdomain, and
www.example.private (for my company's private, internal domain of

I understand the CAs will stop issuing them in November, 2015; and the
Browsers will deprecate them in October, 2016.

My question: if I run an internal PKI and certify an internal name,
will the browser reject the certificate after October 2016?

Received on Monday, 2 February 2015 03:56:33 UTC
