Video Screencast Help
Website Security Solutions

Important changes to SSL certificates on intranets: what you need to know

Created: 19 Dec 2013 • 1 comment
Elliot_Samuels's picture
+5 5 Votes
Login to vote

If you use SSL certificates on intranet sites with internal server names, they may not work from 1 November 2015.

For companies with complex infrastructures, the change may be challenging but now is the time to start getting ready.If you use SSL certificates on intranet sites with internal server names, they may not work from 1 November 2015.

For companies with complex infrastructures, the change may be challenging but now is the time to start getting ready.

Local vs. global address

Imagine you have a server on your network. It may have an IP address that is resolvable on the internet, but it’s more likely to have an address that is only valid on the local network, such as 192.168.1.1. It is also likely to have a domain name that is only resolvable on the local network, such as https://intranet.local or https://mail.

Certification challenges

Without unique domain names that can be resolved in the context of the public internet, it is impossible for a Certification Authority to issue a trustworthy certificate.

After all, it would work for any server with that name and that creates a security risk. For this reason, the leading Certification Authorities, including Symantec, that make up the Certification Authority/Browser Forum (CA/B Forum) have decided to cease issuing certificates without a Fully Qualified Domain Name (FQDN).

Reducing your own risk

Eliminating this risk not only increases the trust in certificates but also reduces the risk of hackers obtaining certificates that validate a copycat internal address.

Currently cyber criminals are using compromised certificates to impersonate internal servers by either hacking into the corporate network, or by intercepting an intranet access request on a work device using public Wi-Fi. This in turn puts confidential company data at a high risk of exposure.

Alternatives

The CA/Browser Forum recommends the following possible alternatives:

·         Use a fully-qualified domain name certificate and DNS domain suffix search

·         Use an enterprise/private CA to issue and trust certificates for non‐unique names  

·         Manually provision trust in self‐signed certificates

·         Use Internet Protocol Security (IPsec)

But whichever route you choose, it’s important to make a plan as soon as possible so that you can continue to offer internal users secure, encrypted and authenticated websites and other services without interruption. If you are interested in a Symantec Private Certification Authority (CA) solution please let us know.

Comments 1 CommentJump to latest comment