Deutscher Provider
Zertifikate mit “.local” werden noch ausgestellt. Ab November 2015 werden keine Zertifikate mehr mit “.local” ausgestellt und ab Oktober 2016 werden Zertifikate mit internen Adressen und privaten IPs (von Browsern) nicht mehr akzeptiert auch wenn die Zertifikate noch gültig sein sollten.
Amerikanischer Provider
As a result of this decision, on July 1, 2012, we no longer accept new requests, process rekeys or renewals, or allow any management of Subject Alternative Names for certificates that contain intranet names or reserved IP addresses, and are valid beyond November
“After November 1, 2015, Go Daddy will no longer provide SSL certificates without a fully-qualified domain name or IP address, such as ‘mail’, ‘intranet’, or 10.0.0.1.” and this link was included for more details:
The Internet security community is phasing out the use of intranet and reserved IP addresses as the Primary Domain Name or the Subject Alternative Name in SSL certificates.
This is an industry-wide decision, not one specific to our company.
An intranet name is any name that is not in the public Internet DNS (e.g.’server1′, ‘mail’, ‘www’, ‘server2.local’, etc.). A reserved IP address is any address designated by the Internet Assigned Numbers Authority (IANA) as being reserved.
To create a safer online environment, members of the Certificate Authorities Browser Forum (CA/Browser Forum) worked to define the guidelines and means of implementation of SSL Certificates. As a result of these meetings, effective on October 1, 2016, Certification Authorities (CAs) must revoke any SSL certificates that use intranet names or reserved IP Addresses.
1, 2015. If you have an existing certificate that contains an intranet name and/or a reserved IP address, you can continue to use that certificate until it expires or until October 1, 2016, whichever comes first.
The reason that is given for the change is that the internal server names are not unique and therefore easy to falsify. With common names like server01 or webmail, the end user is never sure if it is actually dealing with the right party or with a malicious.
The changing legislation for SSL Certificates shall start on 1 November 2015. This means, from that date, the invalid Fully-Qualified Domain Names (hereafter called FQDN) will no longer be accepted at the standard of the CA/Browser Forum and after that date such certificates may no longer be issued. All certificates issued after 1 November 2015 and meet this qualification will be revoked upon discovery.
Users who are requesting a certificate on an invalid FQDN with an expiration date after 1 November 2015 should remember that their certificates will be revoked after 1 November 2015. After this date, no SAN SSL Certificate with a reserved IP address or internal server name will be issued either.