Does IT Management Suite support third-party SSL/TLS certificates for .local (internal) domains?

Article ID: 176390


Products

IT Management Suite

Issue/Introduction

Does IT Management Suite support third-party SSL/TLS certificates for .local (internal) domains?

Environment

IT Management Suite (ITMS) All Versions 8.6.x & 8.7.x

Cause

"On November 22, 2011, the CA/Browser Forum adopted “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates, Version 1.0” (hereafter referred to as the “BR 1.0”) to take effect on July 1, 2012. As part of these requirements, Section 9.2.1 indicates:

"As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a Subject Alternative Name (SAN) extension or Subject Common Name field containing a Reserved IP Address or Internal Server Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016.

"Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a SAN or Subject Common Name field containing a Reserved IP Address or Internal Server Name.

"Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose SAN or Subject Common Name field contains a Reserved IP Address or Internal Server Name." 

Source: https://cabforum.org/wp-content/uploads/Guidance-Deprecated-Internal-Names.pdf

What is an Internal Name?

"An internal name is a domain or IP address that is part of a private network. Common examples of internal names are:

  • Any server name with a non-public domain name suffix. For example, www.companyname.local or server1.companyname.internal.
  • NetBIOS names or short hostnames, anything without a public domain. For example, Web1, ExchCAS1, or Frodo.
  • Any IPv4 address in the RFC 1918 range.
  • Any IPv6 address in the RFC 4193 range."

Source: https://www.digicert.com/internal-names.htm
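
The categories above can be checked mechanically against the CN and SAN values of a certificate request before it is sent to a public CA. The following Python code is an added example, not part of the original article or of ITMS; the function names, the sample list and the two-entry suffix set (taken from the examples quoted above) are assumptions made for illustration.

```python
import ipaddress

# Private ranges named in the quoted list: RFC 1918 (IPv4) and RFC 4193 (IPv6).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")

# Assumption: only the two suffixes the article uses as examples. A production
# check would instead test the last label against the IANA root zone list.
NON_PUBLIC_SUFFIXES = {"local", "internal"}


def classify_name(entry):
    """Return why `entry` is an internal name, or None if it is not one."""
    value = entry.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 4 and any(addr in net for net in RFC1918):
            return "RFC 1918 IPv4 address"
        if addr.version == 6 and addr in RFC4193:
            return "RFC 4193 IPv6 address"
        return None
    # Wildcard entries are judged by the domain they cover.
    if value.startswith("*."):
        value = value[2:]
    labels = value.split(".")
    if len(labels) == 1:
        return "short hostname / NetBIOS name"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return "non-public suffix ." + labels[-1]
    return None


def internal_names(entries):
    """Map each internal name in a CN/SAN list to the reason it was flagged."""
    return {e: r for e in entries if (r := classify_name(e))}


# Constructed sample: CN and SAN values of a hypothetical certificate request.
SAMPLE = ["nsserver.example.com", "www.companyname.local", "Web1",
          "10.20.30.40", "172.32.0.1", "fd12:3456:789a::1",
          "*.companyname.internal"]

if __name__ == "__main__":
    for name, reason in internal_names(SAMPLE).items():
        print(f"{name}: {reason}")
```

Any entry the function flags would have to be renamed to a registered public domain name, or the certificate issued by a self-signed or enterprise CA instead.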

Resolution

ITMS does not support third-party SSL/TLS certificates for .local (internal) domains.

You should migrate to registered public domain names.

Workarounds

  • Use ITMS to create a self-signed certificate
  • Set up and run your own enterprise CA