Secure Non-Registered Domains with New Private SSL Certificates

Bruce Morton

Do you own SSL certificates that protect non-registered domains? And what exactly is a non-registered domain?

Well, let’s first talk about registered domains. These are domains, such as example.com, whose root is registered under an approved top-level domain (TLD) through an online registry. Once you have example.com registered, you can then support Web servers such as www.example.com.

A non-registered domain name does not have a root domain that has been registered. Examples are:

  • Server host name only, such as bigserver
  • Server name with a non-approved TLD, such as bigserver.corp
  • Reserved IP address that cannot be registered

There are security issues with using a publicly trusted SSL certificate for a non-registered domain: such a name is not globally unique, so nothing ties it to a single organization. As such, the CA/Browser Forum has deprecated these certificates and requires CAs to do the following:

  • Stop issuing publicly trusted certificates with non-registered domain names by November 1, 2015
  • Revoke all publicly trusted certificates with non-registered domain names by October 1, 2016
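As an added example (not Entrust’s code, and not part of the original post), the following Python script classifies the entries of a certificate’s subjectAltName against the three kinds of non-registered name listed above, so you can find which of your certificates are affected by the deprecation before the revocation date. It assumes the SAN line is in the comma-separated form printed by `openssl x509 -noout -ext subjectAltName` (`DNS:..., IP Address:...`), it uses a small illustrative subset of public TLDs in place of the full IANA list, and the sample SAN line is constructed for illustration.

```python
"""Audit subjectAltName entries for non-registered (internal) names.

Added example, not Entrust code. Input is the comma-separated SAN line as
printed by `openssl x509 -noout -ext subjectAltName` (assumed format:
"DNS:www.example.com, IP Address:10.0.0.5").
"""
import ipaddress
import re

# Illustrative subset only. For a real audit, load the full IANA list from
# https://data.iana.org/TLD/tlds-alpha-by-domain.txt instead of this set.
APPROVED_TLDS = {"com", "net", "org", "edu", "gov", "uk", "ca", "de", "io"}

# One SAN entry: "DNS:name", "IP Address:addr" (or the short "IP:addr").
SAN_ENTRY = re.compile(r"^\s*(?P<type>DNS|IP Address|IP):\s*(?P<value>\S+)\s*$")


def parse_san_line(line):
    """Split 'DNS:a, IP Address:b' into [('DNS', 'a'), ('IP Address', 'b')]."""
    entries = []
    for part in line.split(","):
        part = part.strip()
        if not part:
            continue
        match = SAN_ENTRY.match(part)
        if not match:
            raise ValueError("unrecognized SAN entry: %r" % part)
        entries.append((match.group("type"), match.group("value")))
    return entries


def classify(kind, value):
    """Return 'registered' or a short reason why the name is non-registered."""
    if kind != "DNS":
        # IP address entry: reserved/private ranges can never be registered.
        addr = ipaddress.ip_address(value)
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_unspecified):
            return "reserved IP address"
        return "registered"
    labels = value.lower().rstrip(".").split(".")
    if len(labels) == 1:
        # Bare host name such as "bigserver": no domain at all.
        return "host name only (no domain)"
    tld = labels[-1]
    if tld not in APPROVED_TLDS:
        # Name under a TLD that is not delegated, such as "bigserver.corp".
        return "non-approved TLD .%s" % tld
    return "registered"


def audit(san_line):
    """Return [(value, verdict), ...] for every entry in the SAN line."""
    return [(value, classify(kind, value)) for kind, value in parse_san_line(san_line)]


def non_registered(san_line):
    """Return only the SAN values that a public CA can no longer certify."""
    return [value for value, verdict in audit(san_line) if verdict != "registered"]


# Constructed sample SAN line mixing registered and non-registered names.
SAMPLE_SAN = ("DNS:www.example.com, DNS:bigserver, DNS:bigserver.corp, "
              "DNS:*.example.com, IP Address:10.0.0.5, IP Address:FD00::1")

if __name__ == "__main__":
    for value, verdict in audit(SAMPLE_SAN):
        print("%-20s %s" % (value, verdict))
```

Run it against the SAN line of each certificate in your inventory; every name that comes back as anything other than "registered" has to be moved to an FQDN or reissued from a private CA. A public IP address is reported as "registered" here only because it is not in a reserved range; it still must not appear in a certificate unless the CA has verified your control of it.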

There are two recommended solutions:

  1. Switch your certificates to only use fully qualified domain names (FQDNs)
  2. Issue your certificates from a privately trusted CA

Entrust can assist with both.

Planning to use only FQDNs could be a wise decision. The advantage is that root certificates, which the trust is based upon, are delivered by the operating system or the browser. You don’t need to worry about root certificate distribution.

The disadvantage is that changing domain names could take an extended period of time, since the names may even be hard coded into your application software.

Using privately trusted SSL certificates would enable you to continue to use the non-registered domain names you currently have, but you will need to also distribute the root certificate.

Entrust is launching Private SSL Certificates that will provide the following:

  • Non-registered domains – Each non-registered domain will be registered with Entrust for one customer only, so no other customer can obtain a certificate for the same name. This mitigates the security issues described above.
  • Registered domains – Certificates will also be allowed to include names that you have registered
  • Multiple domain names – Certificates will support one or more domain names
  • Unlimited server licensing and reissues – Certificates can be placed on more than one server and can be reissued as required
  • Same features as our FQDN certificates – Certificates will require the same key size, signing algorithm, validity period and CA protection as all of the other certificates Entrust issues

We’ll release additional information about Entrust Private SSL Certificates as we get closer to availability. If you’d like to know more right away, feel free to contact your Entrust Certificate Services sales representative directly or call 1-866-267-9297.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
