Internal names

"The certificate's Common Name or Subject Alternative Names contains an internal name."

Problem

Industry standards prohibit Certificate Authorities (CAs) from issuing certificates to internal names (see SSL Certificates for Internal Server Names). An internal name is an IP address or domain name that belongs to a private network (see RFC 2606). Validation can't be completed for internal names because they can't be verified from outside that network.

Examples of internal names

  • Server names with any of these non-public domain suffixes:
    • .test
    • .example
    • .invalid
    • .localhost
    • .local
    • .internal
  • Anything without a public domain such as NetBIOS names or short hostnames, for example Web1, ExchCAS1, or Frodo
  • Any IPv4 address in the RFC 1918 range
  • Any IPv6 address in the RFC 4193 range

Additionally, non-unique internal names carry too much potential for malicious misuse. For example, suppose a CA issued a publicly-trusted certificate to a company for https://mail/. Because this name is not unique, anyone else could obtain an equally valid certificate for https://mail/ and use it on their own network.
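To catch these names before a request reaches a public CA, the following added example (not part of the original page) audits a list of CN/SAN values against the rules listed above: the non-public suffixes, bare short hostnames, RFC 1918 IPv4 and RFC 4193 IPv6 addresses. The sample name list is constructed for illustration.

```python
import ipaddress

# Non-public suffixes named on the page: RFC 2606 reserved TLDs plus .local and .internal
INTERNAL_SUFFIXES = ("test", "example", "invalid", "localhost", "local", "internal")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")


def classify_name(name):
    """Return why a CN/SAN value is an internal name, or None if it looks publicly verifiable."""
    n = name.strip().lower().rstrip(".")
    if not n:
        return "empty name"
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version == 4 and any(ip in net for net in RFC1918):
            return "IPv4 address in RFC 1918 range"
        if ip.version == 6 and ip in RFC4193:
            return "IPv6 address in RFC 4193 range"
        return None  # public IP literal: not an internal name by the page's definition
    labels = n.split(".")
    if len(labels) == 1:
        return "short hostname or NetBIOS name without a public domain"
    if labels[-1] in INTERNAL_SUFFIXES:
        return "non-public suffix ." + labels[-1]
    return None


def audit_names(names):
    """Map each internal name to the reason a public CA will refuse to validate it."""
    findings = {}
    for name in names:
        reason = classify_name(name)
        if reason is not None:
            findings[name] = reason
    return findings


# Constructed sample: a CN plus SAN entries as they might appear in a draft CSR.
SAMPLE_NAMES = ["www.example.com", "mail", "exchcas1.corp.local", "10.1.2.3", "fd12:3456::1", "203.0.113.10"]

if __name__ == "__main__":
    for name, reason in audit_names(SAMPLE_NAMES).items():
        print(name + ": " + reason)
```

Names that come back flagged need to move to a public, verifiable domain or to a certificate from an internal CA, as described under Solution.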

Solution

If you are a server admin using internal names, you need to either reconfigure those servers to use a public name, or switch to a certificate issued by an internal Certificate Authority. All internal connections that require a publicly-trusted certificate must use names that are public and verifiable (it doesn't matter whether the services behind those names are publicly accessible).

Depending on the applications in your environment, you may be able to reconfigure the application to not require internal names.