Retiring underscores in domain names

Industry set to retire underscores in domain names in public SSL certificates

With the passing of CA/Browser Forum Ballot SC12: Sunset of Underscores in DNSNames, the industry is retiring underscores ("_") in domain names in public SSL certificates. On January 14, 2019, your existing DigiCert certificates containing underscores will be revoked.

This ballot does not affect Private SSL certificates, nor does it affect other types of digital certificates such as Code Signing, Client, and so on.

Ballot SC12 sets some important dates for the retirement of underscores along with an important provision to help those with an urgent need to continue using underscores for a little bit longer. By May 1, 2019, industry standards mandate that Public SSL certificates must no longer secure domain names with underscores ("_").

Provision: 30-Day underscore certificates

For a limited time, CAs are allowed to issue public SSL certificates containing underscores ("_"). This provision is meant to provide you with some extra time to find a permanent migration solution.

However, there are specific guidelines in Ballot SC12 to make sure these certificates are compliant.

  • Maximum 30-day validity for public SSL certificates containing underscores in domain names.
  • All public SSL certificates containing underscores in domain names must be issued prior to April 1, 2019.
  • All public SSL certificates containing underscores in domain names must expire on or before April 31, 2019.
  • Underscores must not be in the base domain.
    "example_domain.com" is not allowed.
  • Underscores must not be in the left most domain label.
    "_example.domain.com" and "example_domain.example.com" are not allowed.

Wildcard Certificate Note: If the underscore is present in the left most domain label, use a wildcard certificate instead. A wildcard certificate for *.example.com secures example_domain.example.com and _example.domain.example.com.

For timelines and date specific information:

Underscore remidation options

The preferred solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. For situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain. For more information, see Underscores not allowed in FQDNs.

À propos de

DigiCert est le premier fournisseur mondial de certificats numériques à garantie élevée. Il propose des certificats SSL sûrs, des déploiements PKI managés et privés et des certificats pour appareils pour le marché émergent de l’Internet des objets. Depuis notre création il y a près de quinze ans, notre moteur a toujours été l’idée de trouver chaque jour de meilleures solutions. De meilleures solutions pour permettre les authentifications sur Internet. De meilleures solutions pour adapter nos services aux besoins de nos clients. Désormais, le talent et l’expérience de Symantec viennent suppléer notre héritage fait d’innovation pour trouver toujours de meilleures solutions qui permettent de faire avancer toute une industrie et de renforcer la confiance envers les identités et les interactions dans le numérique.

©2019 DigiCert, Inc. Tous droits réservés. DigiCert, et son logo sont des marques déposées de DigiCert, Inc. Symantec et Norton, ainsi que leurs logos respectifs, sont des marques déposées utilisées sous licence de Symantec Corporation. Les autres noms sont potentiellement des marques déposées de leurs propriétaires respectifs.