Retiring underscores in domain names

Industry set to retire underscores in domain names in public SSL certificates

With the passing of CA/Browser Forum Ballot SC12: Sunset of Underscores in DNSNames, the industry is retiring underscores ("_") in domain names in public SSL certificates. On January 14, 2019, your existing DigiCert certificates containing underscores will be revoked.

This ballot does not affect Private SSL certificates, nor does it affect other types of digital certificates such as Code Signing, Client, and so on.

Ballot SC12 sets some important dates for the retirement of underscores along with an important provision to help those with an urgent need to continue using underscores for a little bit longer. By May 1, 2019, industry standards mandate that Public SSL certificates must no longer secure domain names with underscores ("_").

Provision: 30-Day underscore certificates

For a limited time, CAs are allowed to issue public SSL certificates containing underscores ("_"). This provision is meant to provide you with some extra time to find a permanent migration solution.

However, there are specific guidelines in Ballot SC12 to make sure these certificates are compliant.

  • Maximum 30-day validity for public SSL certificates containing underscores in domain names.
  • All public SSL certificates containing underscores in domain names must be issued prior to April 1, 2019.
  • All public SSL certificates containing underscores in domain names must expire on or before April 31, 2019.
  • Underscores must not be in the base domain.
    "example_domain.com" is not allowed.
  • Underscores must not be in the left most domain label.
    "_example.domain.com" and "example_domain.example.com" are not allowed.

Wildcard Certificate Note: If the underscore is present in the left most domain label, use a wildcard certificate instead. A wildcard certificate for *.example.com secures example_domain.example.com and _example.domain.example.com.

For timelines and date specific information:

Underscore remidation options

The preferred solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. For situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain. For more information, see Underscores not allowed in FQDNs.

Sobre

A DigiCert é a provedora premium do mundo de certificados digitais de garantia: fornecendo implantações confiáveis de SSL e PKI gerenciada e particular, e certificados de dispositivos para o mercado emergente IoT. Desde a nossa fundação há quase quinze anos, temos sido impulsionados pela ideia de encontrar uma forma melhor. Uma melhor forma para fornecer autenticação na Internet. Uma melhor forma para personalizar soluções de acordo com as necessidades do nosso cliente. Agora, agregamos a experiência e talento da Symantec ao nosso legado de inovação para encontrarmos uma melhor forma de liderar a indústria e construirmos maior confiança em identidade e interações digitais.

©2019 DigiCert, Inc. Todos os direitos reservados. A DigiCert e seu logo são marcas registradas da DigiCert, Inc. Symantec e Norton e seus logos são marcas registradas usadas sob licença da Symantec Corporation. Outros nomes podem ser marcas registradas de seus respectivos donos.