Rules for issuing SSL certificates have been tightened
Since 1 July, stricter rules apply to the issuance of SSL certificates. Certificates for internal domain names are now issued only with a limited validity period, and certificates that include organisation details are validated by telephone.
The new guidelines, effective Sunday 1 July 2012, were drawn up by the CA/Browser Forum, an industry body of certificate authorities and browser vendors. One of the stricter rules concerns certificates that carry organisation details (organisation-validated certificates). Such certificates must from now on always be validated by telephone, a step that was previously required only for so-called EV certificates, which turn the address bar green.
Under the new validation procedure, the certificate authority or the reseller of the certificate contacts the applicant by telephone. It uses a general telephone number for the organisation that was obtained independently of the request, for example the number listed in the Chamber of Commerce register. The applicant must then confirm that the request is genuine. The check is meant to verify that the certificate is issued to the right party and thereby to reduce the risk of misuse of SSL certificates.
As of 1 July, certificate authorities no longer issue SSL certificates for internal domain names with an expiry date after 1 November 2015. Because Exchange servers in particular can run into problems when such certificates expire, .local certificates can still be requested for the time being, provided they expire before 1 November 2015. Furthermore, on 1 October 2016 the certificate authorities will revoke all certificates with internal domain names that are still valid on that date; in practice these are certificates issued before 1 July 2012, since anything issued later cannot outlive 1 November 2015.
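The following is an added example, not code from the article or from the CA/Browser Forum, that applies the rules above to a certificate's names and validity dates. It classifies each CN or SAN value as internal (an unqualified host name, a name under a suffix that is not delegated in the public DNS such as .local, or a reserved IP address) and then reports whether a CA had to refuse the request and when the certificate gets revoked. The list of non-public suffixes is an assumption for illustration; a real audit should test resolvability against the public DNS root instead of a fixed list.

```python
import ipaddress
from datetime import date

# Dates taken from the rules described in the article.
RULES_EFFECTIVE = date(2012, 7, 1)      # new rules in force
MAX_INTERNAL_EXPIRY = date(2015, 11, 1)  # internal-name certs may not expire after this
REVOCATION_DATE = date(2016, 10, 1)      # remaining internal-name certs are revoked

# Assumption: a short, constructed list of suffixes that are not delegated in
# the public DNS root. Production code should check the IANA root zone instead.
NON_PUBLIC_SUFFIXES = {
    "local", "localhost", "internal", "intranet", "corp", "lan", "home",
    "private", "example", "test", "invalid",
}


def is_reserved_ip(value: str) -> bool:
    """True if value is an IP literal in a reserved range (RFC 1918, loopback, link-local, ...)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_internal_name(name: str) -> bool:
    """Classify one CN or SAN value as an internal server name / reserved IP address."""
    n = name.strip().rstrip(".").lower()
    if n.startswith("*."):            # wildcard: judge the remaining labels
        n = n[2:]
    if not n:
        return True                   # an empty name identifies nothing public
    try:
        ipaddress.ip_address(n)
        return is_reserved_ip(n)      # IP literal: internal only if reserved
    except ValueError:
        pass
    if "." not in n:
        return True                   # unqualified host name such as "exchange01"
    return n.rsplit(".", 1)[1] in NON_PUBLIC_SUFFIXES


def audit_certificate(names, issued: date, not_after: date) -> dict:
    """Apply the 1 July 2012 rules to one certificate.

    names:     CN plus all subjectAltName values
    issued:    notBefore date
    not_after: notAfter date
    Returns the internal names found, whether the CA had to refuse the
    request, and the date on which an issued certificate is revoked.
    """
    internal = [n for n in names if is_internal_name(n)]
    result = {"internal_names": internal, "refuse": False, "revoke_on": None}
    if not internal:
        return result
    if issued >= RULES_EFFECTIVE and not_after > MAX_INTERNAL_EXPIRY:
        result["refuse"] = True       # may not be issued under the new rules
        return result
    if not_after >= REVOCATION_DATE:  # still valid on 1 Oct 2016 -> revoked that day
        result["revoke_on"] = REVOCATION_DATE
    return result


if __name__ == "__main__":
    # Constructed sample: a typical Exchange certificate mixing public and internal names.
    exchange_names = ["mail.example.com", "exchange01", "exchange01.corp.local", "10.0.0.5"]
    print(audit_certificate(exchange_names, date(2012, 8, 1), date(2015, 8, 1)))
    print(audit_certificate(exchange_names, date(2012, 8, 1), date(2017, 8, 1)))
    print(audit_certificate(exchange_names, date(2011, 6, 1), date(2016, 12, 1)))
```

The function deliberately treats a bare IP literal as internal only when it falls in a reserved range, so a certificate for a public address passes while one for 10.0.0.5 or fe80::1 is flagged.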
The stricter rules were introduced partly under pressure from the browser makers Mozilla and Microsoft. They argue that certificates for internal names such as .local are insecure because such a name does not identify a unique host: the same name exists on many separate networks, so a certificate issued for it can be presented on any of them, including by an attacker intercepting traffic. An EFF survey last year found tens of thousands of such certificates in circulation that are valid for names in a local domain.