CA/Browser Forum Changes Will Break Many Existing Networks


We have a new winner of the “what were they thinking” award: the CA/Browser Forum has won this one by changing the way that certificates are issued. Normally such changes are not intrusive and are intended to ensure better security for users. In this case, however, the changes published in July of this year (and set to take effect in November 2015) will probably break a significant number of corporate networks, simply because the changes are in direct opposition to the best practices that Microsoft and many others have been recommending for years: the practice of separating internal and external domain names for security and identification. The CA/Browser Forum announced back in July that they are going to put an end to this practice by November 2015.

Now the CA/Browser Forum has decided to throw all of that out the window (no pun intended) and is refusing to issue certificates for internal server names. In their new baseline requirements they define an Internal Server Name as: “A Server Name (which may or may not include an Unregistered Domain Name) that is not resolvable using the public DNS.” So this means no more machine names and no more unregistered domain names. This will impact an extremely large number of networks due to the current practices that we discussed above. Now the interesting thing is that the CA/Browser Forum is claiming that this is being done for security. They feel that, since internal server naming conventions are often similar (there are a ton of servers named Server01 etc.) and .local is in common use, users could be fooled into connecting to the wrong server. The flaw in that line of thinking is that these servers are ALL on private networks with their own internal DNS systems. If I look up server01.domain.local, that name will not resolve on the public network; the internal DNS system will route me to the private IP that is associated with that server. If internal DNS systems are compromised, that is a completely different matter and one that has nothing to do with SSL certificates.

The CA/Browser Forum goes on to state:
“As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Server Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Server Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Server Name.”

The practical upshot of this is that the CA/Browser Forum wants you to use publicly resolvable domain names for all certificates issued by them. There are probably a large number of systems administrators looking forward to many long nights as they work to change their internal systems. Changing the domain name of an Active Directory domain is not an easy task (it is often better to create a new forest and domain and then migrate everything over), and it becomes more complicated if you have Exchange, Lync or other internal services that require certificates for proper communication. It is true that you can install Certificate Authority Services on your domain (and you should anyway) to handle typical internal certificate issuance, but there are many applications that will not allow you to alter the trusted Root Authority listing for certificate publishers. This means that your internal domain certificates will be rejected because the domain CA is not on the list of trusted publishers.
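As an added example (not part of the original post or of any CA's tooling), the following Python script flags which CN and SAN entries of a certificate fall under the Forum's “Internal Server Name” or “Reserved IP Address” definitions, so an administrator can inventory the certificates that will need replacing before the deadlines quoted above. It takes the SAN value line as printed by `openssl x509 -text`; the list of non-public suffixes is an assumption, a heuristic stand-in for “not resolvable using the public DNS”.

```python
import ipaddress
import re

# Assumption: suffixes that do not exist in the public DNS root. This is a
# heuristic, not an exhaustive list; the authoritative test is whether the
# name actually resolves in public DNS.
NON_PUBLIC_SUFFIXES = (".local", ".localdomain", ".lan", ".internal",
                       ".intranet", ".corp", ".home", ".private")

# Matches entries such as "DNS:host.example.com" or "IP Address:10.0.0.5"
SAN_ENTRY = re.compile(r"\s*(DNS|IP Address)\s*:\s*([^,]+)")


def is_reserved_ip(value: str) -> bool:
    """True for any IP literal that is not globally routable (RFC 1918,
    loopback, link-local, ...); False for public addresses or non-IP text."""
    try:
        return not ipaddress.ip_address(value.strip()).is_global
    except ValueError:
        return False


def is_internal_server_name(name: str) -> bool:
    """Heuristic for the Forum's 'Internal Server Name': an IP literal in a
    DNS field, an unqualified host name, or a name under a non-public suffix."""
    name = name.strip().lower().rstrip(".")
    if is_reserved_ip(name):       # e.g. a private IP placed in the CN
        return True
    if "." not in name:            # unqualified machine name such as SERVER01
        return True
    return name.endswith(NON_PUBLIC_SUFFIXES)


def parse_san_line(san_line: str) -> list:
    """Parse the value line under 'X509v3 Subject Alternative Name' in
    `openssl x509 -text` output into (type, value) pairs."""
    return [(kind, value.strip()) for kind, value in SAN_ENTRY.findall(san_line)]


def flag_names(common_name: str, san_line: str) -> dict:
    """Split the CN plus SAN entries into names a public CA will refuse
    under the new requirements ('internal') and names it will still accept."""
    entries = [("DNS", common_name)] + parse_san_line(san_line)
    result = {"internal": [], "public": []}
    for kind, value in entries:
        bad = is_reserved_ip(value) if kind == "IP Address" else is_internal_server_name(value)
        result["internal" if bad else "public"].append(value)
    return result


if __name__ == "__main__":
    # Constructed sample resembling a typical Exchange/Lync SAN certificate.
    cn = "mail.example.com"
    san = ("DNS:mail.example.com, DNS:autodiscover.example.com, DNS:SERVER01, "
           "DNS:server01.domain.local, IP Address:192.168.1.10")
    print(flag_names(cn, san))
```

Run it against each certificate in your inventory; anything listed under "internal" is a name that will have to move to a publicly registered domain or to an internal CA before renewal.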

So, since we know that security is NOT the real issue behind this, why did this group (which includes the majority of issuing authorities out there) make this decision? To be honest with you, we do not know why they would choose to do this when they acknowledge that separating internal and external servers and domains is the current practice. One theory is that they are making this overly complicated to help push people to use cloud services. After all, you can push email, communications and many other services into the cloud and not worry about internal certificates at all. This move is potentially less expensive in terms of time and money than completely reconfiguring a domain to support the new baseline requirements. If you let Microsoft, Google, Amazon or others worry about this, there is no need to buy certificates for your internal servers. You can simply install domain certificate services and issue them internally. Your domain CA will be trusted by systems on your internal network and you can use external services for everything else. This actually seems like it might be a fairly solid theory, as some of the companies on the CA/Browser Forum also have large cloud services, including Microsoft, Symantec, GoDaddy, Google, and more. However, we are not sure that we buy into this theory completely. It is certain that the changes are not for security, but exactly why the changes are being made we simply do not know yet.

We have asked VeriSign (now Symantec) and GoDaddy about these changes, and even after we explained how this move will not affect security they are still standing (somewhat uncomfortably) by the “improved security” line. In fact, our conversation with VeriSign became very awkward when we brought up the fact that requiring internal servers to be publicly resolvable was exceptionally insecure: the person we were talking to actually began to mumble and tried to back-track before recovering and sticking with the original statements about security. In the end, no matter what the reasons for this are, it is going to break a large number of networks unless they are completely reconfigured or they move into the cloud. You may also want to keep in mind that, although this goes into effect in 2015, Certificate Authorities are no longer issuing or renewing any certificates that use these names now. We attempted to call and purchase a new one-year certificate with a SAN that used a machine name and a .local domain name, and it was denied due to these new policies. So while existing certificates will keep things going, if you need to renew between now and November 2015 you could find yourself out of luck and working to rapidly change the naming of your domain and all of its services.

You can read the new baseline requirements here
