SSL and .local and the cert issue .. still investigating

Background read here:
http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/

In 2015 the SSL certs will no longer accept a .local in the SAN request.

We are seeing this inside the SBS cert wizard (please note this has been tested on SBS 2011 standard and SBS 2008)

Here’s the SBS certificate wizard output:
—–BEGIN NEW CERTIFICATE REQUEST—–
MIIELTCCAxUCAQAwbzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQH
DAZGcmVzbm8xEDAOBgNVBAsMB1NCU1Rlc3QxEDAOBgNVBAoMB1NCU1Rlc3QxHjAc
BgNVBAMMFXJlbW90ZS5zbWFsbGJpemNvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMZWQMqbDNNMoXPLAXBzfMrXGQ5sIhhO19W9kHGj539vypEB
XzlOmB1Xk6LyuvtwWcsg3f5vRccSGNdFkND8gLDza0LnLasx4/W2Jm8qOcpPHhjF
mVJWxzVmydML6WZN1PF2vKhGXWvKcHi62JdESlTzuaayHJkZciF6rvlvcdIYGZI5
7fbjdwZjL1Q46ACOgHPKacyuOU99pETmvVj3By/7bQ1BfTrKQO+eAW6JlnO7N3PU
RWMNcGjzEXE7XpYB0vYJ+GrecJ26WCcQaZol0N/IugxJDp/lDtnXWhk274JNwb0I
57nVp2yhUcCKWqdsbGDpArAJC+55Yn/AB22M2DECAwEAAaCCAXcwGgYKKwYBBAGC
Nw0CAzEMFgo2LjEuNzYwMS4yMFIGCSsGAQQBgjcVFDFFMEMCAQUMG1NCU1RFU1RT
RVJWRVIuc2JzdGVzdC5sb2NhbAwQU0JTVEVTVFxTQlNBZG1pbgwPVHJ1c3RlZENl
cnQuZXhlMHQGCisGAQQBgjcNAgIxZjBkAgEBHlwATQBpAGMAcgBvAHMAbwBmAHQA
IABFAG4AaABhAG4AYwBlAGQAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAA
UAByAG8AdgBpAGQAZQByACAAdgAxAC4AMAMBADCBjgYJKoZIhvcNAQkOMYGAMH4wTQYDVR0RBEYwRIIOc21hbGxiaXpjby5jb22CFXJlbW90ZS5zbWFsbGJpemNvLmNv
bYIbU0JTVEVTVFNFUlZFUi5zYnN0ZXN0LmxvY2FsMB0GA1UdDgQWBBTtp0JB90G4
A0lq9Mrl2nUNW9YCvjAOBgNVHQ8BAf8EBAMCBSAwDQYJKoZIhvcNAQEFBQADggEB
AKI8HlAue2tRq6jJ20YafFeg3Qmh830lTben9FGgHUxsxaZZB6ewNmcRVg+u+fLP
g0PR9g27+q3YbN8SwdIQjX9c3/HzY8jbspgDJds3N4MPx+5O72up5G/YZlypDk+F
SclurtL1Kwuq23Pmz5XWloGSTo8RhssV8A6dQ7jggQhNSY3MeZ1GnNNlIj/j3zqL
IlcIiKlNbL3ObQLZCfCz4k+Q4OiQZXwRPyZ4b9XGHWq3O/Gp1B72gLuaYqJ3i5n8
McY7z2esBGli9n5mjEZrdaPCvV7at2FSXWJvWd5ohOhXY1yF6ZZpZ7ByXfJ5twN4
mOM4axM1ATKvI0CXHkIa+08=
—–END NEW CERTIFICATE REQUEST—–

Now take that ssl cert request and check it out here: http://certlogik.com/decoder/

As you can see there’s a very obvious .local in the SAN section

Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:smallbizco.com, DNS:remote.smallbizco.com, DNS:SBSTESTSERVER.sbstest.local


If you select a single domain (simple cheap) cert from godaddy it will ignore this SAN info and build a cert that doesn’t have a .local in the name. 


I’m checking to see if this impacts when you choose a UCC cert.  Please note this does NOT impact Windows 2012 Essentials as that cert request is different.  It’s for sure on SBS 2008/SBS 2011 standard.


Again, still investigating the long term impact, hang loose.


And as a ps google on cheap godaddy or 5.99 godaddy and you can usually hit an offer for a 5.99 ssl cert offer http://www.godaddy.com/?isc=iap32m

Comments are closed.

Post Navigation