Posted The Transition from Non-FQDN Server Names on Blog
The CA/Browser Forum is an unincorporated association of separate organizations that creates the guidelines that apply to all SSL certificate and browser providers. Since the effective date of 1 July 2012, Symantec has been notifying customers about certificates with a SAN or Common Name (CN) field that contains a Reserved IP Address or Internal Server Name, because these are being phased out under CA/Browser Forum standards.
This one particular standard has some customers in a bind when renewing or enrolling into a CA signed SSL certificate. Below is the Standard.
9.2.1 Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name.
(More information about the CA/B Forum Baseline Requirements can be found at cabforum.org)
This standard means SSL certificates can only be issued to Fully Qualified Domain Names (FQDN) and can no longer be issued to non-valid internal names.
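One way to find affected certificates in an inventory, added here as an example (not Symantec's or the CA/Browser Forum's code): it classifies each CN and SAN value as an FQDN, a public IP, an Internal Name or a Reserved IP Address. The suffix list, the sample names and addresses, and the choice to treat every non-globally-routable address as reserved are assumptions made for illustration.

```python
import ipaddress

# Assumption: a small, illustrative set of suffixes that are not delegated in
# the public DNS. A real audit should check against the current IANA root zone.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "lan", "corp",
                       "home", "test", "example", "invalid"}


def classify_entry(value):
    """Return "reserved-ip", "public-ip", "internal-name" or "fqdn"."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # Anything not globally routable (RFC 1918, loopback, link-local,
        # shared address space, ...) is treated as a Reserved IP Address.
        return "public-ip" if ip.is_global else "reserved-ip"

    name = value.lower().rstrip(".")
    if name.startswith("*."):          # wildcard FQDNs are permitted
        name = name[2:]
    labels = name.split(".")
    # A single label ("exchange01") or a non-public suffix ("srv.corp.local")
    # cannot be validated as a Fully-Qualified Domain Name.
    if len(labels) < 2 or "" in labels or labels[-1] in NON_PUBLIC_SUFFIXES:
        return "internal-name"
    return "fqdn"


def audit_certificate(common_name, san_entries):
    """Return the CN/SAN values that the requirement above phases out."""
    flagged = {}
    for value in [common_name, *san_entries]:
        kind = classify_entry(value)
        if kind in ("reserved-ip", "internal-name"):
            flagged[value] = kind
    return flagged


# Constructed sample certificate fields, for illustration only.
SAMPLE_CN = "mail.example.com"
SAMPLE_SAN = ["mail.example.com", "*.shop.example.com", "exchange01",
              "exchange01.corp.local", "10.0.0.5", "192.168.1.20", "8.8.8.8"]

if __name__ == "__main__":
    for value, kind in audit_certificate(SAMPLE_CN, SAMPLE_SAN).items():
        print(f"{kind:14} {value}")
```

Any certificate for which `audit_certificate` returns a non-empty result needs its internal entries moved to a registered FQDN or to a privately trusted CA before renewal.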
In response to this change, customers have to take two main courses of action:
To help our customers avoid the dangers of a self-signed CA, Symantec is now offering the Private CA.
The Symantec Private CA ensures:
This is offered through the Managed PKI for SSL Account. Use the same console to manage external as well as internal certificates. Ask your account manager for more details! More detailed information on the Symantec Private CA can be found at www.Symantec.com/private-ssl
Mar 07 2018, 9:10 AM
Posted Website Security Solutions - Authentication Services: Understanding The Authentication behind getting a SSL Certificate. on Blog
Within Authentication Services there are three types of SSL certificates. These SSL certificates each contain different features and authentication that are required in order to be issued. Understanding these differences can help you in knowing what you need to prepare for in order to get the certificate issued as fast as possible.
The Three Types Are:
Extended Validation (EV) SSL
A premium business class SSL security product fully authenticated, visually confirming the highest level of authentication available among SSL certificates. It gives your customers two highly visible ways to confirm that your web site is secure—the green address bar and the True Site Seal, while providing strong encryption to protect their confidential information.
Organization Validation (OV) SSL
A fully authenticated certificate that lets your customers know that your site is trustworthy, comes from a validated company, and that you take their security seriously enough to get your SSL from a security company. For an affordable price, you can secure your website's domain and display standard information regarding your organization on the certificate and with the True Site Seal, while providing strong encryption to protect their confidential information.
Domain Validation (DV) SSL
It is the quickest way for you to get a certificate for your domain. It will not include any information about your company nor its location. With an automatic authentication and issuance process, it takes just minutes to get your certificate due to no Organization Validation. It is an inexpensive SSL that is fast and convenient.
Compare SSL Certificates:
What Authentication does in order to validate a certificate....
What exactly is required to get a DV level certificate?
This is an automated process in which an e-mail is sent to the contact found through a Whois lookup for the domain that the certificate was enrolled for. You will also have the option to select admin@, administrator@, hostmaster@, postmaster@ or webmaster@ for this confirmation e-mail. Once the e-mail is received, it is just a matter of approving the order. That's it: your certificate is issued within minutes.
What exactly is required to get an OV level certificate?
The validation process typically takes 1-2 business days. During this time, the Authentication team must perform the following steps to validate your certificate order with independent, third-party sources:
What exactly is required to get an EV level certificate?
EV certificates have a more rigorous authentication process than OV level certificates. If all the information on the order is accurate and the information that Authentication requires is readily available, then an EV certificate can be issued in little time.
Authentication must be able to confirm all of the following organizational registration requirements:
Domain Authentication Requirements:
To qualify for an Extended Validation SSL Certificate, domain registration details must reflect the full Organization name as included in the Certificate Signing Request (CSR). Where domain registration does not reflect the organization name as identified in the certificate request, positive confirmation of the Organization's exclusive right to use the domain name is required from the registered domain administrator or via a Lawyer Opinion Letter.
Organization's Certificate Approver (Corporate Contact) Authentication Requirements:
To qualify for an Extended Validation SSL Certificate, the Certificate Approver identified in the certificate request must be employed by the requesting organization and have appropriate authority to obtain and delegate Extended Validation certificate responsibilities.
Authentication must be able to confirm all of the following about the Certificate Approver:
Order Verification Requirements:
Authentication must verify the Certificate Signing Request and all certificate details with the Certificate Approver identified in the certificate order. Authentication must contact the Certificate Approver using an independently-verified telephone number.
This telephone number is obtained through one of the following methods:
Additional Verification requirements:
If Authentication is unable to verify any of the required information on your certificate application, they may request you to provide a Professional opinion from a lawyer or accountant to verify the information.
When it comes time for your organization to get a certificate, keep in mind the three different types (EV, OV and DV) and what it takes to be authenticated to receive them. Already knowing the three types and the validation procedures behind them will make it a smoother ride for you to get a certificate for your organization.
Mar 07 2018, 9:10 AM
Posted Understanding how Symantec's Vulnerability Assessment Scan service works on Blog
The Vulnerability Assessment (VA) scan is a service that performs a weekly scan for common entry points on the domain you enrolled with the purchase of certain SSL certificates.
If the scan finds any potential weakness within that domain that could threaten your online security if breached, an e-mail is sent informing the technical contact to pick up the results of the scan in a downloadable PDF report highlighting the most critical vulnerabilities, if any are found.
The Vulnerability Assessment scan is a service that is available for the following account types and products:
You may have lots of questions or may want to know more regarding the technicalities of the Vulnerability Assessment scan, such as...
The majority of your questions can be answered by visiting the Authentication Services knowledge base article Vulnerability FAQ. Other related articles regarding its technicalities can also be found by visiting the knowledge base article Vulnerability Basics.
Mar 07 2018, 9:10 AM