Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2017-06-29 13:33:22.0

Can I issue a certificate using an IP Address or Internal Server Name?

Article Number: 70820


Yes, but only for Organizational Validated (OV) certificate types, and only for IP Addresses.

Extended Validation (EV) certificates may not be issued with the use of IP Addresses or Internal Server Names.

(Learn more below: Background - Ballot 144 - Extended Validation - How can I obtain a certificate for my Internal Server Name?)

Background

Subject Alternative Names (SANs) may be added to any non-standard SSL/TLS certificate. These are domain names that can be secured in addition to the primary domain name being secured by that certificate.

The regulations around the issuance of SSL/TLS certificates govern the use of SANs. The Certificate Authority/Browser (CA/B) Forum (https://cabforum.org/) is a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing. The group determines the Baseline Requirements that promote secure use of these certificates.

Ballot 144

Effective May 1, 2015. 
The CA/B Forum enacted in Ballot 144, section 9.2.1 Subject Alternative Name Extension:

"Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an IPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate."

This means that certificates can be issued for IP Addresses, but not for Internal Server Names.

Note that the reason for this is that Organizational Validated (OV) certificates (which are the first level of digital certificate to support SANs) display an authenticated identity. IP Addresses are unique, whereas Internal Server Names may be used multiple times by multiple organizations (e.g. "mail.internal").  Thus, Internal Server Names cannot be authenticated to single identities and therefore cannot be validated at the proper level of authentication standards.

This requirement was fully implemented in Entrust Certificate Services as of October 23, 2016, although Entrust Datacard proactively adhered to this standard before that date, as well as before the effective date of the requirement.

Extended Validation

Extended Validation (EV) SSL/TLS certificates provide the highest level of browser authentication and security, and thus undergo the most rigorous verification checks of all digital certificate types. The regulations surrounding the issuance of EV do not authorize their use to protect IP Addresses or Internal Server Names.

As noted previously, however, IP Addresses may be secured with OV SSL/TLS certificates.
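The rules in the Ballot 144 and Extended Validation sections above can be checked before a request is submitted. The following is an added example, not Entrust code: the function names and the suffix list are assumptions, the sample values are constructed, and it additionally treats IANA-reserved addresses (such as RFC 1918 ranges) like internal names, which the Baseline Requirements do although this article does not spell it out.

```python
import ipaddress
import re

# Assumption: a short constructed list of suffixes not delegated in public DNS.
# A production check would consult the IANA root zone instead.
NON_PUBLIC_SUFFIXES = {"internal", "local", "localhost", "lan", "corp",
                       "home", "test", "invalid", "example"}

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def classify_san(value):
    """Return 'ip', 'reserved-ip', 'fqdn', 'internal-name' or 'invalid'."""
    value = value.strip().rstrip(".")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        pass  # not an IP literal, fall through to hostname checks
    else:
        # Only globally routable addresses are unique to one assignee.
        return "ip" if ip.is_global else "reserved-ip"
    labels = value.split(".")
    if len(value) > 253 or not all(LABEL.fullmatch(l) for l in labels):
        return "invalid"
    if labels[-1].isdigit():
        return "invalid"  # malformed IP such as "1.2.3", not a hostname
    if len(labels) == 1 or labels[-1].lower() in NON_PUBLIC_SUFFIXES:
        return "internal-name"  # e.g. "mail.internal" or a bare NetBIOS name
    return "fqdn"

# Per the article: OV may carry FQDNs and IP addresses, EV only FQDNs.
ALLOWED = {"fqdn": {"OV", "EV"}, "ip": {"OV"}}

def review_request(sans, cert_type):
    """Map each requested SAN to (kind, acceptable for cert_type)."""
    result = {}
    for san in sans:
        kind = classify_san(san)
        result[san] = (kind, cert_type in ALLOWED.get(kind, set()))
    return result

if __name__ == "__main__":
    # Constructed sample SAN list for a single request.
    sample = ["www.example.com", "8.8.8.8", "10.0.0.5", "mail.internal", "MAILSRV01"]
    for cert_type in ("OV", "EV"):
        for san, (kind, ok) in review_request(sample, cert_type).items():
            print(f"{cert_type:2}  {san:18} {kind:14} {'ok' if ok else 'REJECT'}")
```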

How can I obtain a certificate for my Internal Server Name?

You must create a self-signed certificate, or associate the Internal Server Name with a publicly-facing domain name that is owned by and registered to your organization and obtain a certificate using that domain name. Alternatively, you may request a certificate for the Internal Server Name from a Certificate Authority using an IP Address for that server.

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance: 

Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list below) 
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as a UITF toll-free call.

Country | Number
Australia | 0011 - 800-3687-7863; 1-800-767-513
Austria | 00 - 800-3687-7863
Belgium | 00 - 800-3687-7863
Denmark | 00 - 800-3687-7863
Finland | 990 - 800-3687-7863 (Telecom Finland); 00 - 800-3687-7863 (Finnet)
France | 00 - 800-3687-7863
Germany | 00 - 800-3687-7863
Hong Kong | 001 - 800-3687-7863 (Voice); 002 - 800-3687-7863 (Fax)
Ireland | 00 - 800-3687-7863
Israel | 014 - 800-3687-7863
Italy | 00 - 800-3687-7863
Japan | 001 - 800-3687-7863 (KDD); 004 - 800-3687-7863 (ITJ); 0061 - 800-3687-7863 (IDC)
Korea | 001 - 800-3687-7863 (Korea Telecom); 002 - 800-3687-7863 (Dacom)
Malaysia | 00 - 800-3687-7863
Netherlands | 00 - 800-3687-7863
New Zealand | 00 - 800-3687-7863; 0800-4413101
Norway | 00 - 800-3687-7863
Singapore | 001 - 800-3687-7863
Spain | 00 - 800-3687-7863
Sweden | 00 - 800-3687-7863 (Telia); 00 - 800-3687-7863 (Tele2)
Switzerland | 00 - 800-3687-7863
Taiwan | 00 - 800-3687-7863
United Kingdom | 00 - 800-3687-7863; 0800 121 6078; +44 (0) 118 953 3088