The CA/Browser Forum recently published Baseline Requirements for CAs issuing SSL certificates. Major software vendors have announced that they will integrate the standard into their distribution programmes for all trusted CA roots.
Section 9.2.1 of the Baseline Requirements deprecates the use of "non-unique names" in publicly-trusted SSL certificates. There are growing concerns that this practice may create vulnerabilities which allow attackers to perform "man in the middle" attacks and eavesdrop on secure connections.
As a result, trusted CAs must phase out the use of internal server names and reserved IP addresses in the Subject commonName field or SubjectAlternativeName extension of trusted SSL certificates according to the following schedule:
To limit their risk, we recommend that customers begin using Fully Qualified Domain Names to access internal resources and stop using certificates containing internal server names and private IP addresses as soon as possible.
QuoVadis will provide transition information for affected users of Trust/Link Enterprise.
Fully-Qualified Domain Name: A registered Domain Name that includes the labels of all superior nodes in the Internet Domain Name System (DNS). For example: example.quovadisglobal.com. NOTE: this means you must use a registered domain name but does not mean that domain must be reachable from the public Internet.
Internal Server Name: A Server Name (which may or may not include an unregistered Domain Name) that is not resolvable using the public DNS. For example: mail, exchange, exch01, example.local, or localhost.
Reserved IP Address: An IPv4 or IPv6 address that the IANA has marked as reserved:
QuoVadis Deprecated Certificate Guidance for internal hostnames and private IP addresses
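The three definitions above can be turned into a simple inventory check: given the commonName and SubjectAlternativeName values already extracted from a certificate, flag every entry that is an internal server name or a reserved IP address. This is an added example, not QuoVadis or CA/Browser Forum code; the set of non-public top-level labels and the sample SAN list are constructed assumptions, and a name under a public TLD is only presumed registered (the real check is against public DNS).

```python
import ipaddress

# Assumption: a small illustrative set of top-level labels that are never
# delegated in the public DNS, so any name under them is non-unique.
NON_PUBLIC_TLDS = {"local", "localdomain", "localhost", "internal"}


def classify_name(name: str) -> str:
    """Classify one CN/SAN value as 'fqdn', 'internal_name',
    'reserved_ip' or 'public_ip' using the definitions from the notice."""
    value = name.strip().lower().rstrip(".")
    # iPAddress entries: anything IANA has not marked as globally routable
    # (private, loopback, link-local, documentation ranges, ...) is reserved.
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        return "public_ip" if addr.is_global else "reserved_ip"
    # dNSName entries: a wildcard still needs a registered parent domain.
    if value.startswith("*."):
        value = value[2:]
    labels = value.split(".")
    # A single label (mail, exch01, localhost) is never resolvable in public
    # DNS, and neither is anything under a non-public top-level label.
    if len(labels) < 2 or labels[-1] in NON_PUBLIC_TLDS:
        return "internal_name"
    # Dotted name under a public TLD: treated as an FQDN here; whether the
    # domain is actually registered must be confirmed against public DNS.
    return "fqdn"


def audit_names(names):
    """Return (name, verdict) for every entry the Baseline Requirements deprecate."""
    flagged = []
    for name in names:
        verdict = classify_name(name)
        if verdict in ("internal_name", "reserved_ip"):
            flagged.append((name, verdict))
    return flagged


# Constructed sample SAN list mixing compliant and deprecated entries.
SAMPLE_SAN = [
    "mail.example.com", "*.example.com", "exch01",
    "exchange.example.local", "localhost", "10.1.2.3",
    "203.0.113.10", "2001:db8::1",
]

if __name__ == "__main__":
    for name, verdict in audit_names(SAMPLE_SAN):
        print(f"{name}: {verdict}")
```

Note that the documentation ranges 203.0.113.0/24 and 2001:db8::/32 are flagged too, because they are IANA-reserved even though they are not RFC 1918 private space.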