SSL Certificates - What’s changing for October 2016
We are seeing some issues in renewing SSL certs for a 3-year period because of some changes that will come into effect as of October 1, 2016. See the excerpt from one of our suppliers below:
Using Intranet and Reserved IP Addresses as the Primary Domain or Subject Alternative Name in SSLs
The Internet security community is phasing out the use of intranet and reserved IP addresses as the Primary Domain Name or the Subject Alternative Name in SSL certificates.
This is an industry-wide decision, not one specific to our company.
An intranet name is any name that is not in the public Internet DNS (e.g. 'server1', 'mail', 'www', 'server2.local', etc.). A reserved IP address is any address designated by the Internet Assigned Numbers Authority (IANA) as being reserved.
To create a safer online environment, members of the Certificate Authorities Browser Forum (CA/Browser Forum) worked to define the guidelines and means of implementation of SSL Certificates. As a result of these meetings, effective on October 1, 2016, Certification Authorities (CAs) must revoke any SSL certificates that use intranet names or reserved IP Addresses.
As a result of this decision, on July 1, 2012, we no longer accept new requests, process rekeys or renewals, or allow any management of Subject Alternative Names for certificates that contain intranet names or reserved IP addresses, and are valid beyond November 1, 2015. If you have an existing certificate that contains an intranet name and/or a reserved IP address, you can continue to use that certificate until it expires or until October 1, 2016, whichever comes first.
To read CA/Browser Forum guidelines, go here.
For more information on which IPv4 addresses are reserved, go here. Some addresses are mentioned only in the footnotes. We do not support any certificates using IPv6.
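An added example, not part of the supplier's notice: one way to audit a certificate's Subject Alternative Name entries against the definitions of intranet name and reserved IP address given above. The entries use the (type, value) tuple format that Python's `ssl` `getpeercert()` returns for `subjectAltName`; the suffix list, function names and sample entries are constructed assumptions.

```python
import ipaddress

# Assumption: suffixes treated as non-public. The first five are special-use
# names (RFC 2606 / RFC 6761 / RFC 6762); the rest are common internal
# conventions. A full audit would compare against the IANA root zone TLD list.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "test", "example", "invalid",
                       "internal", "lan", "corp", "home"}


def classify_entry(value):
    """Return 'reserved-ip', 'intranet-name' or 'ok' for one SAN/CN value."""
    value = value.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # is_global is False for private, loopback, link-local, shared
        # (100.64.0.0/10) and documentation ranges in the IANA registries.
        return "ok" if ip.is_global else "reserved-ip"
    # Wildcards are judged by the domain they cover.
    labels = (value[2:] if value.startswith("*.") else value).split(".")
    if len(labels) == 1 or labels[-1] in NON_PUBLIC_SUFFIXES:
        return "intranet-name"
    return "ok"


def audit_san(entries):
    """Map each affected DNS / IP Address entry to the reason it is flagged."""
    findings = {}
    for kind, value in entries:
        if kind not in ("DNS", "IP Address"):
            continue  # email, URI and other SAN types are out of scope here
        verdict = classify_entry(value)
        if verdict != "ok":
            findings[value] = verdict
    return findings


# Constructed sample in the shape of getpeercert()["subjectAltName"].
SAMPLE_SAN = (("DNS", "www.example.com"), ("DNS", "mail"),
              ("DNS", "server2.local"), ("DNS", "*.corp.internal"),
              ("IP Address", "10.1.2.3"), ("IP Address", "192.0.2.1"),
              ("IP Address", "100.64.0.1"), ("IP Address", "8.8.8.8"),
              ("email", "admin@example.com"))

if __name__ == "__main__":
    for name, reason in audit_san(SAMPLE_SAN).items():
        print(f"{name}: {reason}")
```

Any certificate with a flagged entry needs to be reissued with publicly resolvable names before the dates given in the notice.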