On 17.1.2014 19:14, James H. H. Lampert wrote:
> At this point, if you haven't already done so, I would strongly suggest
> getting your CA's tech support in on this.

+1

Reserved IP addresses and internal server names are not unique on the
Internet, so the certificates for them may be reused in different
places, which is a security problem. Imagine you get a certificate for
IP 192.168.0.1 or for internal server name "server.local", or worse,
a wildcard certificate "*.local". That certificate may be reused on any
local network that uses that same IP address or server name, e.g. for a
man-in-the-middle attack. The user of such a network will hardly notice
that the certificate is from a completely different network.

Therefore I believe that it is reasonable for any CA to treat internal
server names and reserved IP addresses as two faces of the same problem.

However, on second reading I noticed that the Baseline Requirements say that
CAs shall sign the certificate with either or both of them, but that
certificate must expire before 1 November 2015. So check your CSR
expiration date and, as James recommends, your CA's policy on that matter.

-Ognjen
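
As an added example (not part of the original message): a small Python check that flags requested certificate names that are not unique on the Internet, i.e. the reserved IP addresses and internal server names discussed above. The suffix list, the function names and the sample names are assumptions made for illustration.

```python
import ipaddress

# Assumption: suffixes treated as internal-only here; illustrative, not a
# complete list and not taken from the original message.
INTERNAL_SUFFIXES = (".local", ".localdomain", ".internal", ".lan", ".corp")


def classify_san(value):
    """Classify one subjectAltName entry (DNS name or IP address, as text).

    Returns 'reserved-ip', 'public-ip', 'internal-name' or 'public-name'.
    """
    name = value.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # is_global is False for private, loopback, link-local and other
        # reserved ranges, which many unrelated networks reuse.
        return "public-ip" if ip.is_global else "reserved-ip"
    # A wildcard covers every host under its parent, so judge the parent.
    host = name[2:] if name.startswith("*.") else name
    if "." not in host or host.endswith(INTERNAL_SUFFIXES):
        # Single-label names and internal suffixes resolve differently
        # on every local network.
        return "internal-name"
    return "public-name"


def non_unique_names(sans):
    """Return the entries that another network could legitimately reuse."""
    return [s for s in sans
            if classify_san(s) in ("reserved-ip", "internal-name")]


# Constructed sample: names one might find in a CSR's subjectAltName list.
SAMPLE_SANS = ["www.example.com", "192.168.0.1", "server.local",
               "*.local", "8.8.8.8", "intranet"]

if __name__ == "__main__":
    for san in SAMPLE_SANS:
        print(f"{san:18} {classify_san(san)}")
```
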