
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 172

No more .local names in certificates starting November 2015

We are setting up a Windows 2012 R2 Standard server and it is only going to serve as the domain controller, nothing else. We named it XYZCompany.local. The client's IT guy was told by a friend that we could not use .local as that was outlawed in 2015. I know that I cannot register a .local name if I want an SSL certificate; however, my domain controller should be OK, shouldn't it?
Asked by lorayne912
3 Solutions
 
Cliff Galiher commented:
Yes, that's still allowed. This only impacts SSL certificates issued by a public CA. Internal CAs can continue to issue .local if needed.  

Admittedly, in new deployments, I prefer to use private-sub.domain.com (such as corp.mycompany.com) or similar just to provide flexibility with future technologies, but I am not renaming existing domains. So depending on how far along you are in your deployment and your risk aversion, either is an option.
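The "internal CA can still issue .local" route from the answer above, shown as an added PowerShell example (this is not code from the thread or from Microsoft). It assumes a hypothetical AD domain xyzcompany.local, a host named dc01, and an enterprise CA reachable through AD that publishes a template called WebServer which the machine account is allowed to enroll; all of those names are assumptions.

```powershell
# Added example: enroll a server certificate carrying a .local name from the
# organisation's own enterprise CA (public CAs will refuse such a name).
# Assumptions (hypothetical): AD domain xyzcompany.local, host dc01, and a
# published template named 'WebServer' that this machine may enroll.
Import-Module PKI

$Fqdn  = 'dc01.xyzcompany.local'
$Names = @($Fqdn, 'dc01')   # SAN entries: the FQDN plus the short host name

# Enroll against the enterprise CA located via Active Directory ('ldap:'),
# with the private key created in the machine store.
$result = Get-Certificate -Template 'WebServer' `
                          -DnsName $Names `
                          -SubjectName "CN=$Fqdn" `
                          -CertStoreLocation 'Cert:\LocalMachine\My' `
                          -Url 'ldap:'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status)"
}
$cert = $result.Certificate

# The caveat raised in the thread: every client that talks to this host must
# trust the issuing root. Verify the chain builds here; on clients, the root
# is normally pushed through Group Policy (Trusted Root Certification Authorities).
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
"Thumbprint: $($cert.Thumbprint)"
"Issuer:     $($cert.Issuer)"
"SAN:        $($sanExt.Format($false))"
```

Run this as an administrator on the server that needs the certificate; the SAN line in the output is what the client compares against the URL it typed, so the .local name must appear there, not only in the subject.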
 
Scott C, Senior Systems Engineer, commented:
Yes, that will be fine.

The biggest impact was for Exchange users.  Technically you COULD still use .local, but no CA will create a Cert with one.
 
Adam Brown, Sr Solutions Architect, commented:
It wasn't "outlawed". You *can* still use .local for your internal AD Domain Name, but the recommendations from Microsoft are to avoid doing so, since .local is used by Apple's Bonjour service for network discovery and can cause issues with some versions of iOS/OSX when interacting with the SMB protocol. I wrote an article on the current Domain Naming recommendations: http://wp.me/pUCB5-2k

It is true that third party CAs will not issue certificates that include .local as a TLD for the Common name or any SANs. This would mean that you will get certificate errors when attempting to access HTTPS websites using Internal DNS FQDNs if that's what your AD Domain uses (unless, as was mentioned, you generate the certificate with your own CA, but that also means you have to deploy the Root CA cert to all devices that access those sites with that FQDN). But there are work-arounds for that. Specifically, you would need to get a 3rd party cert using your Public DNS FQDN for the web server, then have a secondary Forward Lookup Zone (or Pinpoint DNS entries) that defines the host name to an Internal IP address.

TL;DR - You can still use domain.local for your Active Directory domain. The practice isn't outlawed. It just isn't a recommended best practice any longer (and hasn't been for about 10 years).
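The workaround described in the answer above (a public certificate for the public FQDN plus a pinpoint DNS zone that steers internal clients to the internal address) as an added PowerShell example; it is not code from the thread or from Microsoft. The names mail.contoso.com and 10.0.0.25 are hypothetical, and the script assumes it runs on the Windows DNS server (DnsServer module) that the internal clients query.

```powershell
# Added example: split-brain name resolution for a web server whose public
# certificate carries only its public FQDN, so internal clients use the same
# name (and therefore get no certificate warning) but reach the internal IP.
# Assumptions (hypothetical): public name mail.contoso.com, internal address
# 10.0.0.25, run on a Windows DNS server that is also a domain controller.
Import-Module DnsServer

$PublicFqdn = 'mail.contoso.com'
$InternalIp = '10.0.0.25'

# A "pinpoint" zone is named after the single host. Only this one name is
# overridden locally; every other contoso.com record still resolves through
# the public zone, so nothing else has to be mirrored internally.
if (-not (Get-DnsServerZone -Name $PublicFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicFqdn -ReplicationScope 'Domain'
}
# The host record lives at the zone apex, hence the '@' name.
Add-DnsServerResourceRecordA -ZoneName $PublicFqdn -Name '@' `
                             -IPv4Address $InternalIp `
                             -TimeToLive (New-TimeSpan -Minutes 5)

# Check 1: an internal resolver now returns the internal address for the public name.
$resolved = (Resolve-DnsName -Name $PublicFqdn -Type A -Server 'localhost').IPAddress
if ($resolved -ne $InternalIp) {
    throw "Pinpoint zone did not take effect: $PublicFqdn resolved to $resolved"
}

# Check 2: the certificate actually presented on 443 contains the name clients
# will type. Validation is bypassed here on purpose so the SAN can be inspected
# even if this machine does not yet trust the issuer.
$tcp = New-Object Net.Sockets.TcpClient($PublicFqdn, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($PublicFqdn)
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
"Subject: $($cert.Subject)"
"SAN:`n$san"
if ($san -notmatch [regex]::Escape($PublicFqdn)) {
    Write-Warning "$PublicFqdn is not in the certificate SAN; clients will still see an error"
}
```

Two things to keep in mind when using this: the TTL is deliberately short so a change of internal address propagates quickly, and the second check is worth re-running after every certificate renewal, because a renewed certificate issued without the SAN entry reintroduces exactly the warning the pinpoint zone was meant to remove.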
 
lorayne912 (Author) commented:
Thanks everyone for your quick responses.
