Industry set to retire underscores in domain names in public SSL certificates

With the passing of CA/Browser Forum Ballot SC12: Sunset of Underscores in DNSNames, the industry is retiring underscores ("_") in domain names in public SSL certificates. On January 14, 2019, your existing DigiCert certificates containing underscores will be revoked.

This ballot does not affect Private SSL certificates, nor does it affect other types of digital certificates such as Code Signing, Client, and so on.

Ballot SC12 sets some important dates for the retirement of underscores along with an important provision to help those with an urgent need to continue using underscores for a little bit longer. By May 1, 2019, industry standards mandate that Public SSL certificates must no longer secure domain names with underscores ("_").

Provision: 30-Day Underscore Certificates

For a limited time, CAs are allowed to issue public SSL certificates containing underscores ("_"). This provision is meant to provide you with some extra time to find a permanent migration solution.

However, there are specific guidelines in Ballot SC12 to make sure these certificates are compliant.

  • Maximum 30-day validity for public SSL certificates containing underscores in domain names.

  • All public SSL certificates containing underscores in domain names must be issued prior to April 1, 2019.

  • All public SSL certificates containing underscores in domain names must expire on or before April 31, 2019.

  • Underscores must not be in the base domain.
    "example_domain.com" is not allowed.

  • Underscores must not be in the leftmost domain label.
    "_example.domain.com" and "example_domain.example.com" are not allowed.

Wildcard Certificate Note: If the underscore is present in the leftmost domain label, use a wildcard certificate instead. A wildcard certificate for *.example.com secures example_domain.example.com and _example.domain.example.com.
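As an added illustration (not part of the DigiCert article), the following Python script applies the SC12 guidelines above to a list of SAN hostnames: it flags an underscore in the base domain or in the leftmost label, proposes the wildcard that would cover a leftmost-label case, and checks whether a 30-day certificate would still fall inside the issuance window. It assumes the base domain is the last two labels (a real audit should consult the Public Suffix List), measures validity as the number of days between notBefore and notAfter, and implements wildcard matching with the Baseline Requirements single-label rule, under which the asterisk stands in for exactly one label. The sample hostnames and dates at the bottom are constructed.

```python
"""Audit SAN hostnames against the Ballot SC12 underscore rules (added example)."""
from datetime import date
from typing import List, Optional

MAX_VALIDITY_DAYS = 30            # maximum validity for an underscore certificate
ISSUE_BEFORE = date(2019, 4, 1)   # must be issued prior to April 1, 2019
EXPIRE_BEFORE = date(2019, 5, 1)  # must no longer be valid by May 1, 2019


def labels(name: str) -> List[str]:
    """Split a hostname into DNS labels, ignoring case and a trailing dot."""
    return name.lower().rstrip(".").split(".")


def base_domain(name: str) -> str:
    """Assumption: the base (registrable) domain is the last two labels.
    This is wrong for suffixes such as co.uk; use the Public Suffix List in production."""
    return ".".join(labels(name)[-2:])


def classify(name: str) -> Optional[str]:
    """Return None for a clean name, otherwise which SC12 rule the underscore hits."""
    if "_" not in name:
        return None
    if "_" in base_domain(name):
        return "base_domain"          # never allowed, not even for 30 days
    if "_" in labels(name)[0]:
        return "leftmost_label"       # not allowed; a wildcard may cover it
    return "eligible_30_day"          # underscore in a middle label only


def wildcard_covers(wildcard: str, name: str) -> bool:
    """True if a wildcard in the leftmost label covers name.
    The asterisk replaces exactly one label (Baseline Requirements / RFC 6125 style)."""
    wparts, nparts = labels(wildcard), labels(name)
    if wparts[0] != "*" or "*" in wparts[1:]:
        return False
    return len(nparts) == len(wparts) and nparts[1:] == wparts[1:]


def suggest_wildcard(name: str) -> Optional[str]:
    """For a leftmost-label underscore, the wildcard name that would secure it."""
    if classify(name) != "leftmost_label":
        return None
    return "*." + ".".join(labels(name)[1:])


def validity_ok(not_before: date, not_after: date) -> bool:
    """Check the 30-day window and the issue/expiry deadlines of the provision.
    Assumption: validity is counted as whole days between the two dates."""
    span = (not_after - not_before).days
    return (0 <= span <= MAX_VALIDITY_DAYS
            and not_before < ISSUE_BEFORE
            and not_after < EXPIRE_BEFORE)


def audit(sans: List[str], not_before: date, not_after: date) -> List[dict]:
    """One row per SAN: rule hit, wildcard suggestion, and 30-day eligibility."""
    dates_ok = validity_ok(not_before, not_after)
    rows = []
    for san in sans:
        kind = classify(san)
        rows.append({
            "name": san,
            "problem": kind,
            "wildcard": suggest_wildcard(san),
            "thirty_day_ok": kind == "eligible_30_day" and dates_ok,
        })
    return rows


if __name__ == "__main__":
    # Constructed sample request: a mix of clean, fixable and forbidden names.
    sample = ["www.example.com", "example_domain.com",
              "_sip.example.com", "www._svc.example.com"]
    for row in audit(sample, date(2019, 3, 1), date(2019, 3, 31)):
        print(row)
```

Names reported as `base_domain` have no certificate-side fix and must be renamed; `leftmost_label` names can be covered by the suggested wildcard or a private certificate; only `eligible_30_day` names qualify for the temporary provision, and only while the dates still fit the window.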

For timelines and date-specific information:

Underscore Remediation Options

The preferred solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. For situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain. For more information, see Underscores not allowed in FQDNs.