In accordance with industry standards, DigiCert no longer issues public certificates for FQDNs that contain underscores ( _ ).

As of October 1, 2018, DigiCert no longer issues public certificates for domains and subdomains that contain underscores ( _ ). This applies to an underscore anywhere in an FQDN (fully qualified domain name).

Use of underscores in FQDNs

For publicly trusted certificates, we can no longer allow use of underscores ( _ ) in:

  • Subject Common Name

  • Subject Alternative Name (SAN)

We can only issue certificates for domains and subdomains using:

  • Lowercase letters a–z

  • Uppercase letters A–Z

  • Digits 0–9

  • Special characters: period (.) and hyphen (-)

Solutions

Rename hostnames (FQDNs)

The preferred solution is to rename hostnames (FQDNs) that contain underscores and replace their certificates. This solution will work no matter where the underscore is in the domain name.

Note: Using underscores in hostnames violates RFC 1123, which defines the valid characters for a domain name. In practice, however, the global DNS allows underscores in hostnames.

For these use cases, renaming the hostnames may be your only solution:

  • Company policy prevents the use of wildcard certificates.

  • Underscores are located in multiple labels (multi_level.underscore_subdomain.example.com) and public trust is required.

Unable to rename FQDNs with underscores ( _ )

If you are unable to rename FQDNs that contain underscores, use one of these options to continue getting certificates for those domains.

  1. Use wildcard certificates

    If public trust is a must and the underscores are only present in the left-most subdomain (for example, sub_domain.example.com or third_level.subdomain.example.com), you may use a public wildcard certificate to secure the entire domain (for example, *.example.com or *.subdomain.example.com).

  2. Use private certificates

    If public trust is not required and the underscores are present in any other portion of the domain (for example, third_level.sub_domain.example.com or fourth_level.third_level.sub_domain.example.com), you may use private certificates, issued by a Private CA, to secure these domains.

    Note: Private certificates are not publicly trusted and will not work on the public internet or in devices that do not trust the private CA root certificate that issued them.
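
To find which names in an inventory are affected and which option applies to each, the rules above can be scripted. This is an added example, not DigiCert code: the function names, status strings and sample list are hypothetical, and it assumes a wildcard is only suggested when the parent domain has at least two labels (the public suffix list is not consulted).

```python
import re

# Characters the page lists as allowed in a label, plus underscore so that
# underscore names can be told apart from otherwise malformed ones.
LABEL_CHARS = re.compile(r"[A-Za-z0-9_-]+")


def classify_fqdn(fqdn):
    """Classify one CN/SAN DNS name against the underscore rule.

    Returns (status, suggestion); status is one of
    "ok", "wildcard", "rename-or-private", "invalid".
    """
    labels = fqdn.rstrip(".").split(".")
    # A leading "*" is the wildcard label, not a hostname character problem.
    to_check = labels[1:] if labels[0] == "*" else labels
    if not to_check or any(not LABEL_CHARS.fullmatch(lab) for lab in to_check):
        return ("invalid", None)  # empty label or another disallowed character
    with_underscore = [i for i, lab in enumerate(labels) if "_" in lab]
    if not with_underscore:
        return ("ok", None)
    parent = labels[1:]
    # Option 1: underscore only in the left-most label. Assumption: the parent
    # must have at least two labels; the public suffix list is not consulted.
    if with_underscore == [0] and len(parent) >= 2:
        return ("wildcard", "*." + ".".join(parent))
    # Underscore elsewhere: rename, or use option 2 (private CA) when public
    # trust is not required.
    return ("rename-or-private", None)


def audit(names):
    """Map each name to its classification."""
    return {name: classify_fqdn(name) for name in names}


# Constructed sample input: the example names from this page plus two controls.
SAMPLE_NAMES = [
    "www.example.com",
    "sub_domain.example.com",
    "third_level.subdomain.example.com",
    "third_level.sub_domain.example.com",
    "multi_level.underscore_subdomain.example.com",
    "*.example.com",
]

if __name__ == "__main__":
    for name, (status, hint) in audit(SAMPLE_NAMES).items():
        print(f"{name:48} {status:18} {hint or ''}")
```

Feed it the Common Name and every SAN entry from each certificate due for renewal; a "wildcard" result still depends on company policy permitting wildcard certificates.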

Contact us

If you have questions or need help, please contact support or your account manager.