
The CA / B Forum has banned the use of underscores in dNSName entries.


The CA / B Forum, the regulatory body in the SSL industry, has banned the use of underscores (“_”) in any dNSName entries. The corresponding proposal (Ballot SC12) was accepted and supported by a majority of votes.

A similar ballot had already been considered in 2017 but was rejected, even though using underscore characters in SAN fields of type dNSName contradicts the requirements of RFC 5280.

The current proposal provides a short transition period, during which the certificate holder can either change the domain name (FQDN) or deploy a wildcard certificate.

Details of the ballot implementation

According to the new rules, until 1 April 2019 the process of issuing certificates containing underscores (“_”) in domain labels in dNSName entries is allowed only if the following requirements are met:

  • The underscore characters should not be in the left-most position in the domain label;
  • The certificate is issued only for a period not exceeding 30 days;
  • Underscores can be used, but it’s best to change them to hyphens to get a trusted domain label.

All certificates containing an underscore in any dNSName entries and having a validity of more than 30 days must be revoked before 15 January 2019.

Starting on 30 April 2019, underscores (“_”) must not appear in the dNSName entries.
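To find affected certificates in an inventory, the sketch below (an added example, not part of the original article or of any CA tooling) flags dNSName entries that contain underscores, marks certificates whose validity exceeds 30 days as due for revocation, and checks whether replacing underscores with hyphens yields a syntactically valid label. The function names and the sample inventory are hypothetical, and the dNSName list and validity dates are assumed to have already been extracted from each certificate.

```python
import re
from datetime import datetime, timedelta

# LDH label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_TRANSITION_VALIDITY = timedelta(days=30)  # limit stated in the article


def check_dns_name(name):
    """Return (has_underscore, hyphenated_name, hyphenated_is_valid)."""
    labels = name.rstrip(".").split(".")
    fixed = [label.replace("_", "-") for label in labels]
    # A wildcard "*" is only accepted as the entire left-most label.
    to_check = fixed[1:] if fixed[0] == "*" else fixed
    valid = bool(to_check) and all(LDH_LABEL.match(l) for l in to_check)
    return "_" in name, ".".join(fixed), valid


def audit_certificate(dns_names, not_before, not_after):
    """List findings for one certificate's dNSName entries."""
    findings = []
    long_lived = (not_after - not_before) > MAX_TRANSITION_VALIDITY
    for name in dns_names:
        has_underscore, suggestion, ok = check_dns_name(name)
        if not has_underscore:
            continue
        findings.append({
            "name": name,
            "revoke": long_lived,  # underscore plus validity over 30 days
            "suggested": suggestion if ok else None,  # None: rename needed
        })
    return findings


# Constructed sample inventory (not real certificates).
SAMPLE = [
    (["www.example.com", "dev_api.example.com"],
     datetime(2018, 6, 1), datetime(2019, 6, 1)),
    (["_svc.example.com"], datetime(2019, 1, 2), datetime(2019, 1, 30)),
]

if __name__ == "__main__":
    for names, nb, na in SAMPLE:
        for finding in audit_certificate(names, nb, na):
            print(finding)
```

A name such as `_svc.example.com` gets no suggestion because the hyphenated form would begin with a hyphen, so it needs a new label rather than a character swap.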
