Our IT manager came across something interesting regarding "short-names", "On October 1, 2016, all publicly trusted SSL/TLS certificates with an internal name or reserved IP address will be revoked and/or blocked by browser software..." This is according to this link https://cabforum.org/internal-names/.
And, our company root CA certificate is using the server's shortname rather than a FQDN. We have an offline 2012 R2 root CA in a workgroup and a 2012 R2 subordinate issuing CA on the domain. There are no issues with regard to PKI, generating certs, or impending expiration of the root certificate. Our security officer and IT manager want to be proactive in getting ahead of this before it becomes an issue later on. All of our internet-facing applications have a trusted certificate from a trusted public CA, Digicert I believe. But we still need to maintain an internal one for internal applications.
So, how do I create another root CA certificate with a FQDN without disrupting the currently trusted one? I'm assuming once I create another one, I'll add that to trusted certs in Active Directory and add or generate new certs for all our internal apps.
Does anyone know of instructions or guidance on how to get this accomplished? Thanks!!!
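As an added example (not from the original post), this PowerShell inventory flags certificates in the local machine stores whose subject CN or SAN entry is a single-label short name, a reserved IP address, or a `.local` name, which is the kind of "internal name" the CA/B Forum rule covers; the store paths, the `.local` heuristic and the reserved ranges checked are assumptions for the example.

```powershell
# Added example: find certificates whose names are "internal" (short name,
# reserved IP, or .local). Assumes the Root and My machine stores are the
# ones of interest; adjust -Stores as needed.
function Test-InternalName {
    param([string]$Name)
    $n = $Name.Trim().ToLower()
    if ($n -eq '') { return $false }
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($n, [ref]$ip)) {
        $b = $ip.GetAddressBytes()
        if ($ip.AddressFamily -eq 'InterNetwork') {
            # RFC 1918, loopback and link-local IPv4 ranges (assumed list)
            return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
                   ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                   ($b[0] -eq 192 -and $b[1] -eq 168) -or
                   ($b[0] -eq 169 -and $b[1] -eq 254)
        }
        # IPv6 link-local (fe80::/10) or unique-local (fc00::/7)
        return $ip.IsIPv6LinkLocal -or (($b[0] -band 0xfe) -eq 0xfc)
    }
    # A hostname with no dot (e.g. "SRV-CA01") or under .local is not public
    return ($n -notmatch '\.') -or ($n -like '*.local')
}

function Get-InternalNameCertificates {
    param([string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My'))
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $names = @()
            # Subject CN, e.g. "CN=SRV-CA01, DC=corp, DC=example"
            if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
            # Subject Alternative Name (OID 2.5.29.17), formatted by Windows as
            # "DNS Name=host, IP Address=10.0.0.1"
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($san) {
                foreach ($entry in ($san.Format($false) -split ',\s*')) {
                    $names += ($entry -split '=', 2)[-1]
                }
            }
            $flagged = $names | Where-Object { Test-InternalName $_ } | Select-Object -Unique
            if ($flagged) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    InternalNames = ($flagged -join '; ')
                }
            }
        }
    }
}

Get-InternalNameCertificates | Format-Table -AutoSize
```

Run it on the issuing CA and on a few application servers to get a list of the internal certs that would need reissuing under a new FQDN-named CA.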