In November 2018, the CA/Browser Forum voted to sunset the use of underscore characters in the domain names of SSL/TLS certificates. Ballot SC 12 set a short timeline in which Subscribers had to stop using underscores. While Entrust Datacard agreed that the question of underscores needed to be resolved, we could not find any justification for this sense of urgency and therefore did not support the ballot. The potential disruption to Subscribers' resources during the holiday season, a change-freeze period for many IT organizations, was not warranted.

The status of underscore characters is confusing. An underscore is not a valid character in a hostname: the preferred name syntax of RFC 1035 (which RFC 5280 requires for the dNSName entries of a certificate) allows only letters, digits and hyphens. As a result, you cannot register a domain name that contains an underscore. Nevertheless, certificate users have for many years put underscores in the hostnames of subdomains they control, and certification authorities (CAs) have issued certificates for those names.

Ballot SC 12 requires the following for certificates with underscore characters:

  • On the effective date of the ballot, December 10, 2018, certificates with underscores may only be issued with a validity period of 30 days or less;
  • Existing certificates with a validity period of more than 30 days must be revoked by January 15, 2019;
  • Underscore certificates cannot be issued effective April 1, 2019; and
  • All underscore certificates will be revoked or expired by April 30, 2019.
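The two rules above that a CA or a Subscriber can check mechanically are the hostname syntax (an underscore anywhere in a dNSName fails RFC 1035's letters-digits-hyphens rule) and the 30-day validity cap that applied to underscore certificates after December 10, 2018. The Python below is an added example, not code from the original post or from Entrust: it validates each dNSName SAN against the preferred name syntax (RFC 1035 as relaxed by RFC 1123, with a single leading wildcard label allowed as certificates permit), reports why a name fails, and flags an underscore certificate whose validity period exceeds 30 days. The certificate is represented in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions can be pointed at a live endpoint; the sample certificate and all function names are constructed for this example.

```python
"""Check a certificate's dNSName SANs against RFC 1035 hostname syntax and
flag underscore certificates issued for longer than the 30-day cap."""

import re
import ssl
from datetime import timedelta
from typing import Dict, Optional

# One LDH label: letters, digits and hyphens, no leading or trailing hyphen,
# 1-63 octets. RFC 1123 relaxed RFC 1035's rule that a label start with a
# letter, so a leading digit is accepted here.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Validity cap that Ballot SC 12 imposed on underscore certificates.
MAX_UNDERSCORE_VALIDITY = timedelta(days=30)


def check_dns_name(name: str) -> Optional[str]:
    """Return None if `name` is a well-formed hostname, else a short reason."""
    if not name:
        return "empty name"
    if len(name) > 253:
        return "name longer than 253 octets"
    labels = name.split(".")
    # Certificates allow a single leading wildcard label ("*.example.com").
    if labels[0] == "*":
        labels = labels[1:]
        if not labels:
            return "bare wildcard"
    for label in labels:
        if not label:
            return "empty label"
        if "_" in label:
            return f"underscore in label {label!r}"
        if len(label) > 63:
            return f"label {label!r} longer than 63 octets"
        if not _LDH_LABEL.match(label):
            return f"label {label!r} is not letters/digits/hyphens without a leading or trailing hyphen"
    return None


def noncompliant_sans(cert: dict) -> Dict[str, str]:
    """Map every offending dNSName SAN in a getpeercert()-style dict to its reason."""
    findings: Dict[str, str] = {}
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue  # iPAddress and other SAN types follow different rules
        reason = check_dns_name(value)
        if reason is not None:
            findings[value] = reason
    return findings


def validity_period(cert: dict) -> timedelta:
    """Validity period from the notBefore/notAfter strings getpeercert() returns."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return timedelta(seconds=end - start)


def exceeds_underscore_cap(cert: dict) -> bool:
    """True when the certificate has an underscore SAN and is valid for more than 30 days."""
    has_underscore = any("underscore" in r for r in noncompliant_sans(cert).values())
    return has_underscore and validity_period(cert) > MAX_UNDERSCORE_VALIDITY


# Constructed sample, not a real certificate; the shape matches getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Dec 10 00:00:00 2018 GMT",
    "notAfter": "Mar 10 00:00:00 2019 GMT",  # 90 days
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.example.com"),
        ("DNS", "mail_server.example.com"),
        ("DNS", "-bad.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    for name, reason in noncompliant_sans(SAMPLE_CERT).items():
        print(f"{name}: {reason}")
    print("exceeds 30-day cap:", exceeds_underscore_cap(SAMPLE_CERT))
```

Run against a live endpoint, the same checks take `ssl.create_default_context().wrap_socket(...).getpeercert()` as input; a Subscriber inventory script that calls `noncompliant_sans` on every certificate in its estate is the cheapest way to find the names that the ballot's revocation deadlines apply to.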

Entrust Datacard voted against the underscore ballot with the following statement: "We do agree that the issue for use of underscores needs to be resolved as to whether they are allowed or not allowed. However, this ballot does not address whether underscores can be used. The ballot assumes that underscores are not required. The ballot does not address the threat, nor does it justify the urgency to remove underscores. The urgency of removing underscores by decreasing validity period and revocation does not give Subscribers sufficient time to change how they deploy their certificates."

Nevertheless, to ensure compliance, Entrust Datacard implemented the ballot promptly. Certificate subscribers were immediately advised of the changes required by Ballot SC 12. Issuance of certificates with underscores, for all validity periods, was stopped on December 7, 2018. All certificates with underscores were revoked on or before January 14, 2019.

We thank our customers for reacting to the change in a timely manner.

Update, January 21, 2019: Entrust Datacard discovered nine additional SSL/TLS certificates with underscore characters after the January 15, 2019 deadline. These certificates were revoked on January 18, 2019, and the SSL/TLS community was advised of the issue.

Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.