CA/B Forum Ballot SC12: Sunset of Underscores in dNSNames (approved November, 2018) outlined a process for phasing out the use of underscore characters (
_) in domain names covered by digital certificates. Ballot SC12’s rule changes follow RFC 1035, which specifies the characters which may be used in DNS domain names:
The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen.
However, despite the fact that RFC 1035 does not permit underscores in registered domain names, they have been widely used in subdomains (e.g.
sub_domain.example.com). In the past, publicly trusted certificate authorities (CAs), such as SSL.com, could issue certificates covering subdomains with underscores. Ballot SC12 included a three-stage process for the sunsetting of underscores in domain names:
Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:
- dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;
- Underscore characters MUST NOT be placed in the left most domain label, and;
- Such certificates MUST NOT be valid for longer than 30 days.
All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.
After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.
Due to these stipulations, SSL.com may not issue SSL/TLS certificates for domain names with underscore characters. For our customers with subdomains containing underscores but requiring an SSL/TLS certificate, we suggest the following solutions:
- (Recommended) If possible, change the name of the subdomain so that it no longer contains underscores (e.g. change
- If only the leftmost element of the domain name contains underscore characters, you can use a wildcard certificate. For example, a certificate for
*.example.comcan be used to protect
sub_domain.example.com, but not
As always, if you have any questions, please contact us by email at Support@SSL.com, by phone at 1-877-SSL-Secure, or by using the chat link at the bottom right of this page.