TL;DR
Yes, you can obtain valid, CA-signed certificates for internal use (e.g., for your company's intranet or development environments). However, publicly trusted certificates are usually the wrong tool: a public CA can only issue for names you control in public DNS, and every certificate it issues is published to Certificate Transparency logs. Instead, run a private Certificate Authority (CA) and distribute its root certificate to your devices, or use a provider that operates a private CA for your organisation.
Understanding SSL Certificates
SSL/TLS certificates bind a server's name to a public key, vouched for by the CA that signed them. During the TLS handshake the client checks that the certificate chains to a root it trusts and that the name in it matches the host it connected to; only then is the encrypted session established. The certificate itself does not encrypt anything; it is what lets the client know it is encrypting to the right party. There are different types:
- Publicly Trusted Certificates: Issued by well-known CAs (e.g., Let's Encrypt, DigiCert, Sectigo) whose root certificates ship in operating-system and browser trust stores, so clients trust them without any configuration.
- Private CA Certificates: Issued by your own internal CA, or by a provider operating a private CA on your behalf. Their root is not in any public trust store, so you must install it on every client device/browser that will connect to your services.
Why Publicly Trusted Certificates Aren’t Ideal for Internal Use
- Cost: Commercial certificates cost money, and the public trust validation you are paying for adds nothing for systems that only your own devices connect to. (Let's Encrypt is free, but it still only issues for public DNS names.)
- Validation Requirements: A public CA must prove you control the domain name through a DNS or HTTP challenge, and the CA/Browser Forum Baseline Requirements forbid publicly trusted certificates for internal names and private IP addresses. Hostnames such as intranet.corp or anything under .local cannot be issued at all; a name like internal.example.com can be, but only if you own example.com and can answer the challenge for that name, and the hostname then appears in public Certificate Transparency logs, where it reveals your internal topology.
- Revocation Issues: Revocation only works if clients actually check a CRL or OCSP responder, and browsers frequently soft-fail or skip those checks, so a compromised public certificate may keep working until it expires. With a private CA you can additionally push a replacement root through your own device management and withdraw the old one.
Options for Internal SSL Certificates
- Private Certificate Authority (CA):
- Setup: You create your own CA using tools like OpenSSL, EasyRSA, or commercial solutions. This is the most flexible option but requires significant technical expertise to manage securely: keep the root key offline (or in an HSM) and sign day-to-day certificates from an intermediate CA, so that a compromised issuing key can be revoked without redeploying a new root to every client.
- Issuance: Once set up, you can issue certificates signed by your internal CA for any server within your organisation.
- Trust Installation: Crucially, you must install the root certificate of your private CA on all client devices (computers, phones, servers) that will connect to services using these certificates. This is usually done via Group Policy (Windows), configuration profiles (macOS/iOS), or manual installation.
- Managed Private CA Services from Commercial CAs:
- Publicly trusted CAs are not permitted to issue browser-trusted certificates for internal names, so what commercial providers sell for internal use is a hosted private CA: they operate the root and issuing CA for you, and you still distribute that private root to your clients exactly as in the previous option. What you gain is not having to protect the CA key yourself.
- Check the provider's terms of service, and confirm before relying on it that the certificates chain to a private root whose deployment you control, not to a public root.
- Self-Signed Certificates:
- Creation: You can create a self-signed certificate using OpenSSL (the -addext flag needs OpenSSL 1.1.1 or later; the hostname is a placeholder):
  openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost"
  The subjectAltName is required: modern browsers ignore the CN and reject certificates that have no SAN entry for the hostname.
- Warning: Browsers will display a warning because the certificate isn't signed by a CA they trust, and users who click through it are learning to ignore the one signal that would catch a man-in-the-middle. This is acceptable for development/testing but not for production environments, where users expect secure connections without warnings.
Installing a Private CA Root Certificate (Example – Windows Group Policy)
- Export the Root Certificate: Export only the CA's root certificate (never its private key) as a DER or Base64 .cer file. If you issue from an intermediate CA, export that certificate as well.
- Create a GPO: Create a new Group Policy Object (GPO).
- Configure the GPO: In the GPO editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, right-click, choose Import, and select the root .cer file. An intermediate certificate belongs in Intermediate Certification Authorities, not in the root store.
- Link the GPO: Link the GPO to the OU(s) containing the computers that should trust certificates from your internal CA.
- Verify: On a domain-joined client, run gpupdate /force, open the local computer certificate store (certlm.msc) and confirm the root appears under Trusted Root Certification Authorities, then browse to an internal HTTPS service and check that no warning is shown.
Key Considerations
- Security: Protect your private CA key! Anyone holding it can issue a certificate for any internal hostname, and every client you have configured will trust it. Keep the root key offline or in a Hardware Security Module (HSM), sign from an intermediate, restrict who may request certificates, and keep an audit log of everything issued.
- Renewal: Certificates expire. Keep an inventory of issued certificates and monitor expiry so that renewal happens before they become invalid; automate issuance where you can, because manual renewal is what produces outages.
- Client Trust: Ensure all clients have the correct root certificate installed and updated, including non-Windows machines, mobile devices and applications with their own trust stores (such as Java keystores), and plan the rollover of the root itself well before it expires.
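The renewal item above as an added, runnable example (not from the original page): a small script that flags certificates expiring within a window using OpenSSL's -checkend, suitable for a cron job or a monitoring check. It assumes OpenSSL 1.1.1 or later and takes certificate paths as arguments; the window default of 30 days is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: an expiry check for the renewal process.
# Assumptions: OpenSSL 1.1.1+; certificate paths are passed by the caller; the
# default window of 30 days (RENEW_WINDOW_DAYS) is a placeholder policy.
set -u

# cert_needs_renewal CERT DAYS: returns 0 (true) if CERT's notAfter falls within
# the next DAYS days or has already passed. Uses openssl's -checkend, which
# avoids parsing date strings that differ between GNU and BSD userlands.
# An unreadable or malformed file also counts as needing attention.
cert_needs_renewal() {
  if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
    return 1   # still valid beyond the window
  fi
  return 0
}

# check_certs DAYS CERT...: prints one line per certificate and returns 1 if any
# needs renewal, so the exit status can drive an alert.
check_certs() {
  window="$1"; shift
  rc=0
  for cert in "$@"; do
    if [ ! -r "$cert" ]; then
      echo "MISSING $cert"; rc=1; continue
    fi
    subject=$(openssl x509 -noout -subject -in "$cert" 2>/dev/null || echo "subject=<unreadable>")
    expiry=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null | sed 's/^notAfter=//')
    if cert_needs_renewal "$cert" "$window"; then
      echo "RENEW   $cert  expires $expiry  ($subject)"; rc=1
    else
      echo "ok      $cert  expires $expiry  ($subject)"
    fi
  done
  return "$rc"
}

if [ $# -gt 0 ] && [ "$1" = "check" ]; then
  shift
  check_certs "${RENEW_WINDOW_DAYS:-30}" "$@"
fi
```

Run as `sh cert-expiry.sh check /etc/ssl/internal/*.pem`; a non-zero exit means at least one certificate needs renewal. Pick a window longer than your issuance turnaround so the alert fires while there is still time to act.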