SSL certificate for internal and external use

Suppose I have a web application accessed externally through http://webapp.mydomain.com and internally through http://webapp.intranetservername/

Do I need two SSL certificates? Or can I use the same SSL certificate?

+7
security ssl web
3 answers

You will need two SSL certificates, and the one for the intranet server must be self-signed, because certificate authorities are prohibited from signing certificates for internal domain names (since there is no way to verify ownership of such a domain).

You can usually create a single SSL certificate that is valid for multiple domains (using the subject alternative name extension). However, again, the CA cannot sign it if it cannot verify all the domains that it claims are valid.

+5

Basically, you can have one certificate with two subject alternative names, for webapp.mydomain.com and webapp.intranetservername. In practice, this is unrealistic, since no CA will issue anything for .intranetservername unless it is also a proper public domain name.

Generally speaking, if .intranetservername is not a registered domain, no CA will issue a certificate for it, so you would still have to use your own CA.

  • If you can expect both types of clients (internally and externally) to trust your own CA, you can of course issue a certificate with two SANs with this CA.

  • If you expect different types of users (some trusting only the default certificate authority bundles, others trusting your CA), you will have to use two certificates, each issued by the respective CA. You may also need to bind them to separate IP addresses (but having an additional internal IP address on the local network is not necessarily a problem).

More fundamentally, is there a good reason why you address the same web application, running on the same machine, by two different names depending on whether you use it internally or externally? Why don't people on the intranet talk to webapp.mydomain.com?

I suppose this may be an attempt to somehow increase security, but if it is the same machine, it will be on both networks in any case, so I'm not sure whether splitting the name improves security at all.

If you really need separate names, you can use them both in your external domain (for example, webapp.mydomain.com and intranet.mydomain.com), and have a certificate issued by a well-known CA for both (I'm still not sure about the advantage of separating names on the same machine, though). Indeed, certificate verification is based only on the name, and you can easily configure your DNS servers so that intranet.mydomain.com points to a private IP address (for example, 10.1.1.1). People from the outside will not be able to access this address, simply because it will not be routed, but it will work fine inside your intranet (provided machines on the intranet can perform DNS queries; some environments block this).

+5
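The first option above (your own CA issuing one certificate that carries both names as Subject Alternative Names) can be exercised end to end with nothing but the openssl command line. The script below is an added example and is not code from the original thread; it uses the hypothetical names from the question, creates a throwaway CA in a temporary directory, and then checks with `openssl verify -verify_hostname` that the same certificate validates for both the external and the internal name but not for an unrelated host.

```shell
#!/bin/sh
# Added example (not from the original thread): one certificate, two SANs,
# signed by a private CA that internal clients would have to trust.
set -e

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs
EXT_NAME="webapp.mydomain.com"        # hypothetical public name from the question
INT_NAME="webapp.intranetservername"  # hypothetical internal name from the question

make_ca() {
  # Self-signed root for the private CA. This is the certificate that would be
  # distributed to intranet clients' trust stores.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_san_cert() {
  # Server key and CSR; the CN is the public name, but modern clients only
  # look at the SAN list, so both names go there.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$EXT_NAME" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$EXT_NAME" "$INT_NAME" > "$WORK/san.ext"
  # Sign the CSR with the private CA, attaching the SAN extension.
  openssl x509 -req -sha256 -days 365 \
    -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Returns 0 if server.crt chains to ca.crt AND is valid for the given hostname,
# i.e. what a client that trusts the private CA would decide.
verify_for_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 if the given DNS name appears in the certificate's SAN extension.
san_contains() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$1"
}

# Stand-alone run: build everything and report which names the cert is good for.
if [ "${0##*/}" != "sh" ] && [ -z "$SAN_EXAMPLE_NO_MAIN" ]; then
  make_ca
  issue_san_cert
  for name in "$EXT_NAME" "$INT_NAME" "other.example.org"; do
    if verify_for_host "$name"; then
      echo "$name: OK"
    else
      echo "$name: NOT VALID"
    fi
  done
fi
```

The verification step is the part worth keeping: a client that does not have ca.crt in its trust store fails the chain check regardless of the SAN list, which is exactly the situation the second bullet above describes for external users who only trust the default CA bundles.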

You will need two, since SSL certification works on a domain name, and you have two domain names.

You can use the same on both, but in most browsers there would be an error message warning users that the certificate is not authentic.

You can get around the cost of having to register with Verisign by self-signing the intranet site's certificate and distributing that self-signed certificate to all employee browsers.

Depending on the size of the enterprise and the number of users who will be accessing "webapp.intranetservername", it may or may not be cheaper and easier than simply registering both domains with Verisign.

+2