• Do you need your own private Certificate Authority?

        Mar 29 2018, 10:28 PM

        by Elliot Samuels 3

        Do you have any intranet sites with a domain name like https://intranet.local? Or a mail server with an address like https://mail? These kind of internal-only domain names are very common but they pose a real problem.

        SSL certificates on an intranet

        Symantec and other Certification Authorities (CAs) and browser vendors, that make up the CA/Browser Forum have decided to stop issuing SSL certificates chained to a public root which cannot be resolved in the context of the public internet.

        This means that domain names need to be globally unique and not just unique on your network. So if you have a .local domain that you use internally, you will soon no longer be able to purchase a validated SSL certificate for this name.

        With the emergence of new gTLDs, such as .london, and the likelihood that many of the very common names used to identify server domains internally will be purchased and used by commercial organisations (names such as .red and .home have already been applied for and more will surely follow and unless you specifically own these gTLDs you will no longer be able to purchase a validated SSL certificate for them).

        Although this will improve security it creates challenges for organisations with servers that use these internal-only domain names or reserved IP addresses.

        Getting ready for the change

        Alternatives include switching to fully-qualified domain names, using self-signed certificates or setting up a private certification authority (CA) to authenticate internal domain names.

        For many companies, this last option – a private CA – is a smart way to get ready for the changeover as it requires the least change to existing systems and the lowest level of risk.

        The Symantec option

        Symantec recently announced its Private Certification Authority solution. It lets you avoid the risks and hidden costs of self-signed certificates and the switching costs of deploying fully-qualified internet domain names across your entire intranet.

        Private CA.png

        Using Symantec’s bulletproof infrastructure, it covers requirements ranging from single-domain intranet SSL certificates, wildcard certificates up to self-signed CAs. It provides a hosted private SSL certificate hierarchy with end-entity certificates specifically built to secure your internal communications.

        Using the Managed PKI for SSL console assists in simplifying SSL management by letting you manage public and private certificates in one control center.  This helps you avoid the risk of unexpected expiries and issue new certificates as required. So if you have internal servers that use deprecated domain names then you need to consider a solution sooner rather than later.

        • Products
        • website security solutions
        • Private CA
        • Certification Authority
        • Symantec SSL
        • DigiCert SSL TLS Certificates
        • SSL Certificates
        • Products and Solutions
      • Important changes to SSL certificates on intranets: what you need to know

        Mar 29 2018, 10:48 PM

        by Elliot Samuels 6

        If you use SSL certificates on intranet sites with internal server names, they may not work from 1 November 2015.

        For companies with complex infrastructures, the change may be challenging but now is the time to start getting ready. If you use SSL certificates on intranet sites with internal server names, they may not work from 1 November 2015.

        For companies with complex infrastructures, the change may be challenging but now is the time to start getting ready.

        Local vs. global address

        Imagine you have a server on your network. It may have an IP address that is resolvable on the internet, but it’s more likely to have an address that is only valid on the local network, such as It is also likely to have a domain name that is only resolvable on the local network, such as https://intranet.local or https://mail.

        Digital Lock1 1200x628.jpg

        Certification challenges

        Without unique domain names that can be resolved in the context of the public internet, it is impossible for a Certification Authority to issue a trustworthy certificate.

        After all, it would work for any server with that name and that creates a security risk. For this reason, the leading Certification Authorities, including Symantec, that make up the Certification Authority/Browser Forum (CA/B Forum) have decided to cease issuing certificates without a Fully Qualified Domain Name (FQDN).

        Reducing your own risk

        Eliminating this risk not only increases the trust in certificates but also reduces the risk of hackers obtaining certificates that validate a copycat internal address.

        Currently cyber criminals are using compromised certificates to impersonate internal servers by either hacking into the corporate network, or by intercepting an intranet access request on a work device using public Wi-Fi. This in turn puts confidential company data at a high risk of exposure.


        The CA/Browser Forum recommends the following possible alternatives:

        • Use a fully-qualified domain name certificate and DNS domain suffix search
        • Use an enterprise/private CA to issue and trust certificates for non‐unique names
        • Manually provision trust in self‐signed certificates
        • Use Internet Protocol Security (IPsec)

        But whichever route you choose, it’s important to make a plan as soon as possible so that you can continue to offer internal users secure, encrypted and authenticated websites and other services without interruption. If you are interested in a Symantec Private Certification Authority (CA) solution, please let us know or watch our webcast.

        To learn more about this and other changes to the Certification Authority/Browser Forum Baseline Requirements please view this webcast.

        • Products
        • website security solutions
        • SSL
        • Identity and Authentication Services
        • DigiCert SSL TLS Certificates
        • Products and Solutions
        • website security
        • intranet