SSL/TLS Certificates for internal server names, reserved IP addresses & domain names
IntranetSSL provides a cost effective solution to secure internal servers, applications, and IP addresses that do not require public trust yet want to benefit from SSL/TLS encryption. With IntranetSSL, enterprises receive the same high level of security and certificate features of publicly trusted SSL Certificates, but the certificates are issued using GlobalSign non-public CAs which allows for configurations not allowed in public certificates and lower prices. IntranetSSL is available directly via GlobalSign's Certificate Management portal.
Note: You can use our standard line of publicly trusted certificates on internal servers. IntranetSSL is for applications that either don’t need or can’t use public trust because they need certificates that don’t comply with industry requirements (more on this below).
Since 2015, the CA/Browser Forum prohibits the use of internal server names and reserved IP addresses in publicly trusted SSL Certificates. This means if you normally receive SSL Certificates from a public CA (such as GlobalSign), you aren't able to use their certificates for internal server names. IntranetSSL from GlobalSign allows enterprises to continue to issue SSL to internal server names and reserved IP addresses without the need to run your own CA or use self-signed certificates, because the certificates are issued using GlobalSign's non-public CAs.
Who needs IntranetSSL?
-
If you need certificates to include internal server names or reserved IP addresses (since these are prohibited from publicly trusted certificates per the CA/Browser Forum), but you don’t want to run your own in-house CA or use self-signed certificates
-
If you have servers within your internal networks that do not require public trust, IntranetSSL is a more cost-effective option to secure these
-
If you need to issue certificates with options that would otherwise not be permitted under public hierarchies, including the use of internal server names, SHA-1 and 3-5 year validity periods
-
If you do not want your internal server name(s) to be posted to public Certificate Transparency (CT) logs
-
If you want to manage all your certificates, both public and private, in one place, IntranetSSL allows you to utilize GlobalSign's WebTrust-certified infrastructure and management tools to discover, track, report, and manage all certificates across a dynamic server inventory
IntranetSSL Certificate Key Features
Secure RSA 2048 bit and ECC 256 bit hierarchies
Flexible signing algorithm choices of SHA-1 SHA-256, or ECDSA
Include up to 500 SANs, including internal server names, domain names, subdomains, wildcards and IP addresses
SAN licensing option allows up to a specified number of unique SANs across the certificate inventory, enabling you to provide trial or short term certificate without impacting the bottom line
Instant issuance from GlobalSign's certificate management platform
Support for longer validity periods than what is permitted under public roots (up to 5 years)
Reissue as many times as needed during the validity period
Optional AutoCSR - we'll create the keys and CSR for you
Unlimited server licensing - install across as many servers as you wish
How can IntranetSSL be used?
IntranetSSL supports the issuance of SSL Certificates with internal server names and reserved IP addresses in the CN and SAN values; furthermore, mix and match internal, FQDNs, sub-domains, wildcard, and Global IP addresses in one certificate using a single certificate under a non-public GlobalSign root.
-
Local Host Names (mysite.localhost)
-
Reserved IP Address (192.168.0.0)
-
Fully Qualified Domain Name (www.mysite.com)
-
Sub-Domains (mail.mysite.com)
-
Wildcard (*.mysite.com)
-
Global IP Address (128.255.0.1)
The IntranetSSL Roots
GlobalSign’s public roots are already embedded in every operating system, browser, device, etc. However, IntranetSSL Certificates are issued from separate, non-public roots – this is how they are able to contain otherwise prohibited features such as supporting internal server names, SHA-1 for legacy systems, validity periods of up to 5 years, and no requirement for publishing the certificates to public Certificate Transparency logs.
In order for IntranetSSL certificates to be trusted by browsers or server-to-server communications, the root(s) will need to be pushed out via GPO or related enterprise tools so clients will not receive warning messages. Once this has been done, clients will not notice any difference between sites using IntranetSSL or publicly trusted SSL certificates.
It is important to note that you can use publicly trusted certificates for internal resources, as long as you don’t need to support one of the scenarios described above (e.g., internal server names, longer validity periods, SHA-1 algorithm, etc.). Contact us if you need help deciding which type of certificate is best for your environment.
Comprehensive Certificate Management
IntranetSSL Certificates are issued directly from GlobalSign's Managed PKI platform, providing enterprises the same robust certificate management lifecycle features as publicly trusted SSL Certificates but issued using GlobalSign's non-public CAs. Manage your publicly trusted and privately trusted SSL Certificates all within one single platform.
Benefits of GlobalSign's Managed PKI platform:
-
Cloud-based certificate management platform reduces the effort, cost, and time associated
with managing multiple SSL Certificates. -
Support for multiple entities under one account and delegated user administrator offer complete, centralized control of certificate needs across your entire organization.
-
Flexible business terms, including pay as you go, account fund deposits, and certificate or SAN licensing models, eliminate the need to purchase and track tokens or "packs"
-
High capacity and highly available OCSP services
-
Local scanning and discovery tools to discover and track your internal servers that need IntranetSSL certificates
-
Fully automated issuance via our APIs
GlobalSign gives you all the tools, services, and SSL products to reduce risk, respond to threats and control SSL cost. Take control of your SSL management with GlobalSign today!
Next Steps Contact us today to start securing your internal server names!