SecureNT Intranet SSL

SSL/TLS Certificates for Internal Networks.

2025-11-15 15:21:00

Private SSL 102 - The Ultimate Guide to Getting an SSL Certificate for an IP Address

How to secure internal servers, applications, and devices that run on IP-based access.

1. The Challenge: Why Public CAs Cannot Issue SSL Certificates for Private IP Addresses

Many internal systems are reachable only through private IP addresses, such as:

  • 192.168.x.x
  • 10.x.x.x
  • 172.16.x.x
  • 127.0.0.1 (localhost)
  • Internal virtual machines
  • Container endpoints
  • Network appliances

These systems are critical - yet they often run unencrypted because public Certificate Authorities are forbidden from issuing SSL certificates for private IPs.

This is not a technical limitation.
It is a global CA/Browser Forum rule designed to prevent misuse.

Public CAs like DigiCert, Let's Encrypt, Sectigo, and GlobalSign:

  • must verify domain ownership,
  • and cannot validate ownership of private IP ranges.

As a result:

No public CA can issue a valid SSL certificate for a private IP address.

This leaves IT teams with a pressing question:

"How do we secure internal servers that don't have domain names?"

There is only one correct answer:
use a private CA.

2. Why Securing IP Addresses Requires Proper SAN Configuration

Browsers and applications will only trust a certificate for an IP address if that IP is included in the Subject Alternative Name (SAN) field.

Example SAN definition:

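[alt_names]
# iPAddress entry: the SAN type matched when a client connects by IP
IP.1 = 192.168.1.100
# Same address as a dNSName entry; standards-conforming clients do not match an IP against it
DNS.1 = 192.168.1.100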

If the SAN is missing:

  • Browsers show warnings
  • Tools reject the certificate
  • APIs refuse the connection
  • TLS fails the identity check

This is why proper SAN configuration is non-negotiable when securing IP-based endpoints.

3. The Only Working Solution: Use a Private CA (e.g., SecureNT)

A Private Certificate Authority is the only reliable method to issue SSL certificates for:

  • internal IP addresses
  • localhost
  • internal hostnames
  • server names
  • non-public DNS zones

A service like SecureNT Intranet SSL gives companies all the benefits of a private CA - without building or maintaining internal PKI infrastructure.

Private CA advantages for internal IPs:

  • Issue certificates for any private IP
  • No browser trust errors once the root is installed
  • Full control over naming conventions
  • Works for internal servers, load balancers, and microservices
  • Zero exposure to the public internet

Unlike internal PKI, SecureNT eliminates:

  • CA server setup
  • root key protection
  • CRL/OCSP hosting
  • ongoing PKI maintenance
  • compliance overhead

You simply order a certificate, install the SecureNT root internally, and deploy.

4. Step-by-Step Guide: How to Generate a CSR for an IP Address

Below is the clearest, most reliable procedure.
You can use either manual config or SecureNT Auto-CSR.

Step 1 - Create a config file (ip-ssl.cnf)

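# Non-interactive request: subject comes from [dn], extensions from [req_ext]
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

# Subject fields; replace the organisation and location values with your own
[dn]
CN = 192.168.1.100
O = YourCompany
OU = IT
L = City
ST = State
C = US

# Extensions requested in the CSR
[req_ext]
subjectAltName = @alt_names

# SAN entries for the server's address
[alt_names]
IP.1 = 192.168.1.100
DNS.1 = 192.168.1.100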

Step 2 - Generate CSR + Private Key

openssl req -new -nodes -out ip.csr -newkey rsa:2048 -keyout ip.key -config ip-ssl.cnf

Your CSR is now ready to submit to SecureNT (or any private CA).
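
The script below is an added example, not part of the original guide or SecureNT's tooling. It runs the Step 2 command against a trimmed copy of ip-ssl.cnf, signs the CSR with a throwaway demo CA standing in for the private CA, and uses `openssl verify -verify_ip` to show that only the `IP.1` entry from section 2 satisfies the IP identity check. The `dns_only` and `ca_ext` sections, the function names and the demo root are assumptions introduced for the illustration.

```shell
#!/usr/bin/env bash
# Added example: throwaway demo CA and constructed values, not SecureNT tooling.
# Shows that only an iPAddress SAN (IP.n) satisfies a client's IP identity check.
set -e

build_demo() (  # $1 = work directory, $2 = IP address to certify
  cd "$1"
  cat > ip-ssl.cnf <<EOF
[req]
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN = $2
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = $2
DNS.1 = $2
[dns_only]
subjectAltName = DNS:$2
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  # Step 2 command from the guide, unchanged.
  openssl req -new -nodes -out ip.csr -newkey rsa:2048 -keyout ip.key -config ip-ssl.cnf 2>/dev/null
  # Stand-in for the private CA (assumption: a self-signed demo root valid for one day).
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Root (constructed)" -days 1 -config ip-ssl.cnf -extensions ca_ext 2>/dev/null
  # x509 -req does not copy CSR extensions by default, so the SAN is passed via -extfile.
  for ext in req_ext dns_only; do
    openssl x509 -req -in ip.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1 \
      -extfile ip-ssl.cnf -extensions "$ext" -out "$ext.crt" 2>/dev/null
  done
)

# True if the CSR ($1) requests an iPAddress SAN for the address in $2.
csr_requests_ip() { openssl req -in "$1" -noout -text | grep -Fqw "IP Address:$2"; }
# True if cert $2 chains to root $1 and one of its iPAddress SANs equals $3.
cert_valid_for_ip() { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

work=$(mktemp -d)
build_demo "$work" 192.168.1.100
csr_requests_ip "$work/ip.csr" 192.168.1.100 && echo "CSR requests the IP SAN"
cert_valid_for_ip "$work/ca.crt" "$work/req_ext.crt" 192.168.1.100 && echo "IP.1 + DNS.1 cert: IP check passes"
cert_valid_for_ip "$work/ca.crt" "$work/dns_only.crt" 192.168.1.100 || echo "DNS-only cert: IP check fails"
```

Running `csr_requests_ip` on your own ip.csr before submitting it confirms the request actually carries the IP SAN.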

5. Issuing the Certificate Through SecureNT Intranet SSL

Ordering a Private SSL certificate for an IP address is simple:

Step-by-step:

  • Visit intranetssl.net
  • Enter your IP address
  • Upload your CSR or use Auto-CSR (SecureNT generates the keypair & CSR securely)
  • Complete the order

Your certificate bundle includes:

  • server.cer - your signed SSL certificate
  • SecureNT Intranet Root CA.cer
  • SecureNT Intranet Intermediate CA.cer
  • .p7b or .pfx (for Auto-CSR users)

No PKI setup. No internal CA server.
Just immediate readiness for deployment.

6. Example Installations (Apache, Nginx, IIS)

Apache

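SSLEngine on
SSLCertificateFile /etc/ssl/certs/ip.crt
SSLCertificateKeyFile /etc/ssl/private/ip.key
# Chain sent to clients: this file should hold the intermediate CA certificate.
# The directive is obsolete since Apache 2.4.8, where the chain can be appended to SSLCertificateFile.
SSLCertificateChainFile /etc/ssl/certs/rootCA.crt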

Nginx

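server {
    listen 443 ssl;
    server_name 192.168.1.100;
    # nginx sends the chain from this file: server certificate first, then the intermediate CA certificate
    ssl_certificate /etc/nginx/ssl/ip.crt;
    ssl_certificate_key /etc/nginx/ssl/ip.key;
    # Used only to verify client certificates and OCSP responses; never sent to clients
    ssl_trusted_certificate /etc/nginx/ssl/rootCA.crt;
}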

Windows / IIS

  • Import .pfx
  • Bind to the IP address in IIS → Site Bindings

7. Installing SecureNT CA Certificates on Client Devices

To avoid trust warnings on browsers and internal applications, install the SecureNT Root + Intermediate CAs on:

  • Windows
  • macOS
  • Linux
  • iOS / Android
  • Firefox (which uses its own trust store)

Windows

  • Right-click → Install Certificate
  • Choose Local Machine
  • Place into:
    • Trusted Root Certification Authorities
    • Intermediate Certification Authorities

macOS

  • Double-click → Keychain Access
  • Add to System keychain
  • Set to Always Trust

Android

  • Security → Encryption & Credentials → Install → CA Certificate

Firefox

  • Settings → Privacy & Security → Certificates → Authorities → Import

For enterprise environments:
Use Group Policy or MDM to distribute CA certificates at scale.

8. How to Verify the Installation

OpenSSL Test

openssl s_client -connect 192.168.1.100:443

Browser Test

Certificate Chain Check

Ensure the full chain (Root → Intermediate → Server) is correctly installed.

🔒 Conclusion: Securing IP-Based Endpoints Is No Longer Optional

Internal IP addresses are the backbone of every private network - powering servers, microservices, intranet platforms, and legacy applications. Yet they remain one of the most overlooked areas in internal security.

A public CA cannot help you here. Self-signed certificates create more problems than they solve. Running your own private CA is expensive, complex, and high-risk.

The modern solution is simple:

Use a professionally operated private CA like SecureNT to issue SSL certificates for internal IPs.

It gives you:

  • immediate issuance
  • trusted internal certificates
  • predictable pricing
  • no PKI infrastructure to maintain
  • fully encrypted, fully authenticated internal traffic

This is the easiest way to eliminate internal TLS gaps - and secure the systems your business relies on every day.

Copyright © 2025 Secure Network Traffic. All rights reserved. SecureNT is a registered trademark of Secure Network Traffic.