Business owners routinely ask this question. They own 50 to 5,000 computers in their offices, laboratories, campus, and factories/warehouses on a Local Area or Wide Area Network.
They employ Web applications like Office 365, Email, Service Management, SalesForce automation, Payroll, or Human Resource (HR) applications, to name a few, on their internal network. Also, many users often work from home (WFH) using VPN to connect to the Office Network.
Many organizations use Microsoft Active Directory Services. They wish to encrypt the user data traveling between the Server and the Client during the user authentication (LDAPS). Some use high-end applications like ERP, CRM, Analytics, etc where data is stored in a database like Microsoft SQL, Oracle, SAP Sybase SQL, MySQL, PostgreSQL, etc. They also wish to encrypt the SQL data traveling between the Server and the Client using SSL Certificates.
They own a mix of Windows and Linux Servers hosting web applications. These servers may be on-premise or in a data center.
When a web application is hosted by the vendors like Office 365, SalesForce, SAP, etc. good security is already ensured by the vendor. We are not considering these cases here.
Here we are considering users accessing web applications hosted on on-premise or data-center servers, over the LAN/WAN or VPN, connected by Fiber, MPLS, or leased lines. Here, when a user connects to the web application, the server either does not have an SSL Certificate or has a Self-Signed Certificate. In either case, anyone can snoop on the internal network traffic and get access to usernames, passwords, confidential files, or salary records. This ‘anyone’ could be a disgruntled employee or an IT Service engineer or even a hacker who has somehow sneaked into the internal network.
Also, when users Work From Home they use VPN to connect to the Office Network. Here, it is very important to encrypt the data on the VPN network. If not done hackers can steal the login credentials and important data from non-tech savvy users.
Another use case is IoT (or “embedded devices”) that run web services on a local network with no direct internet access, and the device manufacturer would like to offer secure access to the web services using an SSL Certificate.
So, you need an Intranet SSL certificate when you use web applications, or have employees access the office network using a VPN; or an IoT device requires local web services.
You need an Intranet SSL Certificate when you use
- Microsoft LDAP Server or any SQL database
- Web Applications on Intranet
- VPN over Unencrypted Network
- Web services over an HTTP connection
- Self-Signed SSL Certificates
But I use a Self-Signed Certificate already which does the same things!
You might say that a self-signed certificate is enough to protect you with encryption, but is it? Think again.
The PFX file containing the Self-signed certificate is stored somewhere on the internal network. Most of the time, such PFX files do not have a password or have extremely weak passwords like [email protected] If an unauthorized user gets access to it, he can use the Private Key stored inside the PFX file to decrypt the network traffic.
In most organizations, PFX files are not stored in a secure place, away from the internal network. They are casually created by the administrators and are routinely shared with users. This article explains these problems in detail.
Because of the above reasons, it is prudent to use Intranet SSL/TLS Certificates on the internal servers.
Can’t I set up my Private Certifying Authority?
Yes. But it’s very costly, requiring massive infrastructure and highly skilled personnel. Even large size corporates find it prohibitively expensive. So, this option is almost non-existent for most organizations.
Large corporates using Windows Servers use Microsoft Active Directory Certificate Service (ADCS) to set up their own Certifying Authority and issue SSL Certificates. But, this route is for top corporates only. Please read this and this article to understand the difficulties.
I already have SSL certificates for my websites. Can’t I use them for Internal Networks too?
No. CA/Browser Forum does not allow Public CA’s like DigiCert, GlobalSign, EnTrust, Sectigo, Let’s Encrypt, etc. to issue SSL Certificates to IP Addresses (Internal or Public), Server Names, Local Hosts, or internal Web URLs.
Some of these CAs issue Intranet SSL Certificates using non-Public Root Certificates but at a high price. We take a similar approach but offer them at an affordable price.