Knowledge Base
Can We Order SSL Certificates for Internal IP Addresses and Internal Server Names?
Similar Questions:
Is it possible to obtain SSL certificates for internal IP addresses?
Can public SSL certificates be issued for internal hostnames like server.local?
How can organizations secure internal systems without public SSL certificates?
Overview
Securing internal systems with SSL certificates can be challenging due to industry restrictions on internal IP addresses and hostnames. Public Certificate Authorities (CAs) are prohibited from issuing SSL certificates for private IP ranges (such as 192.168.x.x or 10.x.x.x) and internal names like server.local because these identifiers are not globally unique and could lead to security conflicts.
This article explains why these limitations exist, outlines the CA/Browser Forum Baseline Requirements, and provides practical alternatives for organizations.
Options include:
- assigning public domain names with split-horizon DNS
- deploying an internal Certificate Authority
- leveraging solutions like Sectigo Private PKI
Industry Restrictions
According to the CA/Browser Forum Baseline Requirements:
Public SSL certificates cannot be issued for:
Private IP addresses (e.g., 192.168.x.x, 10.x.x.x)
Internal hostnames (e.g., server.local, intranet.company)
These restrictions exist to prevent misuse and ensure global uniqueness.
Why Are Internal Names/IPs Not Allowed?
Internal names and private IPs are not globally unique.
Issuing public certificates for them could cause security risks and conflicts.
Since November 2015, all public CAs (including Sectigo) have been prohibited from issuing certificates for internal names/IPs.
What Are the Alternatives?
Option 1: Use a Public Domain
Assign a public domain name to your internal server.
Use DNS or split-horizon DNS to resolve internally.
Option 2: Use a Private CA
Set up an internal Certificate Authority (CA) for private IPs and hostnames.
Tools like Microsoft Active Directory Certificate Services or Sectigo Private PKI can help.
Option 3: Sectigo Private PKI Solution
Sectigo offers Private PKI for organizations needing certificates for internal systems.
Benefits:
Full control over issuance
Compliance with internal security policies
Works for internal IPs and hostnames
Summary
Public SSL certificates cannot be issued for internal IPs or internal names.
Use public domains or Private PKI for internal environments.
Related Articles:
Tags:
Need help?
Need help making a purchase? Contact us today to get your certificate issued right away.
Live chat
Click the button below or click "Chat with an Expert" to start chatting with us now!
