Hassan Voyeau

Reputation: 3624

SSL certificate for internal and external usage

Let's suppose I have a web application that is accessed externally via http://webapp.mydomain.com and internally via http://webapp.intranetservername/

Do I need two SSL certificates? Or can the same SSL certificate be used?

Upvotes: 11

Views: 21533

Answers (3)

user149341

You will need two SSL certificates, and the one for the intranet server will have to be self-signed, because certificate authorities are prohibited from signing certificates for internal domains (as there is no way to verify ownership of such a domain).

It is ordinarily possible to create a single SSL certificate that is valid for multiple domains (by using the Subject Alternative Name extension). However, again, a CA cannot sign one unless they can validate all of the domains it claims to be valid for.

Upvotes: 8

Bruno

Reputation: 122719

In principle, you can have a single certificate with two Subject Alternative Names for webapp.mydomain.com and webapp.intranetservername. In practice, that's not realistic, since no CA will issue something to .intranetservername, unless it's also a proper public domain name.

Generally speaking, if .intranetservername isn't a registered domain, no CA will issue a certificate for it, so you will have to use your own CA anyway.

  • If you can expect both types of clients (internally and externally) to trust your own CA, you could of course issue a certificate with two SANs with this CA.

  • If you expect different types of users (trusting only the default bundles of CAs or trusting your CA too), you'll have to use two certificates, one issued by each. You may also need to bind them to separate IP addresses (but availability of an extra internal IP address on a LAN isn't necessarily a problem).

More fundamentally, is there any good reason why you're calling the same web application, running on the same machine, by two distinct names, whether you access it internally or externally? Why can't people within the intranet talk to webapp.mydomain.com?

I presume this may be an attempt to increase security somehow, but if it's the same machine, it will be on both networks anyway, so I'm not sure what security improvement this name separation brings.

If you really want separate names, you could have them both on your external domain (e.g. webapp.mydomain.com and intranet.mydomain.com), and have a certificate issued by a well-known CA for both (I'm still not sure about the advantage of separating the names on the same machine, though). Indeed, certificate validation is only based on the name, and you can easily have your DNS servers point intranet.mydomain.com to a private IP address (e.g. 10.1.1.1). People from the outside won't be able to access that address, simply because it won't be routed, but it will work fine within your intranet (provided machines on the intranet are able to make DNS requests, some environments block this).

Upvotes: 6
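The first bullet above (your own CA issuing one certificate with two SANs) as a worked example. This is added here and is not part of Bruno's answer; it assumes an openssl command-line tool (1.0.2 or newer, for `-verify_hostname`), and the file names, directory and CA name are made up for the example. The `check_name` function applies the same SAN-based hostname matching a browser does, which is exactly the check that decides whether a user sees a certificate warning.

```shell
#!/bin/sh
# Added example (not from the original answer): a private CA issues one
# certificate carrying both names as Subject Alternative Names, then we
# check which hostnames that certificate is actually valid for.
# Assumes an openssl CLI (1.0.2 or newer for -verify_hostname); all file
# names and the CA name are made up for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config: the DN is supplied with -subj, the [v3_ca] section
# marks the root as a CA (openssl verify rejects a v3 root without it).
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions: both names in the SAN list. Once a SAN extension is
# present the CN is not consulted, so the intranet name must be listed here.
cat > "$WORK/leaf.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:webapp.mydomain.com, DNS:webapp.intranetservername
EOF

make_ca() {
    # Self-signed root; this is what internal clients would be told to trust.
    # stderr is silenced only to hide key-generation progress output.
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_leaf() {
    # CSR for the web server, then sign it with the private CA and attach
    # the SAN extensions from leaf.cnf.
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=webapp.mydomain.com" \
        -keyout "$WORK/webapp.key" -out "$WORK/webapp.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$WORK/webapp.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.cnf" -out "$WORK/webapp.crt" 2>/dev/null
}

# Prints "ok" if webapp.crt chains to our CA *and* covers the hostname,
# "fail" otherwise. -verify_hostname performs the SAN matching a browser
# does, so this is the check that decides whether users see a warning.
check_name() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
            "$WORK/webapp.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca
issue_leaf
echo "webapp.mydomain.com:        $(check_name webapp.mydomain.com)"        # ok
echo "webapp.intranetservername:  $(check_name webapp.intranetservername)"  # ok
echo "intranet.mydomain.com:      $(check_name intranet.mydomain.com)"      # fail, not in SAN
```

The third check is the point of the SAN list: a name that is not listed fails even though the certificate is otherwise trusted. For the variant in the last paragraph of the answer (both names under the public domain, e.g. intranet.mydomain.com pointing at a private address), the same leaf.cnf with that name in `subjectAltName` is what you would submit to a public CA; only the issuer changes, not the matching rule.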

Ten98

Reputation: 842

You will need two, since the SSL certification works on domain name, and you have two domain names there.

You could use the same on both, but there would be an error message displayed in most browsers warning users that the cert was not authentic.

You can get around the cost implication of having to register both with Verisign by self-certifying the intranet site, and distributing the self-cert to all of your employee browsers.

Depending on the size of the enterprise and number of users which will access "webapp.intranetservername" this may or may not be cheaper and easier than simply registering both domains with Verisign.

Upvotes: 2
