Use an Internal CA to Secure Your Intranet
Why Use an Internal CA for SSL?
Many financial institutions self-host or run their intranet behind firewalls or VPNs. For these environments, a public SSL certificate can be overkill or inappropriate - especially if internal DNS isn't resolvable externally. That's where an internal certificate authority (CA) comes in.
Internal CAs allow you to issue valid HTTPS certificates for internal domains like intranet.bankname.local or internal.simplifyit - without exposing private servers to the public internet.
How It Works
Setting up SSL via an internal CA is straightforward:
- Create or use an existing Windows Server CA or Linux-based CA
- Issue a certificate for the internal hostname (e.g., intranet.bankname.local)
- Install the certificate on the web server hosting the intranet
- Distribute the internal root CA to all employee devices (via Group Policy or manual install)
Once the internal root CA is trusted on a device, users will see a valid HTTPS connection - even with no public certificate involved.
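The steps above for a Linux-based CA, as an added example using the openssl command line (not part of the original page and not SimplifyIT's own tooling). It creates a root CA, issues a certificate for intranet.bankname.local, and then runs the check a client performs once it trusts the root. File names, key sizes, lifetimes and the "Example Bank" names are assumptions.

```shell
#!/bin/sh
# Added example: a throwaway Linux-based internal CA built with the openssl CLI.
# File names, key sizes, lifetimes and the "Example Bank" names are assumptions.
set -eu

build_pki() {  # $1 = work dir, $2 = internal hostname
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Bank
CN = Example Bank Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    # Step 1: self-signed root. -nodes keeps the demo non-interactive; a real
    # CA key should be passphrase- or HSM-protected and kept offline.
    openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -newkey rsa:3072 \
        -nodes -sha256 -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt"
    # Step 2: server key + CSR, then sign it. Clients match the hostname
    # against subjectAltName, so the SAN must carry the internal name.
    openssl req -new -config "$1/pki.cnf" -subj "/CN=$2" -newkey rsa:2048 \
        -nodes -keyout "$1/server.key" -out "$1/server.csr"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 397 -extfile "$1/pki.cnf" \
        -extensions v3_server -out "$1/server.crt"
}

# What a client does once ca.crt is in its trust store (step 4): build the
# chain to the internal root and check the requested hostname.
verify_server() {  # $1 = work dir, $2 = hostname the client asked for
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt"
}

main() {
    dir=$(mktemp -d)
    build_pki "$dir" intranet.bankname.local 2>/dev/null
    verify_server "$dir" intranet.bankname.local
    # A name the certificate was not issued for must be rejected.
    if verify_server "$dir" payroll.bankname.local 2>/dev/null; then exit 1; fi
    rm -rf "$dir"
}
main
```

Only ca.crt is distributed to employee devices; ca.key never leaves the CA host, and server.key stays on the web server.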
When This Is the Right Approach
This strategy is ideal for:
- On-premises deployments of SimplifyIT or other intranet software
- Air-gapped or segmented environments that require security without internet exposure
- Institutions with Group Policy or MDM to centrally trust internal certificates
Other Options
If you're not ready to run your own CA, consider:
- Let's Encrypt for public domains (if the intranet is public-facing or reverse-proxied)
- Wildcard certificates from a public CA - e.g., *.yourorg.com
- HTTPS termination at the firewall with internal-only traffic over HTTP (not preferred, because traffic behind the firewall is unencrypted)