How to create an SSL cert for two sites, external and internal

Hello,
We have a site https://www.external.com (digitally signed at this moment and is external facing or out to the world) but the server that hosts that site internally is https://internal_server.test.local which is not digitally signed.

So, how to request a single SSL for www.external.com and internal_server.test.local?

Thanks for your help
namerg (Systems Administrator) asked:

Cliff Galiher commented:
If the internal facing site is really .local or is any other domain name you don't publicly own, the short answer is you don't.  Public CAs have either stopped allowing private domains, even in SAN certificates, or have signed on to do so in such a near future that you'd be wasting money.

You'd either want two site listeners, and sign the internal one with a private certificate from an internal CA, but only clients that trust the internal CA would be able to visit the site without errors. Or you could run split DNS and have internal users use the same address as external users, and just get to a different IP address (avoiding out-and-back-in hairpinning on routers), but if you are delivering content based on the visited domain, that may not be an option either.

In short, you can't do what you want. But finding a suitable workaround really depends on your needs.
2
namerg (Systems Administrator, Author) commented:
Thanks Cliff. I am a new employee at this company and by looking at the Personal/Certificates it appears that *.domain.com was issued by the internal Root CA. I was expecting to see Issued by Digicert.

So, it appears that https://www.domain.com, which is digitally signed, and http://internal_server.test.local, not digitally signed, are both local or internal sites.

So, again, how can I create an SSL submitted by our internal CA to have domain.com and test.local?

Thanks for your help,
0
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
The easiest way is to only use IPs with public DNS entries + use https://LetsEncrypt.org certs set up for auto-renewal + only reference sites by public names.

So your local IP might be referenced by test.domain.com (as an example).

As Cliff mentioned, you can't associate an SSL cert with a non-public IP + expect things to work as you expect... where things includes browsers + email + anything else using an SSL cert.
1
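
For the internal-CA route discussed in this thread, a single certificate can cover both names if the request lists them as subjectAltName entries. The script below is an added example, not part of any post above: it assumes OpenSSL is installed, uses the thread's placeholder names, and the function names and file layout are invented for illustration. Submitting the CSR depends on the internal CA and is not shown.

```shell
#!/bin/sh
# Added example: one CSR carrying several DNS names, for signing by an internal CA.
# Caveat: "internal_server" contains an underscore, which is not a valid hostname
# character (RFC 1123); whether the CA and clients accept it is an assumption.
set -eu

# make_san_csr OUTDIR NAME [NAME...]
# The first NAME becomes the subject CN; every NAME is written to subjectAltName,
# which is the field current browsers match the visited host against.
make_san_csr() {
    outdir=$1; shift
    cn=$1
    mkdir -p "$outdir"
    cfg="$outdir/req.cnf"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[v3_req]\nkeyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt\n[alt]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
    # The private key stays on the server (mode 0600); only server.csr goes to the CA.
    ( umask 077; openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null )
    openssl req -new -key "$outdir/server.key" -config "$cfg" -out "$outdir/server.csr"
}

# csr_sans CSRFILE: print the DNS names in the request, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | tr ',' '\n' |
        sed -n 's/^ *DNS:\([^ ]*\).*$/\1/p'
}

# csr_ok CSRFILE: succeed only if the request's self-signature verifies.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage: make_san_csr ./out www.domain.com internal_server.test.local
#        csr_sans ./out/server.csr   # review the names before submitting
```

Checking the names with `csr_sans` before submission matters because some CA templates drop or override requested SANs, so the issued certificate should be inspected the same way.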
