SSL for intranets

How where you informed that you could no longer purchase these certificates? I am not an expert in the cert services field, but how would they know that the certificate is being applied to a resource that is on the intranet rather than the internet?

Is it because you are not submitting the full URL of the resource such as intranet.mydomain.com?

Correct - when you go to renew one, it can't be done because they can only renew top level domains now...according to Geotrust, this is an across the board government regulation, etc...not their choice.

hmm..news to me. thanks for that info.

If that is the case, you could proceed with setting up a PKI infrastructure in the organization.

Most people just set up a windows server, joined to the domain, then install the Cert Serv role and keep the server onine and use Active Directory to store the root cert so that intranet clients will trust the root CA (this would generally take care of any potential issues with the clients). However, if your organization has security policies, this may not meet those requirements. on the Microsoft TechNet site, there are a few good articles on this topic including how-to with regard to the installation.

Adding a PKI infrastructure on your network will not impact any certs you have installed on your intranet web servers.

Great information - thank you! - doing it the way you suggest sounds like nothing even needs to be distributed, or installed on the clients, correct?

pretty much correct. Setting up an online Enterprise root CA is actually very easy. However, if you have requirements such as keeping the root CA offline and having a stand-alone, sub-ordinate issuing CA online, the design, installation, and management/maintenance can get pretty involved. I can tell you from doing this a few years ago.

You can even introduce more than one root enterprise CA into your directory. I would suggest that you read up on this topic a bit more before you bring one online.