With data security at the forefront of every organization’s priorities, securing internal communication has become just as significant as safeguarding external traffic. For companies with an internal network or intranet used by employees, using HTTPS through SSL certificates can help ensure encrypted connections and data integrity. While commonly associated with public websites, SSL certificates are just as applicable within private networks. In this tutorial, we’ll walk through the step-by-step process for setting up an SSL certificate for your company’s intranet network.
Understanding the Importance of SSL on an Intranet
SSL (Secure Sockets Layer), now typically referred to as TLS (Transport Layer Security), enables encrypted communication between a user’s browser and your internal servers. This ensures that login credentials, sensitive internal data, and proprietary business communications are shielded from prying eyes, even inside your own organization.
Using SSL within your intranet offers several benefits:
- Data Encryption: Prevents data leaks by encrypting all information transferred between the user and server.
- User Authentication: Ensures users are connected to your authorized servers, not malicious impostors.
- Internal Trust: Builds a culture of data security and shows employees the company prioritizes their privacy.
Pre-requisites Before You Begin
Before jumping into installing an SSL certificate, ensure you have the following:
- Administrator access to your internal web server.
- Private or public Certificate Authority (CA) you trust within your network.
- A domain name mapped to your internal service (e.g., portal.company.local).
Whether you’re using a self-signed certificate, setting up your internal CA, or purchasing a standard SSL certificate from a vendor depends on your company’s policy and intranet setup.
Step-by-Step Guide to Installing an SSL Certificate
Step 1: Generate a Certificate Signing Request (CSR)
The Certificate Signing Request is the key component of certificate creation. It includes your public key as well as important information about your company.
- Log into the server where the certificate will be installed.
- Run the following OpenSSL command:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr - You will be prompted to enter details like:
- Country Name (2-letter code)
- State/Province
- Organization Name
- Common Name (your intranet domain, e.g., intranet.company.local)
This process will give you two files: server.key (your private key) and server.csr (Certificate Signing Request).
Step 2: Obtain the SSL Certificate
There are three options for obtaining your SSL certificate:
- Internal Certificate Authority: Most corporate environments run their own Certificate Authority via tools like Microsoft Certificate Services or OpenSSL. Submit your CSR to your internal CA and generate a certificate file (.crt or .cer).
- Self-signed Certificate: If your use is limited and trust can be managed internally, you can directly create a self-signed certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt - Third-Party CA: Though not common for intranet setups for cost reasons, companies may opt for a certificate from public providers like DigiCert or Let’s Encrypt (via acme internal configuration).
Step 3: Install the Certificate on Your Server
The installation process varies depending on your server. Here are some examples:
Apache:
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.keyRemember to restart Apache after the configuration changes:
sudo systemctl restart apache2Nginx:
server {
listen 443 ssl;
server_name intranet.company.local;
ssl_certificate /path/to/server.crt;
ssl_certificate_key /path/to/server.key;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
Reload Nginx configuration:
sudo nginx -t
sudo systemctl reload nginxStep 4: Distribute CA Certificate (if not public)
If you used a private or self-signed certificate, browsers and systems won’t trust it by default. You will have to add your internal CA’s certificate to all client devices:
- Windows: Use Group Policy to push the CA to computers’ trusted root store.
- macOS: Use MDM or Keychain Access to add the CA.
- Linux: Place the CA certificate in
/usr/local/share/ca-certificates/and runupdate-ca-certificates.
Testing the Installation
After installation, it’s crucial to test whether SSL is properly applied:
- Open a browser and navigate to https://intranet.company.local.
- The browser should show a padlock if it trusts the certificate.
- Use SSL verification tools like SSL Labs or OpenSSL to validate:
openssl s_client -connect intranet.company.local:443
If you get warnings about untrusted certificates, revisit Step 4 to ensure your CA certificate is properly installed on client machines.
Maintaining Your SSL Setup
Installing an SSL certificate is not a one-time task; you must keep it maintained:
- Track Expiry Dates: Set calendar reminders 30 days in advance or enable auto-renew if supported.
- Rotate Keys Regularly: Modern security practices recommend rotating keys every 1–2 years.
- Log Certificate Usage: Monitor logs to ensure only approved users and devices are accessing via HTTPS.
Troubleshooting Common Issues
- Certificate Not Trusted: Make sure the internal CA is registered as a trusted root in the operating system or browser.
- SSL Handshake Failures: Check logs on the server and verify cipher suites, protocols, and certificate paths.
- Mixed Content Warnings: Ensure that all internal assets (CSS, JavaScript, images) are loaded via
https://.
Final Thoughts
Implementing SSL on your intranet is one of the most effective steps toward securing your internal operations. With growing remote workforces and increasing internal digital touchpoints, privacy within your walls is just as critical as protection on the web. Following the above step-by-step guide will not only encrypt your traffic but will also establish a stronger foundation of trust, compliance, and professionalism within your organization.
SSL is no longer an optional luxury—even in private networks, it’s a necessity. Don’t let your intranet be the weakest link in your security chain.
