TLS/SSL certificates on (internal) LAN

Every so often the question is raised about how to do TLS (SSL) on a LAN (internal) network.

While there’s no perfect solution, it can be done by someone who has a smattering of networking knowledge (at least a basic understanding of DNS).

Several years ago I did a presentation on clarionlive showing two solutions:

  1. A self-hosted certificate authority on an Active Directory domain. The downside of this is that it only works for domain computers (not phones or other devices) and requires more IT skill.
  2. Using a commercial certificate and manipulating DNS. This works for ALL devices on a domain. It’s easiest if your LAN has its own DNS (which is a requirement for Active Directory) but can also be used by tweaking one’s internet DNS and configuring port-forwarding on the LAN’s internet firewall.

For option 2 I HIGHLY recommend a purchased certificate, which can cost as little as $13 per year. (Or maybe $60 for a wild-card if you need to support multiple servers). Going through gymnastics to try to obtain Let’s Encrypt certs every 60 to 80 days is not worthwhile if your IT staff (or you) get paid more than $7 per hour!

In case it might be helpful as a reference, I’m attaching the slides I used for that webinar… outlining both approaches.
And this is a link to that webinar:!492



Certificates.pdf (491.4 KB)


This technique, and others for LAN use, are covered at the start of this webinar;

How does IPSEC fit into all of this?

Bruce -

Actually, watching that youtube video was what prompted me to re-post this.

As people who work in technology, we know that often the devil is in the details.

The DNS trick you explain in that NetTalk webinar (and that I’ve seen you describe various times before) is an offshoot of what I showed.

But NOT the same and much less scalable.

Your version of “my” DNS solution involves tweaking an external DNS 4 or 5 times a year in order to get a free Let’s Encrypt cert. And either using port-forwarding or else loopback in the router.

Mine involves a commercial cert, no port-forwarding, no loopback. Those are significant differences.

Your variant is probably the best solution for some businesses. Even there, I’d personally go for the paid 1-year certificate rather than the Let’s Encrypt that expire in 90 days.

The guy you were helping in the most recent webinar has a hosted public web server that wouldn’t work for getting his Let’s Encrypt certs because he can’t run a Windows app.
Spinning up an AWS box for a half hour every 80 days just to acquire the Let’s Encrypt cert is awfully convoluted.
If his network hosts its own internal DNS, none of that is necessary and his existing hosted server will work just fine for purchasing a commercial cert.
Even without his own DNS he could still use his existing hosted domain to purchase a commercial cert and then do your trick with the public DNS and internal router loopback. But if his network is using Active Directory, it WILL have its own DNS.

The commercial cert solution I described in the clarionlive webinar is different from the one that you show.

I’m an administrator on the medium-size network where I contract. We have between 900 and 1000 employees in about 20 facilities. We have a variety of internal web servers - IIS, SSRS, Apache, and NetTalk. It is a medical environment that has regular security audits.

On our network we’ve configured dozens of split DNS domains to support servers that require a commercial cert.
For each server, it involves a one-time item setup in our internal DNS. Then doesn’t need to be touched again.
It requires no port-forwarding to be configured through our firewalls.
It requires no loopback in the firewalls.

Once a year we buy a wildcard certificate using a publically-registered domain name. I then install the cert on our servers.

I take no credit for this brilliant technique. Our IT director learned of it from a post on spiceworks (where the cool kids congregate) that links to this article:

For our servers that are only accessed by domain-joined computers I’ve built an internal certificate authority (with offline root) that’s trusted in Active Directory. That’s convenient because those certs work with the actual server names and no DNS tweak is required.

Even much smaller networks with only a single site can benefit from this split DNS trick with a commercial cert if they’re running Active Directory.

Let’s Encrypt is a great tool.

Router loopback is a great tool if you’ve only got one router and one or two servers.

Not all pegs are round :wink:



1 Like

How does IPSEC fit into all of this?

I don’t think it does, Rick.

What I posted is about certificates for servers that run inside a LAN and need to provide HTTPS connections to internal users. The challenge being that you can’t buy a certificate for “” or for an internal domain name that isn’t publically registered.

Unless you’re talking about configuring VPNs? (That’s been my only experience with IPSEC).
These are a couple of interesting articles on IPSEC vs TLS for VPNs:

Oops, missed your point. I thought you were just trying to encrypt all traffic, not provide HTTPS support.

no, the port-forwarding and router loopback were for a different technique. They are an alternative - if you have those then you don’t need to play games with DNS at all - you can simply assign an internet-valid-domain to the LAN server and everything (LE, local browsing etc) just works for inside and outside. That’s the best version, but requires the port-forwarding which may not be possible.

I agree that a commercial certificate would only need to happen once a year, not 5 times a year, and that’s a significant improvement.

In the webinar, in Mike’s case, there isn’t Active Directory.


Maybe this is also a solution.

We used a Sandbox VM where we installed Certify The Web - simple free certificates for IIS and more, powered by Let’s Encrypt and other ACME CAs

So this machine is working in a dmz and have a mapped drive to the certificate folders of our webservers.
So all our webservers are just working internally but get the lets encrypt certificat from the sandbox machine. So for every domain there is a separated mapped drive. So all 90days the certficates are renewed automatically.

Regards :slight_smile:


The DNS technique with a commercial cert doesn’t require Active Directory, just access to DNS.
I was guessing that for a campus large enough to have a custom app for a roving maintenance staff it’s not likely that they’re using a simple peer-to-peer workgroup. Maybe they are.

You’ve hosted enough webinars where this question has been raised that I thought it worthwhile to congregate some information here. I appreciate your enthusiasm for Let’s Encrypt (that’s what my simple personal hosted domains use). I don’t think it’s generally the best choice for LAN devices.

Although… the Certify The Web link Rob posted presents an option of which I was not aware. I’m going to learn more about that.



1 Like

Very cool, Rob! Thanks. I wasn’t familiar with this option.