HTTPS over intranet, what is the correct way of doing it

Question

So as I understand it intranet ssl certs will no longer be available from 2015, instead to get around this I could generate my own certificates for use and install them on the networked machines. My question is, in that case, does this mean issuing my own certificates would be bad practice? I can't think of any other solutions.

Answer 1

Presumably, by "intranet certificate", you mean a certificate that's issued to a local host name (e.g. "sqlserver" or "mail") or a private IP address.

There's one simple solution to this: use fully qualified domain names, even in an intranet. The clients connecting to your intranet servers will need to use the FQDNs too, but that's generally not very difficult. There's also nothing to prevent you from making your DNS resolve myinternalserver.mycompany.com to any IP address you'd like, including private IP addresses, even if the DNS servers are hosted outside your company's network. (For SSL/TLS verification, you don't even need reverse DNS to work, so that's not a problem.)

Managing your own CA is also a solution, but it can be quite a bit of administrative burden (depending on the size of your environment).

(From a security point of view, I think these intranet certificates shouldn't really exist anyway, since two completely different entities may be issued with distinct certificates valid for the same (relative) identity.)