Certificates for domains behind firewall / intermediate CA

This may be similar to "Certificate for local network behind fritzbox (custom domain)", "Sign me as an Intermediate CA for my Domain with Name Constraint?", or "Adding new sub-domains to certificate".

My company ReallyBigFoo (not their real name) owns reallybigfoo.com and has a certificate from ExpensiveCA.com for www.reallybigfoo.com for their public-facing website. That’s fine.

We also have a number of servers behind our firewall for internal use only; they’re not accessible outside of our firewall. I’m working with our IT staff on one of them, foo37.reallybigfoo.com, which we want to convert from HTTP to HTTPS. I was surprised to find out that they need to buy another certificate from ExpensiveCA.com for foo37.reallybigfoo.com. We are just trying to get the lock symbol for browsers for our internal staff, and prevent passwords from being transmitted in plaintext.

Here is my question: Is there a way to use Let’s Encrypt for either:

  • obtain a certificate for foo37.reallybigfoo.com (even though it is behind a firewall) and other internal servers
  • obtain an intermediate CA certificate for some subdomain like ca.reallybigfoo.com, so that we can issue our own certificates for servers like foo37.reallybigfoo.com

?

I apologize; while I understand how public-key encryption and signing works, I don’t quite understand the rules behind TLS certificates.

Yes. There are a couple of possibilities:

  • Set up the external DNS records for foo37 to point to some publicly-accessible server, and run certbot (or any other preferred client) on that. Script the system to copy the cert files to foo37 upon issuance.
  • Use one of the alternate clients with DNS authentication (hopefully someone can link to the whole list; all the bash and Go clients support it -- I use letsencrypt.sh, but there are many others) running on foo37 or some other convenient machine.

Set up the external DNS records for foo37 to point to some publicly-accessible server

ok, I get that one.

Use one of the alternate clients with DNS authentication

do you know of any references I could find to get more info? (just curiosity; someone else would actually be doing it)

I know the letsencrypt.sh docs discuss the DNS challenge a bit. In general, it involves creating TXT records for the hostname in question with cryptographically-determined contents. To be practical, your DNS provider needs to have an API that will allow record changes to be made by software, but many providers do allow that. I’m sure there are other docs which go into more detail, but I’m not sure off the top of my head where they are.

The complete list is List of Client Implementations (if you want to see what all of the bash and Go clients are).
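The "cryptographically-determined contents" of the TXT record mentioned above are defined by the ACME DNS-01 challenge (RFC 8555, with the account-key thumbprint from RFC 7638). The following is an added example, not code from the thread or from any ACME client: it computes the record name and value a client such as letsencrypt.sh would publish for foo37.reallybigfoo.com, and includes the check a CA performs when it looks the record up. The EC account key and the challenge token are constructed dummy values, not real material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the
    required JWK members only, lexically ordered, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(hostname: str, token: str, thumbprint: str) -> tuple[str, str]:
    """Return (record name, TXT value) for the DNS-01 challenge.
    The value is base64url(SHA-256(token '.' thumbprint)); the record goes
    at _acme-challenge.<hostname>. Publishing it proves control of the DNS
    zone, which is why the host itself never needs to be reachable."""
    key_authorization = f"{token}.{thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("utf-8")).digest()
    return f"_acme-challenge.{hostname}", b64url(digest)


def dns01_matches(observed_txt: str, hostname: str, token: str, thumbprint: str) -> bool:
    """What the CA does after querying DNS: recompute the expected value
    and compare it to the TXT record it actually observed."""
    _, expected = dns01_record(hostname, token, thumbprint)
    return observed_txt == expected


# Constructed sample account key (EC P-256 JWK with dummy coordinates; not a real key).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # optional member: deliberately excluded from the thumbprint
}

# Constructed sample challenge token (the CA normally supplies this).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def sample_challenge() -> tuple[str, str]:
    """Record the client would publish for the internal host in the thread."""
    thumb = jwk_thumbprint(SAMPLE_ACCOUNT_JWK)
    return dns01_record("foo37.reallybigfoo.com", SAMPLE_TOKEN, thumb)


if __name__ == "__main__":
    name, value = sample_challenge()
    print(f"{name}. IN TXT \"{value}\"")
```

Two points the code makes concrete: the thumbprint depends only on the public account key, so the same account always yields the same thumbprint, while a fresh token per challenge yields a different TXT value each time; and the CA compares the observed record against a value it computed itself, so the TXT record must be exactly the base64url string, without padding and with the underscore-prefixed label. Clients automate the publish-and-remove step through the DNS provider's API, which is why the reply above says the provider needs one.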
