How to generate an SSL certificate for a internal-only domain that’s not on the Internet?

i have a domain name :, which is never used outside the company and cannot be reached from the public Internet.

is it possible to generate certificate in my case please ?

Public Certificate Authorities only certify public names.

So while the name needs to be public, the server doesn't need to be. If there's an actual domain name, with public DNS, then one can use the DNS-01 Challenge of creating a TXT record to prove control of the name. This generally works best when it can be automated, either through it being a DNS provider that supports an API, or through something like acme-dns where there's a special-purpose DNS server for providing the TXT record which the normal DNS provider delegates the name to.

If it's actually an internal-only name, for internal-only clients, then you need to look at making your own private CA, rather than trying to use the public WebPKI.


Please see Certificates for localhost - Let's Encrypt


thanks for your answer,
then you need to look at making your own private CA, rather than trying to use the public WebPKI.
=> private CA do you have some suggestions please ?

1 Like

Please check this thread out Local Domain certs with Let's Encrypt CA - #9 by danb35


For small use cases of just a few machines, something like minica or (as mentioned above) step-ca may be what you want, where you make a CA, load the root certificate into the trust store on devices that will be using your internal systems, and issue your own certificates for your servers.

For something larger-scale, there are plenty of enterprise products for making your own CA, from the usual "cloud" players (Microsoft, Amazon, Google, etc.) as well as other paid-for public CAs that offer a private CA management service (DigiCert, Sectigo, etc.).

Either way, it's getting a bit beyond what Let's Encrypt does, which is focused on making it easy for public servers to get domain-validated certificates for use on the Internet. But hopefully those point you in the right direction. For some things, it's easier to just buy a public domain name even if it's not going to be used by anyone outside the organization and use the WebPKI, but many use cases are better served by making one's own private PKI.