How to generate an SSL certificate for an internal-only domain that’s not on the Internet?

For small use cases of just a few machines, something like minica or (as mentioned above) step-ca may be what you want, where you make a CA, load the root certificate into the trust store on devices that will be using your internal systems, and issue your own certificates for your servers.

For something larger-scale, there are plenty of enterprise products for making your own CA, either from a server OS (Microsoft, Red Hat, etc.), the usual "cloud" players (Amazon, Google, etc.), as well as other paid-for public CAs that offer a private CA management service (DigiCert, Sectigo, etc.).

Either way, it's getting a bit beyond what Let's Encrypt does, which is focused on making it easy for public servers to get domain-validated certificates for use on the Internet. But hopefully those point you in the right direction. For some things, it's easier to just buy a public domain name even if it's not going to be used by anyone outside the organization and use the WebPKI, but many use cases are better served by making one's own private PKI.

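The make-a-CA, load-the-root, issue-your-own-certificates flow from the first paragraph, as an added example that is not part of the original post and not minica's or step-ca's code: it uses Go's standard crypto/x509 to build a private root, issue a leaf for an internal hostname, and then verify that leaf the way a client whose trust store holds only that root would. The CA name and the hostname passed in are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// create makes a fresh Ed25519 key pair for tmpl and signs it with parentKey (nil parentKey = self-signed root).
func create(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewRootCA builds the private root; its certificate (never the key) is what gets loaded into each device's trust store.
func NewRootCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"}, // constructed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return create(tmpl, tmpl, nil)
}
// IssueServerCert signs a leaf for one internal hostname; the name goes in the SAN (DNSNames), not only the CommonName.
func IssueServerCert(ca *x509.Certificate, caKey ed25519.PrivateKey, host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, _, err := create(tmpl, ca, caKey)
	return leaf, err
}
// VerifyWithRoot checks a leaf as a client trusting only the private root would: chain to that root and hostname match.
func VerifyWithRoot(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

A real deployment would persist the root key offline (or in an HSM) and distribute only the root certificate to clients; here everything stays in memory so the flow can be run end to end.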