Internal domain with internal DNS

Hi all,
I have an internal domain with internal DNS (not publicly accessible).
Can I use a CA like Let's Encrypt or Sectigo to issue/renew SSL certificates for this setup, or do I need to use an internal CA?
What is the recommended approach?

You cannot get a publicly trusted cert without being able to demonstrate control of the domain in the public internet. For Let's Encrypt that is done either with DNS TXT records or HTTP requests using the IP in the public DNS.

You can acquire the cert anywhere and deploy it to a local network. But, you must demonstrate control of that public name somewhere.

You might try something like mkcert for simple cases. Or, perhaps smallstep or Hashicorp Vault to set up a private CA.

See also: Certificates for localhost - Let's Encrypt

5 Likes

From my understanding, it’s not possible to obtain a publicly trusted SSL certificate for purely internal domains (e.g., .local, .internal) with internal-only DNS, since public CAs like Let's Encrypt or Sectigo require public domain validation.

Does this mean the only option for such environments is to use a private/internal CA?

Also, how do large organizations typically handle this at scale? Do they rely on split DNS with public domains, internal PKI, or a hybrid approach?

Additionally, is there any scenario where paid CAs such as DigiCert, GlobalSign, or Sectigo would issue certificates for internal-only domains (e.g., via enterprise/private offerings), or is this completely restricted by policy?

Would appreciate any insights or best practices.

Yes. Or, use a public domain name with a public DNS server, even if that's the only part of the system which is public.

Large organizations I think would generally use an internal PKI, though they're also likely to be running some public DNS servers anyway even for private services.

Paid CAs won't give you publicly-trusted WebPKI certificates for private names. They probably also have product offerings to help you manage a private PKI using their tools.

5 Likes

The trick is to move them to fully qualified DNS names that could exist in your public DNS (they don't have to actually exist as public DNS entries). e.g. example-service.corporate.yourdomain.com

That way you can get a cert from a public CA, because the name is a valid public name and you can validate it using a DNS challenge with a public TXT record (e.g. _acme-challenge.example-service.corporate.yourdomain.com).

It doesn't matter that the service itself will be private and not accessible to the public internet, it's just the DNS challenge that has to be completed using your public DNS.

2 Likes
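The DNS-01 flow the last reply describes, as an added example (my own code, not from any poster, Let's Encrypt, or an ACME client): it computes the TXT record a CA expects at `_acme-challenge.<name>` per RFC 8555 §8.4 and RFC 7638, and models the CA-side check, which consults only public DNS and never contacts the internal host. The account key, token and zone contents are constructed placeholders.

```python
import base64
import hashlib
import json
from typing import Dict, List, Tuple

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_record(hostname: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """Return (TXT owner name, TXT value) for a DNS-01 challenge.

    Key authorization = token '.' thumbprint(account key); the published TXT value is
    base64url(SHA-256(key authorization)) at _acme-challenge.<hostname> (RFC 8555 section 8.4).
    """
    key_auth = f"{token}.{jwk_thumbprint(account_jwk)}"
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return f"_acme-challenge.{hostname.rstrip('.')}", b64url(digest)

def validator_accepts(public_zone: Dict[str, List[str]], hostname: str,
                      token: str, account_jwk: dict) -> bool:
    """Model of the CA's validation step.

    The CA resolves _acme-challenge.<hostname> in *public* DNS and looks for the expected
    value among the TXT records. The service at <hostname> is never contacted, so the
    host may resolve only in internal DNS (or not at all) and still pass.
    """
    name, expected = dns01_record(hostname, token, account_jwk)
    return expected in public_zone.get(name, [])

# Constructed sample account key: public parameters only, values made up for illustration.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "sample-x-coordinate", "y": "sample-y-coordinate"}

if __name__ == "__main__":
    host = "example-service.corporate.yourdomain.com"   # internal-only host, public parent zone
    name, value = dns01_record(host, "constructed-challenge-token", SAMPLE_JWK)
    print(f"publish in public DNS:  {name}. IN TXT \"{value}\"")
    public_zone = {name: [value]}                         # constructed zone after publishing
    print("CA validation passes:", validator_accepts(public_zone, host, "constructed-challenge-token", SAMPLE_JWK))
```

With a real ACME client the token and account key come from the client and the CA; the only operational requirement this shows is that the TXT record lands in the zone the public resolvers see.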