
I have a webapp running in a public domain using an SSL certificate provided by https://gethttpsforfree.com/

It works like a charm.

The problem is that sometimes I need to install this webapp directly on clients' servers in intranet networks (not in my domain), and it needs other certificates for a specific hostname in the client's intranet.

Since I don't want to share my real domain private key nor add a security exception for each client browser connected, how do I solve this problem?

In step 2 of https://gethttpsforfree.com/ I can add other domains to be secured. I think it would resolve the issue, but I'm not sure if creating a new certificate will invalidate my previous one.

Can anyone give me any tips on how to figure out this problem?

Update: Actually, I found a way:

1) Create a subdomain in my internet domain;

2) Generate a Let's Encrypt certificate for this subdomain (internet.domain.pem and internet.domain.key);

3) Set the webapp (Apache) with this internet.domain.pem and internet.domain.key;

4) Set the intranet DNS of internet.domain to the intranet webapp server;

The certificates are valid in my Docker container tests and worked as expected. But I'm not sure whether there is anything wrong with using an intranet.domain.com to generate a valid certificate to use in the intranet only by changing the intranet DNS.

Can someone help me see if I'm creating some critical security issue (and what it is)?

  • You have to generate a new certificate for each client. Please note a LetsEncrypt certificate is only valid for 3 months, and the renewal process requires both internet access and specific software requirements. LetsEncrypt certificates, while they can be used for SSL between client devices, are not meant for that purpose. Getting your own paid certificate, signed by a CA, will solve this problem for the length of the certificate at least.
    – Ramhound
    Commented Jul 2, 2016 at 11:21
  • To improve my future questions, can someone tell me why the -1 on this?
    – ton
    Commented Jul 2, 2016 at 13:02
  • There isn't anything you can do to improve this question, because the reason for the vote was the lack of research on your part. I felt that because you don't understand how Let's Encrypt certificates work, despite the huge amount of documentation and training that does exist on them, you're asking to do something that isn't actually possible. In order to use a Let's Encrypt certificate, ownership of the domain must be verified by the foundation behind Let's Encrypt. Since you're unable to verify you own a domain that only exists on a local network, that verification step cannot be completed.
    – Ramhound
    Commented Jul 2, 2016 at 13:09
  • @Ramhound, I think I understand how "Let's Encrypt" works for the internet; I was just looking for a way to use this in my webapp's intranet. The huge docs you quote are focused on internet domains, not the intranet. Please read my post's update. I do want your opinion before I post it as an answer.
    – ton
    Commented Jul 2, 2016 at 14:43

2 Answers


Let's Encrypt (which gethttpsforfree.com is based on) needs to validate that you 'own' the domain you are trying to generate a certificate for, either by setting a public DNS entry for the domain or by creating a particular file reachable via HTTP at that domain (see https://letsencrypt.org/how-it-works/).

However, as this is about an intranet domain, it is by its very nature not publicly accessible. This means that Let's Encrypt can't use either of these methods to validate the domain, so you can't generate a certificate that way. Even when adding extra domains in step 2, these need to be verified in the same way.

The only option I know of is to create your own Certificate Authority, make the client browsers trust that CA, and then generate your own certificates for the domains in question, but I think you stated in the question that you wanted to avoid that.


I found a way:

1) Create a subdomain in my internet domain;

2) Generate a Let's Encrypt certificate for this subdomain (intranet.domain.com.pem and intranet.domain.com.key);

3) Set the webapp (Apache) with this intranet.domain.com.pem and intranet.domain.com.key;

4) Set the intranet DNS of intranet.domain.com to the intranet webapp server;

Now I have a valid, signed and trusted certificate running in my intranet.
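
Added example, not part of the answer above: a Python check for the certificate installed in step 3. It flags a certificate that names anything besides the intranet host (the private key sits on the client's server) or that is near the end of the 3-month validity mentioned in the comments. The sample certificate, the `audit_cert` and `fetch_cert` names, and the 30-day threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert();
# names and dates are placeholders, not taken from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "intranet.domain.com"),),),
    "subjectAltName": (("DNS", "intranet.domain.com"),),
    "notBefore": "Jul  2 00:00:00 2016 GMT",
    "notAfter": "Sep 30 00:00:00 2016 GMT",
}

def fetch_cert(host, port=443):
    """Fetch the served certificate (run from inside the intranet). The default
    context already rejects untrusted chains and hostname mismatches."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit_cert(cert, intranet_host, now, renew_days=30):
    """Return a list of findings; an empty list means the certificate passes."""
    wanted = intranet_host.lower()
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    findings = []
    if wanted not in names:
        findings.append(f"{intranet_host} is not listed in subjectAltName")
    # The key is stored on the client's server, so the certificate should
    # name nothing else (no main domain, no wildcard, no other hosts).
    for extra in names:
        if extra != wanted:
            findings.append(f"certificate also covers {extra}")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < renew_days:
        findings.append(f"only {days_left} days left; renew now")
    return findings

if __name__ == "__main__":
    # Fixed date so the constructed sample gives a stable result.
    print(audit_cert(SAMPLE_CERT, "intranet.domain.com",
                     datetime(2016, 7, 10, tzinfo=timezone.utc)))
```

Against a live deployment, pass `fetch_cert("intranet.domain.com")` and `datetime.now(timezone.utc)` to `audit_cert` instead of the sample values.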
