In a corporate environment, it’s not enough to secure only public-facing websites with SSL certificates. Internal sites—such as dashboards, admin panels, intranet portals, and management consoles—often handle sensitive data and authentication details. If these sites are left unencrypted, credentials and business information can be exposed to anyone on the internal network through packet sniffing or man-in-the-middle attacks.
By using SSL certificates, even internally hosted sites gain the benefits of encryption, authentication, and integrity. Encryption ensures that traffic cannot be read in transit, authentication proves that users are connecting to the legitimate server, and integrity guarantees that data isn’t altered during communication. Implementing SSL across internal sites strengthens the overall security posture, reduces insider threats, and supports compliance with frameworks like the Essential Eight, ISO 27001, and NIST standards.
Prerequisites:
Before requesting an SSL certificate from IIS and signing it with our Ubuntu CA, ensure the following are in place:
Ubuntu Certificate Authority (CA) Installed and Configured
- A working Ubuntu server acting as a Certificate Authority.
- OpenSSL or certmonger/easy-rsa configured to issue and sign certificates.
- The CA root certificate exported and trusted by all corporate devices (imported into Group Policy for Windows domain environments).

Domain Environment
- Active Directory DNS resolution working (e.g., secure_baseline.bugnbuyco.local resolves to your IIS server).
- Workstations and servers should trust your internal CA through GPO distribution.

- IIS installed with the Server Certificates role feature enabled.
- A dedicated folder structure for the site (e.g., D:\Sites\secure_baseline\).
- Administrative access to generate a CSR (Certificate Signing Request).

Certificate Request Process
Open IIS Manager, click the “Server Name”, then click “Server Certificates”.

Under Actions, choose “Create Certificate Request”.

The certificate’s Common Name (CN) must match the DNS record created in Active Directory DNS Manager. In this example, the hostname is “secure_baseline.bugnbuyco.local”.

Fill in the details and click “Next”.

Keep the Cryptographic Service Provider set to its default, and ensure the key length is at least “2048” bits. A 2048-bit key is the current industry minimum for SSL/TLS certificates, providing strong encryption while maintaining broad compatibility with browsers and systems.

Give the request file a name and a location to save it, then click “Finish”.

Open the saved file to get its contents; this can be done in Notepad.
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
Signing the Certificate Request
SSH to your Ubuntu server, change to the /root/ca/certs folder, and paste the CSR contents into a new file called secure_base.csr.
root@ubsrv:~/ca/certs# ls
backup  ithu.cert  ithu.srl  secure_base.csr
Next, edit the san.cnf file:
sudo nano /root/ca/san.cnf
Update the DNS name to match the requested hostname:
[v3_req]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = secure_baseline.bugnbuyco.local
Once the files are ready and saved, run the command below to sign the certificate. You’ll be prompted to enter the certificate password to finalize the process.
openssl x509 -req -in /root/ca/certs/secure_base.csr -CA /root/ca/certs/ithu.cert -CAkey /root/ca/private/ithu.key -CAcreateserial -out /root/ca/certs/secure_base.crt -days 825 -sha256 -extfile /root/ca/san.cnf -extensions v3_req
You will now have the new cert file; you can use the cat command to view its contents.
root@ubsrv:~/ca/certs# ls
backup  bugnbuyco.crt  ithu.cert  ithu.srl  secure_base.crt
root@ubsrv:~/ca/certs# cat secure_base.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
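Added example, not part of the original guide: checks to run on the CA host before and after the signing command above. `csr_ok` confirms the CSR's self-signature, Common Name and key size; `cert_ok` confirms the issued certificate chains to the CA, is not itself a CA, and carries the requested DNS name in its SAN, which catches a san.cnf still pointing at a previous site. The helper names and the throwaway demo CA are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: checks around the signing step. Helper names are hypothetical.

# csr_ok CSR EXPECTED_CN [MIN_BITS]: self-signature valid, CN matches, key big enough.
csr_ok() {
  local csr=$1 cn=$2 min=${3:-2048} got bits
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  got=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
        awk -F' *= *' '$1 ~ /commonName/ {print $2}')
  [ "$got" = "$cn" ] || return 1
  bits=$(openssl req -in "$csr" -noout -text |
         sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge "$min" ]
}

# cert_ok CERT CA_CERT EXPECTED_DNS: chains to the CA, is not a CA, SAN has the name.
cert_ok() {
  local cert=$1 ca=$2 dns=$3 text
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
  # Compare SAN entries whole, so a.example does not match a.example.com.
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$dns"
}

# make_demo_pki DIR CN: throwaway CA and CSR (constructed test material).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -out "$1/ca.crt" -subj '/O=Demo-CA' -days 2 >/dev/null 2>&1 &&
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/site.key" \
    -out "$1/site.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# sign_demo DIR SAN_NAME OUT: the guide's signing command, with SAN_NAME as the
# DNS.1 value that happens to be in san.cnf at signing time.
sign_demo() {
  printf '%s\n' '[v3_req]' 'authorityKeyIdentifier=keyid,issuer' \
    'basicConstraints=CA:FALSE' 'extendedKeyUsage = serverAuth' \
    'subjectAltName = @alt_names' '[alt_names]' "DNS.1 = $2" > "$1/san.cnf"
  openssl x509 -req -in "$1/site.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$3" -days 2 -sha256 \
    -extfile "$1/san.cnf" -extensions v3_req >/dev/null 2>&1
}

# On the CA host, with the guide's paths:
#   csr_ok  /root/ca/certs/secure_base.csr secure_baseline.bugnbuyco.local
#   cert_ok /root/ca/certs/secure_base.crt /root/ca/certs/ithu.cert \
#           secure_baseline.bugnbuyco.local
```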
Apply the Signed Cert
Copy the certificate contents into a .txt file on the IIS server, then rename the file from .txt to .cer.

Open IIS Manager, click the “Server Name”, then click “Server Certificates”, and this time choose “Complete Certificate Request”.

Import the .cer file, assign it a friendly name (this will help identify it later when applying the certificate), select Web Hosting as the certificate store, and then click “OK”.

The certificate will now be imported into the IIS server and will be available for deployment once the site configuration is complete.

Summary
In this guide, we walked through the process of requesting and signing an SSL certificate for an IIS site using an internal Ubuntu Certificate Authority. We started with the prerequisites, including setting up the Ubuntu CA, preparing DNS records in Active Directory, and ensuring IIS was ready to generate a CSR. We then covered best practices when creating the certificate request, such as using a minimum 2048-bit key and matching the Common Name to the DNS record. Finally, we demonstrated how to import the signed certificate back into IIS, assign a friendly name, place it in the correct store, and prepare it for deployment.
Securing internal sites with SSL certificates strengthens encryption, trust, and compliance inside the corporate network—helping protect sensitive data and user credentials against internal threats.