IntranetSSL Certificates

What is an IntranetSSL certificate?

An IntranetSSL certificate is a particular type of certificate offered by our commercial Certificate Authority (CA) of choice, GlobalSign. It is similar to offerings from other commercial CAs, and is intended for use on internal or private sites. Its chain is not trusted by default, meaning that unless certain steps are taken, a client will get a certificate not trusted error from their web browser when browsing to a site using such a certificate.

When should I use one?

If your site is intended only to be accessed by staff or faculty, it is hosted on a private IP address, and the userbase is relatively small, you should use an IntranetSSL certificate. The key words "relatively small" are a judgement call that is made by Information Security Services staff, but a rule of thumb is if you can expect that users will all be on managed workstations, or if there are fewer than 100 users, use an IntranetSSL certificate. Otherwise, an OrganisationSSL certificate may be appropriate.

Why would I use one if it causes errors for some?

The succinct answer is because our CA mandates it. GlobalSign is a member of the CA/Browser Forum, which agreed that members should not issue publicly-trusted certificates for sites intended for internal use, or for IP addresses in the RFC1918 ("private") space. This is intended to protect clients - a public certificate issued for a hostname which is not publicly resolvable (or a reserved IP address) can lead to confusion about which site their browser is actually connecting to.

What does this mean at Waterloo?

Windows workstations in Nexus have had the GlobalSign SHA256 IntranetSSL certificate chain added to their operating system's certificate store. Common browsers which use the OS store (Internet Explorer, Chrome, and Edge) will therefore automatically trust this chain and users should not need to know the difference. Firefox does not use the OS store on any platform, and therefore unfortunately needs to have the chain added separately. IST is working to add the chain to managed Firefox installations.

Unmanaged workstations will need to install the certificate chain manually. The required certificates are available from GlobalSign's page. Installation is usually simply a matter of downloading the required certificates and double-clicking them. IST currently only issues SHA256 certificates, so only the "Non-Public SHA256 Chain" should be required.

In Windows, click on the "Download (Binary/DER Encoded)" button for each certificate and then right click and choose install on each downloaded file. On a Mac client, you will need to open Keychain Manager and explicitly trust each of the two certificates.
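For unmanaged Windows workstations, the download-and-double-click step above can be scripted and then checked. The PowerShell below is an added example, not IST's or GlobalSign's own tooling; the download folder, the file extensions and the layout of the chain (one self-signed root plus intermediates) are assumptions.

```powershell
# Added example, not part of the original page or of GlobalSign's tooling.
# Imports the DER files of the "Non-Public SHA256 Chain" downloaded from GlobalSign's
# page into the Windows certificate stores, then confirms each one is present.
# Assumptions: the files sit in $ChainDir (hypothetical folder) with a .cer/.crt/.der
# extension, and the chain is one self-signed root plus one or more intermediates.
# Firefox keeps its own store, so this script does not cover it.
param(
    [string]$ChainDir = "$env:USERPROFILE\Downloads\IntranetSSL",
    # LocalMachine needs an elevated shell; CurrentUser affects only the current account.
    [ValidateSet('LocalMachine', 'CurrentUser')][string]$Scope = 'LocalMachine'
)

function Get-ChainCertificates {
    param([string]$Dir)
    Get-ChildItem -Path (Join-Path $Dir '*') -Include '*.cer', '*.crt', '*.der' -File |
        ForEach-Object {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName
            # A self-signed certificate (subject equals issuer) is the root and belongs in
            # "Trusted Root Certification Authorities" (Root); anything else is an
            # intermediate and belongs in "Intermediate Certification Authorities" (CA).
            $store = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
            [pscustomobject]@{ Path = $_.FullName; Cert = $cert; Store = $store }
        }
}

function Install-ChainCertificates {
    param([string]$Dir, [string]$Scope)
    foreach ($entry in Get-ChainCertificates -Dir $Dir) {
        # Show the thumbprint so it can be compared with the fingerprint GlobalSign
        # publishes before the certificate is trusted on this machine.
        $msg = "Importing '{0}' into {1} (thumbprint {2}, expires {3})" -f $entry.Cert.Subject, $entry.Store, $entry.Cert.Thumbprint, $entry.Cert.NotAfter
        Write-Host $msg
        Import-Certificate -FilePath $entry.Path -CertStoreLocation "Cert:\$Scope\$($entry.Store)" | Out-Null
    }
}

function Test-ChainInstalled {
    param([string]$Dir, [string]$Scope)
    $missing = @()
    foreach ($entry in Get-ChainCertificates -Dir $Dir) {
        # The certificate provider exposes each installed certificate as Cert:\<scope>\<store>\<thumbprint>.
        $installed = Join-Path "Cert:\$Scope\$($entry.Store)" $entry.Cert.Thumbprint
        if (-not (Test-Path $installed)) { $missing += $entry.Cert.Subject }
    }
    if ($missing.Count -eq 0) { Write-Host "Chain installed: all certificates present under Cert:\$Scope"; return $true }
    Write-Warning ("Not installed: " + ($missing -join '; '))
    return $false
}

Install-ChainCertificates -Dir $ChainDir -Scope $Scope
Test-ChainInstalled -Dir $ChainDir -Scope $Scope
```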