Intranet needs SSL certificate automation more
March 27, 2025

One year ago, ZoTrus Technology launched the CerSign brand intranet SSL certificate. It has been welcomed by users because it effectively solved the problem of users' urgent need for SSL certificates bound to intranet IP addresses, and many users have applied for it. Today, ZoTrus Technology has launched a new product, the Intranet HTTPS Automation Gateway. This article will talk about what is special about this intranet gateway that took a year to build and why it is necessary to launch this product.

1. Intranet traffic security has not received due attention

The Intranet mentioned here refers to the internal office network that cannot be connected to the Internet, such as government extranet and internal network, the internal business management system network, such as the hospital management information system. The author has been treated in one tertiary hospital in Shenzhen. Their internal medical management systems, including the electronic whiteboard system of the nurse station, are all running in plain text HTTP mode in an unsecure manner. The Chrome address bar shows "Not secure” but no one cares about this. This is very unsecure that it does not meet the transmission encryption requirements in the "Medical and Health Institution Network Security Management Measures". It cannot guarantee the security of confidential medical data and seriously violates the compliance requirements of the "Data Security Law" that confidential data transmission must adopt encryption measures.

The hospital management information system is just one of the cases of insecure intranet traffic that the author has found. In fact, many government and corporate office intranet systems are also running in plaintext HTTP mode. These networks that are generally considered to be intranets are actually a large intranet across floors, buildings, and even cities. The reason why these intranet management information systems are limited to intranet operation is precisely because the data managed by these intranets is very important, and almost all of them are confidential information that needs to be protected. However, this confidential information has been running naked in HTTP plain text transmission, which is very unsecure. Relevant organizations must attach great importance to it and must implement HTTPS encryption protection.

2. Intranet SSL certificates still have the same installation and deployment issues as Internet SSL certificates

Two years ago, ZoTrus Technology fully realized the importance and urgency of protecting the security of intranet traffic. It took a year to build an intranet SSL certificate application ecosystem and launched the ZT Browser trusted CerSign brand intranet SSL certificates, which has been welcomed by users. However, the intranet SSL certificate is the same as the Internet SSL certificate. Users still need to apply for the certificate online, complete domain name control validation and identity validation, and install the SSL certificate on the Web server. This is still a very tedious task, especially since all internal management systems provide services to user day and night. It is impossible to restart the Web service in order to install the SSL certificate. This is a real problem encountered by users.

And, in order to meet the requirements of cryptography compliance and network security compliance, the internal management information system also needs SM2 HTTPS encryption transformation, which is even more difficult. Installing the RSA algorithm SSL certificate only requires restarting the Web server, while installing the SM2 SSL certificate requires upgrading and reconstructing the Web server. The commonly used IIS server software cannot be upgraded to support the SM2 algorithm. Therefore, whether users install the RSA algorithm intranet SSL certificate or the SM2 algorithm intranet SSL certificate, they encounter many deployment difficulties. These difficulties have severely hit the enthusiasm of intranet system administrators to deploy SSL certificates. They can only pray that there will be no confidential data leakage incidents, even if intranet users see the browser prompt "Not secure" every day.

3. ZoTrus Intranet Gateway achieves "self-sufficiency" of intranet SSL certificates and completely solves the problem of intranet HTTPS encryption

It is precisely because of the full understanding of the many difficulties users face when deploying intranet SSL certificates, ZoTrus Technology continues to look for better solutions after launching the intranet SSL certificates. That is the ZoTrus HTTPS Automation Gateway Intranet Edition launched today. This is another product innovation after the global launch of the ZoTrus HTTPS Automation Gateway Internet Edition in 2023. Because the intranet cannot be connected to the Internet, it is impossible to connect to the ZoTrus Cloud SSL Service System, and it is impossible to achieve Client-to-Cloud integrated SSL certificate automation management. Therefore, the ZoTrus HTTPS Automation Gateway, which has been widely deployed and used on the Internet, cannot be deployed and used on the Intranet. Although the Internet Edition of the Gateway already supports the automatic issuance of intranet SSL certificates for intranet Web servers, the premise is that the Gateway must be deployed on the Internet.

To automate SSL certificate management in the intranet, the only solution is for the intranet gateway to be "self-sufficiency" and to issue dual-algorithm intranet SSL certificates that are trusted by browsers to internal websites. This requires simplifying the CA system that issues SSL certificates to a mini version, and there must be an issuing root certificate for issuing intranet SSL certificates, and there must also be a certificate revocation management system. As shown in the figure below, the ZoTrus Intranet Gateway has a built-in CA system for issuing intranet SSL certificates, and the issuing root certificate key for issuing SSL certificates is generated and managed by the gateway's built-in HSM card that has been certified by China Commercial Cryptographic Product Certification, and this key is used to issue dual-algorithm intranet SSL certificates. And the intranet gateway has a built-in CRL system for revoking intranet SSL certificates and browsers to query certificate revocation information, providing intranet users with the same certificate revocation service as Internet SSL certificates.

The intranet SSL certificates issued by ZoTrus Intranet Gateway built-in CA system are trusted by ZT Browser because the built-in dual-algorithm SSL issuing root certificate of each intranet gateway is issued by the SM2 and RSA algorithm intranet root CA certificates that are trusted by ZT Browser, and it is limited to issuing dual-algorithm intranet SSL certificates with fixed customer’s organization name and customer’s official domain name for intranet gateway customers. As long as the end user's computer is installed with ZT Browser, not only can the padlock icon and the SM2 encryption icon be displayed normally to implement SM2 HTTPS encryption, but also other commonly used browsers will also trust the RSA algorithm intranet SSL certificate automatically configured by the ZoTrus Intranet Gateway. Intranet users can continue to use their commonly used browsers that only support the RSA algorithm. All browsers will not prompt "Not secure" and can secure and reliably implement HTTPS connections to intranet Web applications.

The ZoTrus Intranet HTTPS Automation Gateway released this time supports three different CPUs and provides two different sizes of products. The small Intranet Gateway based on Intel Atom CPU is only 1.2 kg and the size of a book, which is very suitable for small and medium-sized enterprises to automatically solve the HTTPS encryption problem of the Intranet management information system. The other two Intranet Gateways in 2U standard network security equipment chassis can meet the HTTPS encryption automation application requirements of various application scenarios of government extranets and Intranets of large and medium-sized enterprises and institutions, support up to 510 Intranet web systems, and recommend dual-machine hot standby deployment to ensure uninterrupted HTTPS encryption automation and WAF protection automation services for the internal management system.

4. Only by automating the intranet SSL certificate can the security of intranet traffic be guaranteed

The ZoTrus Intranet HTTPS Automation Gateway adopts the same technical approach as the Internet TLS/SSL certificate automation management (ACME), but it solves the problem that the intranet cannot connect to the cloud SSL certificate automation system, and it achieves "self-sufficiency" of dual-algorithm intranet SSL certificates. It is more reliable than the Internet gateway that needs to rely on ACME cloud services. It completely solves the technical problem of naked plain text HTTP transmission of intranet traffic and will surely become the preferred product for solving the security of intranet traffic.

The reason why the intranet is called an intranet is that its traffic is all confidential data, and it needs HTTPS encryption more than the Internet. HTTPS encryption requires SSL certificates, and the intranet needs SSL certificate automation more, because the intranet application system cannot stop running to install SSL certificates, and it cannot stop running to complete the transformation of SM2 algorithm support. Therefore, the only perfect solution is to deploy the ZoTrus Intranet Gateway in front of the Web server to achieve zero transformation from plaintext HTTP to HTTPS encryption, which truly to ensure the security of confidential data transmission in the intranet and effectively ensure the security of intranet traffic.