-2

I have the following scenario:

  1. A network will be set up on a Windows infrastructure
  2. A website will be put on that network - It is not given a domain name and is not available on the internet. It will be addressed only via an internally recognised IP address.
  3. A piece of software within that network will communicate with the website (we want to avoid the 'Could not establish trust relationship issue' found with self-signed certificates without reducing security as, I believe, the accepted answer does).
  4. The website will also be viewed on tablets and PCs.
  5. After a few days, the service will be put on a different network (with different IPs).
  6. It will be installed on many PCs/Networks.

I want to secure this via SSL, but it seems tricky following the 2015 update that disallowed IP addresses to have certificates.

This post suggests going via a public IP, but the solution may be completely offline in an area without internet access.

I've spent hours researching, but seem to be missing something.

How should this be done please?

JsAndDotNet
  • 16,260
  • 18
  • 100
  • 123
  • Not sure why the down vote? I've explained the problem clearly and shown evidence of research (which was extensive) prior to asking. – JsAndDotNet Jul 04 '17 at 16:47
  • So why not setup a DNS server with an `app.local` domain that gets issued the certificate? If there's no Internet access then verifying the cert on the chain becomes a moot point, so all your TLS story falls apart. – evilSnobu Jul 05 '17 at 05:53
  • Thank you @evilSnobu. I'll look into it. – JsAndDotNet Jul 05 '17 at 08:26

1 Answer

1

I would set up a DNS server with an app.local domain that gets issued the certificate.

Even if you serve up the intermediate certificates in the TLS handshake (which you should ALWAYS do and not rely on AIA), verifying the chain becomes problematic without Internet access as browsers won't be able to reach the CRL URL (Certificate Revocation List). That is, of course, unless we're talking about your own CA (living in the same network) that issues the site certificate.

If everything you describe runs in a well guarded sandbox then you probably don't need the TLS layer at all; ask yourself WHO is the attacker and WHAT are you protecting.

evilSnobu
  • 24,582
  • 8
  • 41
  • 71
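The internal-CA route the answer describes, as an added worked example that is not code from the question, the answer, or either poster: a private root CA issues a server certificate for the internal name, and the chain is verified entirely offline because the issuing CA lives on the same network and the certificate carries no AIA or CRL URL to fetch. It assumes `openssl` 1.1.0 or later on the PATH; the CA name "Example Internal Root CA", the host name `app.local` and the address `10.0.0.5` are constructed values. Because the CA is private, it is not bound by the public CA/Browser Forum rule the question refers to, so the SAN can carry the internal IP next to the DNS name.

```shell
#!/bin/sh
# Added example (not from the original post): an internal root CA issues a
# server certificate for app.local and the result is verified offline.
# Assumed values: CA name, host name app.local, IP 10.0.0.5, OpenSSL >= 1.1.0.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Extension profiles. The [req]/[dn] sections only exist so that
# "openssl req" accepts this file together with -subj.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.local, IP:10.0.0.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# 1. Internal root CA: private key plus a self-signed CA certificate.
#    ca.key stays off the web server; only ca.pem is distributed to clients.
make_ca() {
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -key ca.key -sha256 -days 3650 \
    -subj "/CN=Example Internal Root CA" \
    -config ext.cnf -extensions v3_ca -out ca.pem 2>/dev/null
}

# 2. Server key and certificate signing request for the internal name.
make_server_csr() {
  openssl genrsa -out app.local.key 2048 2>/dev/null
  openssl req -new -key app.local.key -subj "/CN=app.local" \
    -config ext.cnf -out app.local.csr 2>/dev/null
}

# 3. The CA signs the request, attaching the v3_server profile (SAN included).
sign_server_cert() {
  openssl x509 -req -in app.local.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile ext.cnf -extensions v3_server \
    -out app.local.pem 2>/dev/null
}

# 4a. Chain + host-name check against the internal root only. Nothing is
#     downloaded, so this succeeds on a network with no Internet access.
verify_offline() {
  openssl verify -CAfile ca.pem -verify_hostname app.local app.local.pem >/dev/null 2>&1
}

# 4b. The same chain checked against the IP in the SAN.
verify_ip() {
  openssl verify -CAfile ca.pem -verify_ip 10.0.0.5 app.local.pem >/dev/null 2>&1
}

# 4c. Without ca.pem in the trust store the certificate is rejected: this is
#     the "trust relationship" failure clients report for an unknown issuer,
#     and the reason ca.pem must be imported on every PC and tablet.
verify_without_root() {
  openssl verify app.local.pem >/dev/null 2>&1
}

# Returns the SAN line, e.g. "DNS:app.local, IP Address:10.0.0.5".
san_names() {
  openssl x509 -in app.local.pem -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

make_ca
make_server_csr
sign_server_cert
verify_offline
echo "offline chain + host name check: OK"
verify_ip
echo "offline chain + IP check: OK"
if verify_without_root; then
  echo "unexpected: unknown issuer was accepted"
else
  echo "without ca.pem in the trust store: rejected (expected)"
fi
echo "SAN: $(san_names)"
```

Only `ca.pem` needs to travel to the clients (the trusted-root store of each PC and tablet, and the trust store of the software that calls the website); `ca.key` never leaves the machine that issues certificates. Moving the service to another network then means issuing a new server certificate from the same internal CA with the new name or address in its SAN, without touching the clients again.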