Here's one of those little petty irritations with SSL: if you want to get a SSL certificate out of a CA without at least a lot of slow discussion, the hostname needs to be in one of your official domains. (It wouldn't surprise me if there were CAs that required the name to exist in your public DNS.)

This may be a local peculiarity, but we prefer to put machines that are on private networks into a set of local private domain names under a top level domain that doesn't exist in the outside world. Among other things, using such names makes it immediately clear if a machine is an internal one or not, and avoids various leaks that tend to cause problems.

(Put simply, our rule is 'private IP, private hostname; public IP, public hostname'.)

But, of course, we can't get SSL certificates for machines with such private names. This is totally fair, but at the same time kind of inconvenient every so often.

(It's fair because if we could get such certificates for our machines, necessarily someone else could also get such certificates for our machines.)

I now wonder if large organizations set up their own CA (and have the CA key installed on all of their machines) so that they can avoid this. Probably this is not a specific concern, although there are other reasons they might want their own CA.

(For the sufficiently cautious, you can worry about the information leak inherent in telling the CA about various of your internal hostnames by asking for SSL certificates. After all, if they're useful hostnames for you they're probably at least somewhat revealing for outsiders.)