• SSL certificate for Localhost

    Nowadays, the use of HTTPS is becoming mandatory for all sites and web applications. However, there is a problem in the development process related to correct testing. Naturally, Let’s Encrypt and other CAs do not issue certificates for localhost, as starting at 1st NOV 2015 the CA/B Forum voted to stop issuance of them. Traditionally, there are two solutions described below.
    SSL Basics/FAQ
      • 1

        Solution 1: Self-Signed SSL

        Self-signed certificates generated via openssl or others. Here is the easiest way to generate a private key and a self-signed certificate for localhost:

        openssl req -x509 -out localhost.crt -keyout localhost.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \ printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

        But such a certificate will cause trust errors in browsers because there is no corresponding certification authority in the trusted store.

      • 2

        Solution 2: mkcert

        The trick is to register a new domain like localhost.example.com, which locally resolves to 127.0.0.1 (in / etc / hosts), to get the usual certificate for this domain. But such fraud is questionable from a security point of view - at least for public services such a resolving is highly not recommended because of a possible MiTM attack with a change to a hostile IP address. If we restrict ourselves only to the local machine, then this may be a suitable option, although there are also some doubts. In addition, such certificate may be revoked. In any case, there is a simpler and safer option (see below).

        This is mkcert, a simple utility for generating locally trusted certificates with its own certification authority. It works under all OSs and does not require any configuration.

        For Linux

        First you have to install certutil.

        sudo apt install libnss3-tools
-or-
sudo yum install nss-tools
-or-
sudo pacman -S nss

        Then do:

        brew install mkcert

        or compile from source:

        go get -u github.com/FiloSottile/mkcert
$(go env GOPATH)/bin/mkcert

        For MacOS

        Follow the next command:

        brew install mkcert
brew install nss # if you use Firefox

        For Windows

        You can download the collected binaries or use one of the package managers: Chocolatey or Scoop.

        choco install mkcert
-or-
scoop install mkcert
    Latest Wiki Posts
    Categories