Create an HTTPS Certificate for Localhost Domains

If you’re a developer working on local virtual hosts hosted on your computer, you might need to set up HTTPS certificates for these domains to ensure secure connections.

This tutorial will guide you through the process of generating HTTPS certificates for localhost domains.

Please note that these certificates are intended for development purposes only. Do not use self-signed certificates in production! For online certificates, you should use Let’s Encrypt.

Certificate Authority (CA)

Before we dive into generating the certificates for your local domains, we need to create a Certificate Authority (CA) to sign these certificates. Here’s how you can do it:

  1. Open a terminal or command prompt.
  2. Execute the following commands to generate the RootCA.pem, RootCA.key, and RootCA.crt files:
openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Example-Root-CA"
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt

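Please note that Example-Root-CA in the command above is just an example name, and you can customize it to your preference. The -nodes option writes RootCA.key without a passphrase, so keep that file private: once the CA is added to your trusted roots (see "Trust the Local CA" below), anyone holding the key can issue certificates that your browser will accept.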

Domain Name Certificate

Once we have our CA ready, let’s proceed to create the domain-specific certificates for our local virtual hosts.

Assume you have two domains, fake1.local and fake2.local, hosted on your local machine for development, and you’ve already pointed them to 127.0.0.1 using the hosts file.

  1. Create a new file named domains.ext and list all your local domains in it:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names

[alt_names]
DNS.1=localhost
DNS.2=fake1.local
DNS.3=fake2.local

  2. Now, generate the certificates for your local domains with the following commands:
openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt

Feel free to customize the country, state, city, and name in the first command according to your preferences.
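
To confirm the signed certificate before configuring the web server, the following added example (not part of the original tutorial) checks that localhost.crt chains to RootCA.pem, is not itself a CA, and lists every hostname in subjectAltName. The names check_leaf, make_demo, check-leaf.sh and no-san.crt are assumptions made for this example; make_demo rebuilds the tutorial's files in a scratch directory as constructed test input.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify a leaf certificate before use.
# check_leaf CA_PEM LEAF_CRT HOST...  returns 0 only if every check passes.
check_leaf() {
    ca=$1; leaf=$2; shift 2
    # 1. The leaf must chain to the local CA.
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
        { echo "FAIL: $leaf is not signed by $ca"; return 1; }
    text=$(openssl x509 -in "$leaf" -noout -text)
    # 2. The leaf must not be a CA itself (basicConstraints=CA:FALSE in domains.ext).
    case $text in *CA:TRUE*) echo "FAIL: $leaf is marked CA:TRUE"; return 1 ;; esac
    # 3. Each hostname must be a DNS entry in subjectAltName.
    sans=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;s/ //g;p;}')
    for host in "$@"; do
        case ",$sans," in
            *",DNS:$host,"*) ;;
            *) echo "FAIL: $host missing from subjectAltName"; return 1 ;;
        esac
    done
    echo "OK: $leaf chains to $ca and covers: $*"
}

# make_demo DIR (hypothetical helper): repeats the tutorial's commands in DIR and
# also signs no-san.crt WITHOUT -extfile domains.ext, the mistake check 3 catches.
make_demo() (
    set -e; cd "$1"
    umask 077   # -nodes leaves both private keys unencrypted; owner-only access
    openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 \
        -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Example-Root-CA" 2>/dev/null
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'subjectAltName=@alt_names' '' '[alt_names]' 'DNS.1=localhost' \
        'DNS.2=fake1.local' 'DNS.3=fake2.local' > domains.ext
    openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr \
        -subj "/C=US/O=Example-Certificates/CN=localhost.local" 2>/dev/null
    openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key \
        -CAcreateserial -extfile domains.ext -out localhost.crt 2>/dev/null
    openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key \
        -CAcreateserial -out no-san.crt 2>/dev/null
)

# Run as: sh check-leaf.sh RootCA.pem localhost.crt localhost fake1.local fake2.local
if [ "$#" -ge 3 ]; then check_leaf "$@"; fi
```

The no-san.crt file still verifies against the CA but fails the third check, which is what happens when -extfile domains.ext is left off the signing command.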

Configure Your Webserver

With the certificates generated, it’s time to configure your web server to use them. For example, if you’re using Apache, you can follow these steps:

  1. Open your Apache configuration file (e.g., httpd.conf or apache2.conf).
  2. Add the following lines to enable SSL and point to your certificates:
SSLEngine on
SSLCertificateFile "/path/to/localhost.crt"
SSLCertificateKeyFile "/path/to/localhost.key"

Replace /path/to/localhost.crt and /path/to/localhost.key with the actual paths to your certificate and private key files.

Trust the Local CA

After configuring your web server, you might encounter a browser warning that the certificate is not trusted when accessing your local sites, because the browser does not yet know your local CA.

To resolve this and get the green lock in your browser, you need to add your newly created local CA to the trusted Root Certificate Authorities.

Here’s how to do it on Windows 10 for popular browsers:

Windows 10: Chrome, Internet Explorer 11, and Microsoft Edge

  1. Windows 10 recognizes .crt files, so you can right-click on RootCA.crt, select Install, and follow the import dialog.
  2. Make sure to select “Trusted Root Certification Authorities” and confirm.

After importing the certificate, you should see the green lock in Chrome, Internet Explorer 11, and Microsoft Edge.

Windows 10: Firefox

There are two ways to get the CA trusted in Firefox.

  1. The simplest method is to make Firefox use the Windows trusted Root CAs by going to about:config in your address bar, and setting security.enterprise_roots.enabled to true.
  2. Alternatively, you can import the certificate manually by navigating to about:preferences#privacy, selecting Certificates, clicking Import, and choosing RootCA.pem. Then, confirm that you want to use this certificate for websites.

Once you’ve completed these steps, your local sites should load without any certificate warnings, and you can safely test and develop with HTTPS enabled.

Remember, the certificates generated through this tutorial are for development purposes only. For production use, make sure to obtain proper certificates from trusted authorities. Happy coding!