SSL CertificatesTrust solutions
Protect website with trusted SSL certificate
$4.45 per year
Instant Trust to your website & services
with EV SSL certificate
Green Address Bar Included
Company [LV]
https://domain.tld
BusinessTrust EV SSL certificate
$86.15 per year Check offer
LEI CODE Get your business identified and transparent globally
Minimaze financial vulnerabilities
Boost OV/EV SSL validation process
Global Business Identifications
$78.00 per year Get LEI Code
Home Wiki SSL Basics / FAQ SSL certificate for Localhost

SSL certificate for Localhost

  • Nowadays, the use of HTTPS is becoming mandatory for all sites and web applications. However, there is a problem in the development process related to correct testing. Naturally, Let’s Encrypt and other CAs do not issue certificates for localhost, as starting at 1st NOV 2015 the CA/B Forum voted to stop issuance of them. Traditionally, there are two solutions described below.

    • 1

      Solution 1: Self-Signed SSL

      Self-signed certificates generated via openssl or others. Here is the easiest way to generate a private key and a self-signed certificate for localhost:

      openssl req -x509 -out localhost.crt -keyout localhost.key \
        -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=localhost' -extensions EXT -config <( \ printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

      But such a certificate will cause trust errors in browsers because there is no corresponding certification authority in the trusted store.

    • 2

      Solution 2: mkcert

      The trick is to register a new domain like localhost.example.com, which locally resolves to 127.0.0.1 (in / etc / hosts), to get the usual certificate for this domain. But such fraud is questionable from a security point of view - at least for public services such a resolving is highly not recommended because of a possible MiTM attack with a change to a hostile IP address. If we restrict ourselves only to the local machine, then this may be a suitable option, although there are also some doubts. In addition, such certificate may be revoked. In any case, there is a simpler and safer option (see below).

      This is mkcert, a simple utility for generating locally trusted certificates with its own certification authority. It works under all OSs and does not require any configuration.

      For Linux

      First you have to install certutil.

      sudo apt install libnss3-tools
      -or-
      sudo yum install nss-tools
      -or-
      sudo pacman -S nss

      Then do:

      brew install mkcert
                                      

      or compile from source:

      go get -u github.com/FiloSottile/mkcert
      $(go env GOPATH)/bin/mkcert

      For MacOS

      Follow the next command:

      brew install mkcert
      brew install nss # if you use Firefox

      For Windows

      You can download the collected binaries or use one of the package managers: Chocolatey or Scoop.

      choco install mkcert
      -or-
      scoop install mkcert
    • 3

      Step 3: Submit CSR details

      Follow the process and submit all details.

      • Common Name: "KEEP EMPTY"
      • Organization: None, or any other name;
      • Organization Unit (OU): IT, Security or any other;
      • City or Locality: Submit your city;
      • State or Province: Submit your State, Region, Province;
      • Country: ISO-2 country code, like US, LV, RU, CN, make sure it is allowed country;

      Note: Do not submit any key phrase, it will prevent the SSL generation process.

    • 4

      Step 4: Locate CSR file

      You will be able to find the CSR file in working directory once the software finished the process of generation. An alternative command to list out all CSRs on your system.

      ls *.csr
                                      
    • 5

      Step 5: Opening CSR in the console (optional)

      You can open the generated .csr file in the editor using the command below.

      sudo nano new.csr
                                      
    • *

      Example code

      You can open the generated .csr file in the editor using the command below.

      openssl req -out new.csr -new -newkey rsa:2048 -nodes -keyout new.key
          Generating a 2048 bit RSA private key
          writing new private key to 'new.key'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
          Country Name (2 letter code) []:LV
          State or Province Name (full name) []:Rigas
          Locality Name (eg, city) []:Rigas
          Organization  (eg, company) []:None
          Organizational Unit Name (eg, section) []:IT
          Common Name (eg, fully qualified host name) []:
          Email Address []:test@test.tld
      
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
                                      
    • Conclusion

      That steps are mandatory in order to purchase and order Public IP SSL. You can use that manual to generate classical CSR, just submit Common name.

Fast Issuance within 3-5 minutes

Get a Domain Validation SSL certificate within just 5 minutes using our friendly and automated system. No paperwork, callback or company required.

Price Match 100% Guarantee

Found a better price? We will match it - guaranteed. Get the best possible price in the World with us. The correct place to save your money.

Free SSL 90-day for free

Try 90-day Trial SSL Certificate before the real purchase to test cert's functionality. 99.9% browser and mobile support. Unlimited prolongation.

Money Back 30-day guarantee

Customer satisfaction is our major concern. Get a full refund within 30 days for any purchase of SSL certificates with 100% guarantee.

Speed up SSL issuance with LEI

GoGetSSL™ now offering fastest issuance of SSL on planet due to use of LEI code and API automation. Legal Entity Identifier (or LEI) is a global identity code, just like DUNS. Learn now how LEI may help you.

LEI codes starting at
$78.00
Check LEI offer
1,366,468+Total LEIs issued
224+Jurisdictions supported