Certificate for development environment

Hello Let’s Encrypt community

This is probably a noob question, but I must ask as I’ve been searching the internet for the past 2 days, and there is a lot of misinformation out there.

I want to add a certificate to my local development server.
Lots of people on the net say that you can create a self-signed certificate, but these don’t work.
Browsers don’t trust self-signed certificates.
Am I able to get a certificate for my local dev server?
The name of my local server is www.tg.loc.
If it can’t be done here, is it possible via another service?

Have a good evening all.

1 Like

Hi @poizn99

Simple answer: that’s not a publicly visible, worldwide unique domain name. So you can’t create a certificate with that domain name.

Read

Buy a domain, then you can use a lot of subdomains in your configuration. And you can create certificates.

2 Likes

Thank you Juergen.
I appreciate your honesty.

A follow up question: how do other developers simulate a secure connection in their dev environment?
I’ve always worked on my own, so I don’t often get to learn from others.
Your input will be appreciated.

1 Like

They have two options, one of which is more work than the other.

  • They can add trust in their own browsers to a self-signed certificate. Then those browsers will accept that certificate.
  • They can create their own local certificate authority that can issue the web site certificate, and then add trust in their own browsers for that certificate authority.

In both of these cases, the key point is that the general public will not accept the certificates, which is by design—there’s no reason that the general public should believe the certificates’ contents. So the developers have to take some action to modify their browsers’ trust behavior in order to accept something that’s not publicly-trusted.

Alternatively, some developers might work with a public domain name that they have registered and do control and then get a publicly-trusted certificate for it, even for development purposes.

2 Likes
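The second option from the reply above (a local certificate authority that issues the site certificate), as an added example that is not part of any post in this thread. It uses the OpenSSL command line with the thread's host name `www.tg.loc`; the file names, key size and 30-day lifetime are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: local development CA plus one server certificate.
# File names and the 30-day lifetime are choices made for this sketch.

make_dev_ca() {   # $1 = working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Dev Root CA (example)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_leaf() {    # $1 = working directory, $2 = host name
  # Browsers match the host name against subjectAltName, not the CN.
  cat > "$1/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -sha256 -days 30 -in "$1/leaf.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/leaf.ext" -out "$1/leaf.crt" 2>/dev/null
}

check_leaf() {    # $1 = working directory, $2 = host name the client will use
  # Chain must lead to the local CA and the SAN must cover the host name.
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
    "$1/leaf.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && make_dev_ca "$d" && issue_leaf "$d" www.tg.loc &&
  check_leaf "$d" www.tg.loc && echo "www.tg.loc verifies against $d/ca.crt"
fi
```

Only `ca.crt` is imported into the browser or operating system trust store; `leaf.crt` and `leaf.key` are what Apache's `SSLCertificateFile` and `SSLCertificateKeyFile` point at. Keep `ca.key` off shared machines, since any certificate it signs will be accepted by every browser that trusts `ca.crt`.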

Thanks Schoen.
This is all on my local laptop, so the general public won’t be able to access it.

Have you got a tutorial to do either of those methods reliably?
I’m working on Windows 10, Apache.

There are different options:

  1. In Server-Daten, I have a hidden test system. A copy of the webserver .NET code that runs under a second port, so it’s not possible to connect that port from outside. Same database server, but completely different webserver code. If it works -> copy the code from that test- to the productive system.
    There I can use the same certificate.

  2. Page-development. Customers use their databases daily. But creating a new page is independent. Job done -> add the page to the menu.

  3. Ignore it. An own service, only connected from the databases. A self signed certificate (10 years valid) and code that ignores the self signed error. One time installed, then forget it.

  4. Development on the productive system. Crashes sometimes - happens :wink: - not really a problem. “check your website” - most things are added directly.

3 Likes

@JuergenAuer
Number 4, development on the server… that’s a bad habit that I need to get out of… :smiley:
Developers can be quite naughty.

I think I’ll try to figure out how to create my own local certificate authority.
I guess that’s what some of development is about: learning new things, even when they aren’t always practical… lol: developer’s life.

You can do that (complete suite) with this tutorial:
https://jamielinux.com/docs/openssl-certificate-authority/

This is a bit old and might not have the latest features, but it’s sufficient for local development.

1 Like

Hi Stevenzhu

After doing some yard work for the past few days, I’m back onto this.
Thanks for this.
I’ll give it a go.

While this tutorial is great (I use it myself :smiley:), I’m not sure how suited it is for Windows environments. Also, if it’s just @poizn99 himself working on his own system (and no one else), why does he need a whole CA setup?

@poizn99 You can also just generate (with OpenSSL for Windows) a self signed certificate and just use that. If you’re the only one working with this and it’s just your own workstation, one single certificate will do just fine. No reason to complicate things like setting up root certificate with intermediate certificates if you’re not going to use it.

You can use the guide posted by @stevenzhu for generating the root certificate and just use that.

1 Like

Hello Osiris

To answer your question, it was mostly just for learning and getting my server set up correctly.
Self-signed certificates don’t work… I tried.
You have to set up a CA, and create certificates via the CA.

I followed the guide and found something similar for Windows and got it all working.

Thanks all
I appreciate the help :slight_smile:

1 Like

Hi @poizn99! Welcome to the forum.

I’ve actually written a documentation page that discusses this problem: https://letsencrypt.org/docs/certificates-for-localhost/

However, I think the best current resource for solving the problem is mkcert (https://github.com/FiloSottile/mkcert). I’ve been meaning to update the certificates-for-localhost page to link to that.

3 Likes

I’ve opened the issue for it: https://github.com/letsencrypt/website/issues/1060

1 Like

Hi jsha

Mkcert: what a winner!
Thanks for that.

You are a champion.

1 Like
