How to create certificate that will be fully trusted by browsers (green lock) for local development (but on domain other than localhost)


My domain is:

My web server is (include version): nginx/1.13.6

The operating system my web server runs on is (include version): My machine is Windows 10 running Laravel Homestead (Vagrant), which uses Ubuntu 16.04.4 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

How to get “green lock” SSL certificate on local environment? says:

How do you get the green lock locally? The best option: Generate your own certificate, either self-signed or signed by a local root, and trust it in your operating system’s trust store. Then use that certificate in your local web server. See below for details. If you want a little more realism in your development certificates, you can use minica to generate your own local root certificate, and issue end-entity (aka leaf) certificates signed by it. You would then import the root certificate rather than a self-signed end-entity certificate.

So I installed Minica, used it to create a certificate, set up my local Homestead server to use that certificate, and trusted the certificate in Windows:

Unfortunately, I still get this error:

This page is not secure (broken HTTPS).

Certificate - missing

This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).

Here are the details. I ran:

homestead.bat ssh
sudo apt-get install golang-go
mkdir ~/go_work (probably not even necessary because it will get created automatically later because we will set GOPATH to this)
sudo vim ~/.profile
add this line: export GOPATH=$HOME/go_work
source ~/.profile
go get
mkdir ~/go_work/minica_work
cd ~/go_work/minica_work
~/go_work/bin/minica -domains
cp -r ~/go_work/minica_work/ ~/Code/katievb-laravel

Then open Windows Command Prompt as admin.

cd c:\code\katievb-laravel
certutil -addstore -enterprise -f "Root" minica_work/
  • Windows search > Manage computer certificates
  • Trusted Root Certification Authorities > Certificates > > Open > Details > Copy to File > Next > .DER > C:\code\katievb-laravel\
homestead.bat ssh
sudo mkdir /etc/nginx/ssl/minica
sudo cp go_work/minica_work/ /etc/nginx/ssl/minica/
sudo cp go_work/minica_work/ /etc/nginx/ssl/minica/
sudo vim /etc/nginx/sites-enabled/

Replace these 2 lines:

ssl_certificate     /etc/nginx/ssl/;
ssl_certificate_key /etc/nginx/ssl/;


ssl_certificate     /etc/nginx/ssl/minica/;
ssl_certificate_key /etc/nginx/ssl/minica/;


sudo service php7.2-fpm restart
sudo service nginx stop
sudo service nginx start

Then restart Chrome.

Is it possible to use Let’s Encrypt in the way that I’m hoping? I use the free service so that my local site URL is (which I can then test via my desktop and mobile on my LAN), and I want it to be fully trusted by my browsers (with a green lock).

What are my options? Thanks.

My question is also written here (with a bounty):
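
The local-root setup described in this post (a root certificate imported into the trust store, plus a leaf certificate served by nginx), as an added example that is not part of the original post and is not minica's own code. It uses only Go's standard library; the host name `dev.example.test` and the helper names `issue` and `check` are constructed for illustration. It shows that the leaf verifies only when its issuing root is among the trust anchors and the requested host name is in the leaf's SAN list. Without the root, Go returns `x509.UnknownAuthorityError`, the same class of failure as Chrome's `net::ERR_CERT_AUTHORITY_INVALID`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a throwaway cert: a self-signed root CA if parent is nil, else a leaf for host cn.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root: allowed to sign other certificates, names no host
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // leaf: the host name must be in the SAN list (DNSNames)
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check verifies leaf for host using only the given trust anchors (nil error = trusted).
func check(leaf *x509.Certificate, host string, anchors ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	root, rootKey := issue("constructed local root", nil, nil)
	leaf, _ := issue("dev.example.test", root, rootKey) // constructed host name
	fmt.Println("root in trust store:    ", check(leaf, "dev.example.test", root))
	fmt.Println("root not in trust store:", check(leaf, "dev.example.test"))
	fmt.Println("host name not in SAN:   ", check(leaf, "www.example.test", root))
}
```

The same checks apply to a real setup: the file imported into the trust store must be the root that actually signed the leaf nginx serves, and the URL's host name must appear in that leaf's SAN list.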


Hi @GoTesla,

The short answer is no, you can’t do that with

The long answer is you can’t, for two reasons:

1.- If you use the http-01 challenge, Let’s Encrypt will try to validate your domain by resolving it; in this case it will always resolve to a private address, so Let’s Encrypt won’t connect to it.

2.- In this case, you could use the dns-01 challenge, but that is also not possible using because you can’t add or modify any DNS record.

In your case, use a real domain (there are even free domains that you can get here ), use for example Cloudflare to manage the DNS for your domain (it is also free), create an A record for one of your subdomains (or your domain) pointing to your private address, and use any of the available clients like or certbot to issue a cert for your domain using the dns-01 challenge.

Note: I said to use Cloudflare because it is free, you can use only their DNS (there is no need to use its CDN features), and certbot and have support for issuing a cert with the dns-01 challenge using its API.

Good luck,


@sahsanu I appreciate your suggestions. Somehow, I was able to get it to work as I was originally hoping.

I finally got the address bar to have a green lock and “Secure https” in the address bar even for my local site (even using the service). I updated StackOverflow:

