Localhost : why self-signed is better than let's encrypt?

Hi,

In the doc it says:

" It’s possible to set up your own domain name that happens to resolve to 127.0.0.1 , and get a certificate for it using the DNS challenge. However, this is generally a bad idea and there are better options."

Why is it a bad idea? And why would the other options like self-signed be better?

Thanks

3 Likes

https://letsencrypt.org/fr/docs/certificates-for-localhost/ explains the two reason for such certificate:

  • Local dev
  • Apps

For local dev, it’s easier to generate a self-signed certificate valid for a long time than using a DSN challenge with a domain you own.

For apps, you can’t distribute that kind of certificates, because if you do, any of your users have access to the private key and can revoke it.

2 Likes

Thanks for your answer @tdelmas

I forgot to mention it was a Local dev. Well it’s actually more for an internal network with no registered domain than for a local dev.

So it’s just about the fact that is “technically easier”, right?

Another question if you don’t mind. It is also said in the doc that "If you want a little more realism in your development certificates, you can use minica to generate your own local root certificate.

What do they mean by “more realism”?

Thanks again

1 Like

And it doesn’t require to own a domain.

It’s closer to the production environment (because with “real” CA, you don’t have self-signed certificate, but a certificate signed by an intermediate signed by a trusted root)

1 Like

You could also argue that it’s a little more secure because you can be even more sure that the key is right and that the CA didn’t make a mistake. And you can keep the existence of your project a secret from everyone in a way that you can’t do with a public certificate authority.

3 Likes

thanks for the extra explanation @schoen !

anyway, I had to use makecert in the end… I needed smth easy and quick… minica’s doc and support are not giving information on how to use generated files… and I know nothing about certs.

minica is even advising you to use makecert actually

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.