Localhost: why is self-signed better than Let's Encrypt?


In the doc it says:

" It’s possible to set up your own domain name that happens to resolve to , and get a certificate for it using the DNS challenge. However, this is generally a bad idea and there are better options."

Why is it a bad idea? And why would the other options like self-signed be better?



https://letsencrypt.org/fr/docs/certificates-for-localhost/ explains the two reasons for such a certificate:

  • Local dev
  • Apps

For local dev, it’s easier to generate a self-signed certificate valid for a long time than to use a DNS challenge with a domain you own.

For apps, you can’t distribute that kind of certificate, because if you do, any of your users has access to the private key and can revoke it.


Thanks for your answer @tdelmas

I forgot to mention it was a Local dev. Well it’s actually more for an internal network with no registered domain than for a local dev.

So it’s just about the fact that it is “technically easier”, right?

Another question if you don’t mind. It is also said in the doc that "If you want a little more realism in your development certificates, you can use minica to generate your own local root certificate."

What do they mean by “more realism”?

Thanks again


And it doesn’t require you to own a domain.

It’s closer to the production environment (because with a “real” CA, you don’t have a self-signed certificate, but a certificate signed by an intermediate that is itself signed by a trusted root).


You could also argue that it’s a little more secure because you can be even more sure that the key is right and that the CA didn’t make a mistake. And you can keep the existence of your project a secret from everyone in a way that you can’t do with a public certificate authority.


thanks for the extra explanation @schoen !

anyway, I had to use makecert in the end… I needed something easy and quick… minica’s docs and support don’t give information on how to use the generated files… and I know nothing about certs.

minica even advises you to use makecert, actually.

