Localhost : why self-signed is better than let's encrypt?

Franz333 · March 4, 2020, 10:02am

Hi,

In the doc it says:

" It’s possible to set up your own domain name that happens to resolve to 127.0.0.1 , and get a certificate for it using the DNS challenge. However, this is generally a bad idea and there are better options."

Why is it a bad idea? And why would the other options like self-signed be better?

Thanks

tdelmas · March 4, 2020, 10:40am

Certificats pour localhost - Let's Encrypt - Certificats SSL/TLS gratuits explains the two reason for such certificate:

Local dev
Apps

For local dev, it's easier to generate a self-signed certificate valid for a long time than using a DSN challenge with a domain you own.

For apps, you can't distribute that kind of certificates, because if you do, any of your users have access to the private key and can revoke it.

Franz333 · March 4, 2020, 11:19am

Thanks for your answer @tdelmas

I forgot to mention it was a Local dev. Well it’s actually more for an internal network with no registered domain than for a local dev.

So it’s just about the fact that is “technically easier”, right?

Another question if you don’t mind. It is also said in the doc that "If you want a little more realism in your development certificates, you can use minica to generate your own local root certificate.

What do they mean by “more realism”?

Thanks again

tdelmas · March 4, 2020, 11:34am

And it doesn't require to own a domain.

It's closer to the production environment (because with "real" CA, you don't have self-signed certificate, but a certificate signed by an intermediate signed by a trusted root)

schoen · March 5, 2020, 11:03pm

You could also argue that it's a little more secure because you can be even more sure that the key is right and that the CA didn't make a mistake. And you can keep the existence of your project a secret from everyone in a way that you can't do with a public certificate authority.

Franz333 · March 9, 2020, 1:20pm

thanks for the extra explanation @schoen !

anyway, I had to use makecert in the end… I needed smth easy and quick… minica’s doc and support are not giving information on how to use generated files… and I know nothing about certs.

minica is even advising you to use makecert actually

system · April 8, 2020, 1:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.