Yeah I know, this issue has been discussed many time, but the browser environment change. Let's get started.
I'm developing a business SDK which respond to API request on https://127.0.0.1:5001 . This SDK is installed on the customer computer, in order to access some business app on local servers (with authentication).
For now, I've met the recommendation from here : https://letsencrypt.org/docs/certificates-for-localhost/ , and I have my own self signed root certificate installed in the customer computer windows store (public key only) by my setup, and the full ssl certificate from this root embedded in my app, and it worked fine until recently.
Recently, firefox changed the way security.enterprise_roots.enabled works, so firefox didn't recognize the certificate from the windows store. The user has to change this settings manually, which is not ideal. Alternatively, the user has to show a webpage and grant an exception for this certificate, which is also not ideal as my users are not power-users.
Chrome asserted some weeks ago that they will follow the firefox way, and implement their own store certificate, so we will have the same issue soon on this browser, and maybe soon in Edge and Opera...
So I'm looking for alternatives, and I'm back to the old "local.mydomain.com" pointing to 127.0.0.1 / ::1 with an SSL or a Letsencrypt certificate, and the private key disclosure issue.
I'm asking if it will be valid if I can renew the certificate every single day from a central server, with each certificate be valid for only 3 days.
Each computer instance would download new settings and private key at every startup from the central server, so that a private key leak will not be a big issue. The private key will only be loaded on computer memory, and will not be persisted on the customer computer.
What do you think ?