Geekflare
Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
By Chandan Kumar in Development  |  Last updated: September 1, 2019
Share on:

How to Implement Trusted SSL Cert on Local Dev Environment?

local dev ssl
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

How about having your local development environment accessible over HTTPS without SSL warning?

As a developer, you may have to work on multiple projects, clients and web applications. One of the prerequisites for web application development is to test the websites locally on the browser during the development phase. Very high chance that the application you are developing will be secured with SSL/TLS certificate in a production environment.

Agree?

How about if you have to test certain functionality leveraging third-party API which requires origin to be https://?

You can say self-signed cert and there is nothing wrong with that. But have you tried accessing self-signed cert implemented site? You will still get cert warning on Chrome and other browsers.

Do you see the Not Secure badge?

Not Good, right?

The best way to having valid SSL cert on the development environment is by managing your own CA and its possible with mkcert. An easy to implement which let you have a valid cert on the following local development web address.

  • example.com
  • *.example.com
  • example.test
  • localhost
  • 127.0.0.1
  • ::1

You can implement mkcert on macOS, Windows, CentOS, Ubuntu and other UNIX-based OS. The following example is from Ubuntu.

First thing first, let’s install the network security service tools which has certutil to manage the certificate database.

apt-get update
apt-get install libnss3-tools

You may also need to ensure the brew is installed on your server. If not install using the following command.

apt-get install linuxbrew-wrapper

and, finally, install the mkcert using brew.

brew install mkcert

Note: to install using brew you shouldn’t be root. and it gets installed in <span class="s1">/home/$USER/.linuxbrew/bin/mkcert</span>

Where $USER is the username you have used to install

Now, its time to get the local CA installed in the system trust store.

root@geekflare:~/mkcert# /home/chandan/.linuxbrew/bin/mkcert -install
Using the local CA at "/root/.local/share/mkcert" ✨
The local CA is now installed in the system trust store! ⚡️

root@geekflare:~/mkcert#

And, next, generate a certificate for the development environment. Let’s say you are going to have your website on example.com and you can use the following command to get the certificate and key file.

root@geekflare:~/mkcert# /home/chandan/.linuxbrew/bin/mkcert example.com
Using the local CA at "/root/.local/share/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "example.com"

The certificate is at "./example.com.pem" and the key at "./example.com-key.pem" ✅

root@geekflare:~/mkcert#

Great! now, I have a valid certificate and its key file ready to use on my Nginx, Apache or other web servers.

Let’s take an example of an Apache HTTP server. If not already, enable the SSL module and configuration.

root@geekflare:/etc/apache2# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@geekflare:/etc/apache2#

As suggested, restart the Apache.

At this point, if you netstat you will notice the Apache has started with secure port 443.

root@geekflare:/etc/apache2# netstat -anlp |grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      11616/apache2       
root@geekflare:/etc/apache2#

But, we are not done yet. Its started with the default (dummy) cert and we need to replace that.

Modify default-ssl.conf using vi file and replace the following with the path where you have generated the key and cert file.

SSLCertificateFile      /root/mkcert/example.com.pem
SSLCertificateKeyFile /root/mkcert/example.com-key.pem

Before restarting Apache, you also have to manipulate hosts file for example.com so it resolves to your localhost instead of Internet one. Once you are done, restart the Apache HTTP server and access example.com – you will see a trusted certificate is being served.

Conclusion

This can be handy to have a trusted certificate in local environment. The above is just an example of example.com but you can do for localhost and others. If you need an external signer to issue a certificate then check out how to get that in free.

Thanks to our Sponsors
More great readings on Development
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti
    Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Brightdata
    Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Semrush
    Semrush is an all-in-one digital marketing solution with more than 50 tools in SEO, social media, and content marketing.
    Try Semrush
  • Intruder
    Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder