How about having your local development environment accessible over HTTPS without SSL warning?
As a developer, you may have to work on multiple projects, clients and web applications. One of the prerequisites for web application development is to test the websites locally on the browser during the development phase. Very high chance that the application you are developing will be secured with SSL/TLS certificate in a production environment.
How about if you have to test certain functionality leveraging third-party API which requires origin to be https://?
You can say self-signed cert and there is nothing wrong with that. But have you tried accessing self-signed cert implemented site? You will still get cert warning on Chrome and other browsers.
Do you see the Not Secure badge?
Not Good, right?
The best way to having valid SSL cert on the development environment is by managing your own CA and its possible with mkcert. An easy to implement which let you have a valid cert on the following local development web address.
You can implement
mkcert on macOS, Windows, CentOS, Ubuntu and other UNIX-based OS. The following example is from Ubuntu.
First thing first, let’s install the network security service tools which has
certutil to manage the certificate database.
apt-get update apt-get install libnss3-tools
You may also need to ensure the brew is installed on your server. If not install using the following command.
apt-get install linuxbrew-wrapper
and, finally, install the
brew install mkcert
Note: to install using brew you shouldn’t be root. and it gets installed in
Where $USER is the username you have used to install
Now, its time to get the local CA installed in the system trust store.
[email protected]:~/mkcert# /home/chandan/.linuxbrew/bin/mkcert -install Using the local CA at "/root/.local/share/mkcert" ✨ The local CA is now installed in the system trust store! ⚡️ [email protected]:~/mkcert#
And, next, generate a certificate for the development environment. Let’s say you are going to have your website on example.com and you can use the following command to get the certificate and key file.
[email protected]:~/mkcert# /home/chandan/.linuxbrew/bin/mkcert example.com Using the local CA at "/root/.local/share/mkcert" ✨ Created a new certificate valid for the following names 📜 - "example.com" The certificate is at "./example.com.pem" and the key at "./example.com-key.pem" ✅ [email protected]:~/mkcert#
Great! now, I have a valid certificate and its key file ready to use on my Nginx, Apache or other web servers.
Let’s take an example of an Apache HTTP server. If not already, enable the SSL module and configuration.
[email protected]:/etc/apache2# a2enmod ssl Considering dependency setenvif for ssl: Module setenvif already enabled Considering dependency mime for ssl: Module mime already enabled Considering dependency socache_shmcb for ssl: Enabling module socache_shmcb. Enabling module ssl. See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates. To activate the new configuration, you need to run: systemctl restart apache2 [email protected]:/etc/apache2#
As suggested, restart the Apache.
At this point, if you netstat you will notice the Apache has started with secure port 443.
[email protected]:/etc/apache2# netstat -anlp |grep 443 tcp6 0 0 :::443 :::* LISTEN 11616/apache2 [email protected]:/etc/apache2#
But, we are not done yet. Its started with the default (dummy) cert and we need to replace that.
vi file and replace the following with the path where you have generated the key and cert file.
SSLCertificateFile /root/mkcert/example.com.pem SSLCertificateKeyFile /root/mkcert/example.com-key.pem
Before restarting Apache, you also have to manipulate
hosts file for example.com so it resolves to your localhost instead of Internet one. Once you are done, restart the Apache HTTP server and access example.com – you will see a trusted certificate is being served.
This can be handy to have a trusted certificate in local environment. The above is just an example of example.com but you can do for localhost and others. If you need an external signer to issue a certificate then check out how to get that in free.