How to Implement Trusted SSL Cert on Local Dev Environment?
How about having your local development environment accessible over HTTPS without SSL warning?
As a developer, you may have to work on multiple projects, clients and web applications. One of the prerequisites for web application development is to test the websites locally on the browser during the development phase. Very high chance that the application you are developing will be secured with SSL/TLS certificate in a production environment.
Agree?
How about if you have to test certain functionality leveraging third-party API which requires origin to be https://?
You can say self-signed cert and there is nothing wrong with that. But have you tried accessing self-signed cert implemented site? You will still get cert warning on Chrome and other browsers.
Do you see the Not Secure badge?
Not Good, right?
The best way to having valid SSL cert on the development environment is by managing your own CA and its possible with mkcert. An easy to implement which let you have a valid cert on the following local development web address.
- example.com
- *.example.com
- example.test
- localhost
- 127.0.0.1
- ::1
You can implement mkcert
on macOS, Windows, CentOS, Ubuntu and other UNIX-based OS. The following example is from Ubuntu.
First thing first, let’s install the network security service tools which has certutil
to manage the certificate database.
apt-get update
apt-get install libnss3-tools
You may also need to ensure the brew is installed on your server. If not install using the following command.
apt-get install linuxbrew-wrapper
and, finally, install the mkcert
using brew
.
brew install mkcert
Note: to install using brew you shouldn’t be root. and it gets installed in <span class="s1">/home/$USER/.linuxbrew/bin/mkcert</span>
Where $USER is the username you have used to install
Now, its time to get the local CA installed in the system trust store.
root@geekflare:~/mkcert# /home/chandan/.linuxbrew/bin/mkcert -install
Using the local CA at "/root/.local/share/mkcert" ✨
The local CA is now installed in the system trust store! ⚡️
root@geekflare:~/mkcert#
And, next, generate a certificate for the development environment. Let’s say you are going to have your website on example.com and you can use the following command to get the certificate and key file.
root@geekflare:~/mkcert# /home/chandan/.linuxbrew/bin/mkcert example.com
Using the local CA at "/root/.local/share/mkcert" ✨
Created a new certificate valid for the following names 📜
- "example.com"
The certificate is at "./example.com.pem" and the key at "./example.com-key.pem" ✅
root@geekflare:~/mkcert#
Great! now, I have a valid certificate and its key file ready to use on my Nginx, Apache or other web servers.
Let’s take an example of an Apache HTTP server. If not already, enable the SSL module and configuration.
root@geekflare:/etc/apache2# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
systemctl restart apache2
root@geekflare:/etc/apache2#
As suggested, restart the Apache.
At this point, if you netstat you will notice the Apache has started with secure port 443.
root@geekflare:/etc/apache2# netstat -anlp |grep 443
tcp6 0 0 :::443 :::* LISTEN 11616/apache2
root@geekflare:/etc/apache2#
But, we are not done yet. Its started with the default (dummy) cert and we need to replace that.
Modify default-ssl.conf
using vi
file and replace the following with the path where you have generated the key and cert file.
SSLCertificateFile /root/mkcert/example.com.pem
SSLCertificateKeyFile /root/mkcert/example.com-key.pem
Before restarting Apache, you also have to manipulate hosts
file for example.com so it resolves to your localhost instead of Internet one. Once you are done, restart the Apache HTTP server and access example.com – you will see a trusted certificate is being served.
Conclusion
This can be handy to have a trusted certificate in local environment. The above is just an example of example.com but you can do for localhost and others. If you need an external signer to issue a certificate then check out how to get that in free.