localhost
You will never be issued a proper https cert for localhost. It is strictly forbidden. Because reasons.
In short:
- Misconfigured devices actually exist, in the wild, that wait for lookups before resolving localhost from /etc/hosts
- If a router defines localhost.foo.local it may cause localhost to resolve incorrectly (you’ve probably seen this class of error before)
You can create a root certificate and then create a so-called “self-signed” certificate, signed by the root CA you created. You’ll still get the ugly warning screen, but it’ll work.
localhost.YOURSITE.com (points to 127.0.0.1)
In lieu of actual localhost certs, I do what Eugene suggests – create a 127.0.0.1 record on a public domain.
You can get free HTTPS certificates for localhost.YOURSITE.com via Let’s Encrypt via https://greenlock.domains. Just choose the DNS option instead of the HTTP File Upload option.
Point your localhost.MY-SLD.MY-TLD to 127.0.0.1
- Purchase a *.localhost.example.com cert and issue each installation a secretxyz.localhost.example.com (and include it in the public suffix list to prevent attacks on example.com)
- Use a greenlock-enabled app to generate such certificates on the fly (through https://letsencrypt.org) directly on the client (or pass them to the client)
If you do not get included in the PSL, note that:
- sessions, localstorage, indexeddb, etc. are shared by domain
- changing the port does not change their sharedness
Be Your Own Root Certificate
Update: with things like greenlock that use ACME / Let’s Encrypt, this is no longer particularly relevant.
This is probably a really bad idea because we don’t want users becoming accustomed to installing Root CAs willy nilly (and we know how that turned out for Lenovo), but for corporate / cloned machines it may be a reasonable low-budget option.
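The root-CA route described above, as an added example that is not the answer's own code: a POSIX shell script that creates a private root CA with openssl, signs a leaf certificate for localhost with it, and then verifies the chain and hostname the way a client would once the root is in its trust store. It assumes a standard openssl (1.1.1 or newer) on PATH; the output directory, CA name and lifetimes are constructed values.

```shell
#!/bin/sh
# Added example (not from the original answer): mint a private root CA, sign a
# leaf certificate for localhost with it, and prove the chain verifies.
# Assumes a standard openssl (1.1.1 or newer) on PATH. The output directory,
# CA name and lifetimes below are arbitrary constructed values.
set -eu

make_localhost_cert() {
  dir="${1:-./localhost-ca}"
  mkdir -p "$dir"
  # Minimal req config so the run does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"

  # 1. Root CA: key + CSR, then self-sign with CA:TRUE so it may sign leaves.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -subj "/CN=Example Dev Root CA" -keyout "$dir/root.key" -out "$dir/root.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" \
    -signkey "$dir/root.key" -extfile "$dir/ca.ext" -out "$dir/root.crt"

  # 2. Leaf: key + CSR for localhost. Browsers match the SAN, not the CN, so
  # the names go there; CA:FALSE stops a leaked leaf key from issuing certs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -subj "/CN=localhost" -keyout "$dir/localhost.key" -out "$dir/localhost.csr"
  cat > "$dir/leaf.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:localhost,IP:127.0.0.1
EOF

  # 3. Sign the leaf CSR with the root key; extensions come only from leaf.ext.
  openssl x509 -req -sha256 -days 825 -in "$dir/localhost.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/localhost.crt"
}
# Exit 0 only if the leaf chains to root.crt AND is valid for the given host
# (default localhost): the check a client makes once the root is trusted.
verify_localhost_cert() {
  dir="${1:-./localhost-ca}"
  host="${2:-localhost}"
  openssl verify -CAfile "$dir/root.crt" -verify_hostname "$host" \
    "$dir/localhost.crt" >/dev/null
}
if [ $# -gt 0 ]; then
  make_localhost_cert "$1" >/dev/null 2>&1
  verify_localhost_cert "$1" && echo "chain OK: $1/localhost.crt via $1/root.crt"
fi
```

Only root.crt goes into a trust store; root.key stays offline, because anyone holding it can issue certificates that every machine trusting that root will accept.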