Third-Party Signed SSL Certificate for localhost or 127.0.0.1?

by

localhost

You will never be issued a proper https cert for localhost. It is strictly forbidden. Because reasons.

In short:

  • Misconfigured devices actually exist, in the wild, that wait for lookups before resolving localhost from /etc/hosts
  • If a router defines localhost.foo.local it may cause localhost to resolve incorrectly (you’ve probably seen this class of error before)

You can create a root certificate and then create a so-called “self-signed” certificate, signed by the root ca you created. You’ll still get the ugly warning screen, but it’ll work.

localhost.YOURSITE.com (points to 127.0.0.1)

In lieu of actual localhost certs, I do what Eugene suggests – create a 127.0.0.1 record on a public domain.

You can get free HTTPS certificates for localhost.YOURSITE.com via Let’s Encrypt via https://greenlock.domains. Just choose the DNS option instead of the HTTP File Upload option

Point your localhost.MY-SLD.MY-TLD to 127.0.0.1

  • Purchase a *.localhost.example.com cert and issue each installation a secret xyz.localhost.example.com (and include it in the public suffix list to prevent attacks on example.com)
  • Use a greenlock-enabled app to generate such certificates on the fly (through https://letsencrypt.org) directly on the client (or pass them to the client)

If you do not get included in the PSL note that:

  • sessions, localstorage, indexeddb, etc are shared by domain
  • changing the port does not change their sharedness

Be Your Own Root Certificate

Update: with things like greenlock that use ACME / Let’s Encrypt, this is no longer particularly relevant.

This is probably a really bad idea because we don’t want users becoming accustomed to installing Root CAs willy nilly (and we know how that turned out for Lenovo), but for corporate / cloned machines it may be a reasonable low-budget option.

More Related Contents:

  1. How to generate a self-signed SSL certificate using OpenSSL?
  2. Installation SSL in wamp server: Error in httpd-ssl.conf
  3. Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
  4. How can I generate a self-signed certificate with SubjectAltName using OpenSSL? [closed]
  5. Docker container SSL certificates
  6. How do I restore a missing IIS Express SSL Certificate?
  7. Use self signed certificate with cURL?
  8. How to install OpenSSL in windows 10?
  9. How to add subject alernative name to ssl certs?
  10. Difference between self-signed CA and self-signed certificate [closed]
  11. Why does Python requests ignore the verify parameter?
  12. curl: Unknown error (0x80092012) – The revocation function was unable to check revocation for the certificate
  13. Generating client side certificates in browser and signing on server
  14. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  15. curl: (60) SSL certificate problem: unable to get local issuer certificate
  16. How to get .pem file from .key and .crt files?
  17. SSL certificate rejected trying to access GitHub over HTTPS behind firewall
  18. bypass invalid SSL certificate in .net core
  19. SSL Connection / Connection Reset with IISExpress
  20. SSL Multilevel Subdomain Wildcard
  21. Tomcat Server/Client Self-Signed SSL Certificate
  22. Can you use a service worker with a self-signed certificate?
  23. CNAME SSL certificates
  24. OpenSSL: unable to verify the first certificate for Experian URL
  25. cURL requires CURLOPT_SSL_VERIFYPEER=FALSE
  26. javax.net.ssl.SSLPeerUnverifiedException: Host name does not match the certificate subject provided by the peer
  27. Enable TLSv1.2 and TLS_RSA_WITH_AES_256_CBC_SHA256 Cipher Suite
  28. Java7 Refusing to trust certificate in trust store
  29. Spring Boot SSL Client
  30. Java: Loading SSL Keystore via a resource

Leave a Comment