How to Implement Trusted SSL Cert on Local Dev Environment?

How about having your local development environment accessible over HTTPS without SSL warning?

As a developer, you may have to work on multiple projects, clients and web applications. One of the prerequisites for web application development is to test the websites locally on the browser during the development phase. Very high chance that the application you are developing will be secured with SSL/TLS certificate in a production environment.

Agree?

How about if you have to test certain functionality leveraging third-party API which requires origin to be https://?

You can say self-signed cert and there is nothing wrong with that. But have you tried accessing self-signed cert implemented site? You will still get cert warning on Chrome and other browsers.

Do you see the Not Secure badge?

Not Good, right?

The best way to having valid SSL cert on the development environment is by managing your own CA and its possible with. An easy to implement which let you have a valid cert on the following local development web address.

  • example.com
  • *.example.com
  • example.test
  • localhost
  • 127.0.0.1
  • ::1

You can implement mkcert on macOS, Windows, CentOS, Ubuntu and other UNIX-based OS. The following example is from Ubuntu.

First thing first, let’s install the network security service tools which has certutil to manage the certificate database.

apt-get updateapt-get install libnss3-tools

You may also need to ensure the brew is installed on your server. If not install using the following command.

apt-get install linuxbrew-wrapper

and, finally, install the mkcert using brew.

brew install mkcert

Note: to install using brew you shouldn’t be root. and it gets installed in /home/$USER/.linuxbrew/bin/mkcert

Where $USER is the username you have used to install

Now, its time to get the local CA installed in the system trust store.

:~/mkcert# /home/chandan/.linuxbrew/bin/mkcert -installUsing the local CA at '/root/.local/share/mkcert' ✨The local CA is now installed in the system trust store! ⚡️:~/mkcert#

And, next, generate a certificate for the development environment. Let’s say you are going to have your website on example.com and you can use the following command to get the certificate and key file.

:~/mkcert# /home/chandan/.linuxbrew/bin/mkcert example.comUsing the local CA at '/root/.local/share/mkcert' ✨Created a new certificate valid for the following names 📜 - 'example.com'The certificate is at './example.com.pem' and the key at './example.com-key.pem' ✅:~/mkcert#

Great! now, I have a valid certificate and its key file ready to use on my Nginx, Apache or other.

Let’s take an example of an Apache HTTP server. If not already, enable the SSL module and configuration.

:/etc/apache2# a2enmod sslConsidering dependency setenvif for ssl:Module setenvif already enabledConsidering dependency mime for ssl:Module mime already enabledConsidering dependency socache_shmcb for ssl:Enabling module socache_shmcb.Enabling module ssl.See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.To activate the new configuration, you need to run: systemctl restart apache2:/etc/apache2#

As suggested, restart the Apache.

At this point, if youyou will notice the Apache has started with secure port 443.

:/etc/apache2# netstat -anlp |grep 443tcp6 0 0 :::443 :::* LISTEN 11616/apache2:/etc/apache2#

But, we are not done yet. Its started with the default (dummy) cert and we need to replace that.

Modify default-ssl.conf using vi file and replace the following with the path where you have generated the key and cert file.

SSLCertificateFile /root/mkcert/example.com.pemSSLCertificateKeyFile /root/mkcert/example.com-key.pem

Before restarting Apache, you also have to manipulate hosts file for example.com so it resolves to your localhost instead of Internet one. Once you are done, restart the Apache HTTP server and access example.com – you will see a trusted certificate is being served.

Conclusion

This can be handy to have a trusted certificate in local environment. The above is just an example of example.com but you can do for localhost and others. If you need an external signer to issue a certificate then check out.