Sandeep
Published in $/etc
Jan 27, 2020


Quickly set up HTTPS for localhost

In this blog post, I will show you how to set up working HTTPS for localhost, with the green padlock in the browser.

Steps to generate a working SSL certificate for localhost:

  • Create a root SSL certificate for localhost.
  • Make the system trust the root certificate.
  • Issue a domain certificate signed by the root certificate created in the first step.

If you don’t want to do all these steps by hand, check this out:

https://github.com/FiloSottile/mkcert

Before getting into the details of each step, let’s go over a few terms:

Root Certificate: A Root SSL certificate is a certificate issued by a trusted certificate authority (CA).

The SSL ecosystem is based on a model of trust relationship, also called “chain of trust”. When a device validates a certificate, it compares the certificate issuer with the list of trusted CAs. If a match is not found, the client will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until the end of the certificate chain. The top of the chain, the root certificate, must be issued by a trusted Certificate Authority.

Certificate Authority: A Certificate Authority (CA) (or Certification Authority) is an entity that issues digital certificates.

The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified.

In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.

In the context of a website, when we use the term digital certificate we often refer to SSL certificates. The CA is the authority responsible for issuing SSL certificates publicly trusted by web browsers.

Anyone can issue SSL certificates, but those certificates would not be trusted automatically by web browsers. Certificates such as these are called self-signed. The CA has the responsibility to validate the entity behind an SSL certificate request and, upon successful validation, the ability to issue publicly trusted SSL certificates that will be accepted by web browsers. Essentially, the browser vendors rely on CAs to validate the entity behind a website.

CSR: A CSR or Certificate Signing Request is a block of encoded text that is given to a Certificate Authority when applying for an SSL certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate, such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time as the CSR, making a key pair. A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

Now let’s create a self-signed certificate trusted by a local system:

Step 1: Root SSL certificate:

The first step is to create a root SSL certificate. This root certificate can then be used to sign any number of certificates you might generate for individual domains.

Generate an RSA-2048 key and save it to a file named rootCA.key. This file will be used as the key to generate the root SSL certificate. You will be prompted for a pass phrase, which you’ll need to enter each time you use this key to sign a certificate. Open a terminal and run the command below:

openssl genrsa -des3 -out rootCA.key 2048

Now use the key you just generated to create the root SSL certificate. You will be prompted for the key’s pass phrase and then for optional subject information (country, organization and so on). The -days 1024 option sets how long the root certificate stays valid.

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Step 2: Trust the root SSL certificate

Before we use this root certificate we need to tell the system to trust it, so that all individual certificates issued by it are also trusted. Trust this root only on your own development machine and keep rootCA.key private: anyone holding that key can issue certificates your browser will accept.

For Mac:

Open Keychain Access on your Mac and go to the Certificates category in your System keychain. Once there, import the rootCA.pem using File > Import Items. Double click the imported certificate and change the “When using this certificate:” dropdown to Always Trust in the Trust section.

For Windows:

Press Windows key + R, run certmgr.msc, then go to Trusted Root Certification Authorities → Certificates, right-click, choose All Tasks → Import, and follow the wizard.

For Linux:

Depending on your Linux distribution, you can use trust anchor (p11-kit), update-ca-certificates (Debian/Ubuntu) or the equivalent command to mark the generated root certificate as trusted. Note that Firefox, and Chrome on Linux, use their own NSS certificate store, so you may also need to import rootCA.pem in the browser’s certificate settings.

Step 3: Creating a Domain SSL certificate:

1. Create a new OpenSSL configuration file server.csr.cnf so you can import these settings when creating a certificate instead of entering them on the command line.

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=US
ST=ExampleState
L=ExampleCity
O=Organization
OU=OrganizationUnit
emailAddress=example@mail.com
CN = localhost

2. Create a v3.ext file so that the issued certificate is an X.509 v3 certificate carrying extensions. Notice subjectAltName here: modern browsers ignore the CN and match the host name against the SAN entries, so a certificate without DNS.1 = localhost will still be rejected.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost

3. Create a private key and a certificate signing request for localhost using the configuration settings stored in server.csr.cnf. The key is written to server.key and the CSR to server.csr.

openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config ./server.csr.cnf

The root SSL certificate can now be used to issue a certificate specifically for your local development environment at localhost. The CSR is signed with the root certificate and its key, applying the extensions from v3.ext, to produce a domain certificate for localhost. The output is a certificate file called server.crt.

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 800 -sha256 -extfile v3.ext
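Steps 1 and 3 above, scripted end to end as an added example (not the post’s own script, nor mkcert’s code), finishing with the checks a browser effectively performs: the chain verifies against the root and the host name appears in the SAN. It assumes a stock openssl.cnf (whose v3_ca section marks the root CA:TRUE), creates the root key without a pass phrase so it runs unattended, and adds an IP SAN and serverAuth EKU that the post does not.

```shell
#!/bin/sh
# Added example, not the post's own script: Steps 1 and 3 run unattended in one
# directory, then the result is verified. Unlike the post, the root key has no
# pass phrase (protect rootCA.key by file permissions instead) and the leaf
# gets extendedKeyUsage=serverAuth plus an IP SAN for 127.0.0.1.
set -eu

make_localhost_cert() (
  mkdir -p "$1" && cd "$1"
  umask 077   # private keys are created readable by the owner only
  # Step 1: root key and self-signed root certificate (-days as in the post)
  openssl genrsa -out rootCA.key 2048 2>/dev/null
  openssl req -x509 -new -key rootCA.key -sha256 -days 1024 \
    -subj "/CN=Local Dev Root CA" -out rootCA.pem
  # Step 3: the two config files from the post, written from heredocs
  cat > server.csr.cnf <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = US
O = Organization
CN = localhost
EOF
  cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
  openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 \
    -keyout server.key -config ./server.csr.cnf 2>/dev/null
  openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
    -CAcreateserial -out server.crt -days 800 -sha256 -extfile v3.ext 2>/dev/null
  # What a browser effectively checks: the chain leads to the trusted root and
  # a SAN entry matches the host name (the CN alone is ignored by browsers).
  openssl verify -CAfile rootCA.pem server.crt >/dev/null
  openssl x509 -in server.crt -noout -text | grep -q 'DNS:localhost'
)

if command -v openssl >/dev/null 2>&1; then make_localhost_cert "${1:-./localhost-certs}"
else echo "openssl not found in PATH" >&2; fi
```

Run it as sh make-localhost-cert.sh [output-dir]; the root certificate to import in Step 2 is output-dir/rootCA.pem.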

Now the SSL certificate is ready for use:

Use server.key and server.crt to set up SSL for a project.

Below is a sample Express application demonstrating SSL:

const express = require('express');
const https = require('https');
const fs = require('fs');

const app = express();

// Private key and certificate issued in Step 3; keep server.key out of version control.
const optionSSL = {
  key: fs.readFileSync('./server.key'),
  cert: fs.readFileSync('./server.crt')
};

app.use(express.static('public'));

// Port 443 needs elevated privileges on most systems; pick a high port such as 8443 otherwise.
const server = https.createServer(optionSSL, app);
server.listen(443, () => console.log('HTTPS server listening on https://localhost'));

In the End:

I hope you find this blog useful. If you like it, please upvote and share it with your friends. If you don’t want to run all these commands yourself, please check my repository: a set of scripts to quickly generate an HTTPS certificate for your local development environment.

Thank you for reading!
