Self-Signed Certificate for Development

HTTPS locally without a commercial certificate.

Self-signed certificates are perfect for development and test environments. They allow working in HTTPS without having to buy a commercial certificate.

However, self-signed certificates should NEVER be used in production: their issuer is not in any browser or operating-system trust store, so every visitor gets a warning instead of a padlock.

This guide shows you how to create and use self-signed certificates effectively.

What is a Self-Signed Certificate

Understanding self-signed certificates:

  • Definition: a certificate signed by its own private key, without a certificate authority.
  • No trust: browsers display a warning because the issuer isn't recognized.
  • Valid encryption: encryption works exactly like with a commercial certificate.
  • Limited use: reserved for development, testing, and controlled internal networks.

Development Benefits

Why use self-signed certificates:

  • Free and instant: no cost or validation delay.
  • HTTPS testing: test your code in real HTTPS conditions.
  • Modern APIs: access features that require HTTPS (geolocation, etc.).
  • No dependency: works offline and doesn't depend on external services.

Create a Self-Signed Certificate

Generation with OpenSSL:

  1. Generate private key: create a 2048-bit RSA key.
  2. Create certificate: generate the self-signed certificate with the key.
  3. Configure server: install the certificate on your development server.
  4. Accept exception: add an exception in your browser for this certificate.

OpenSSL Commands

Self-signed certificate generation:

# Generate key + certificate in one command (valid 365 days)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout localhost.key -out localhost.crt \
  -subj "/CN=localhost"

# With SAN for more flexibility (-addext needs OpenSSL 1.1.1 or newer)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout localhost.key -out localhost.crt \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,DNS:*.localhost,IP:127.0.0.1"

The -nodes flag ("no DES") skips encrypting the private key with a passphrase, so the server can start without prompting; since the key then sits on disk in the clear, keep the file readable only by the account that runs the server.
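The script below is an added example and is not part of the original guide. It runs the SAN variant of the command above and then uses OpenSSL alone to check the properties the rest of this page relies on: that the certificate is self-signed (issuer equals subject), that the names you will browse to are in the SAN list, that verification fails without a trust anchor (the browser warning from the FAQ) and succeeds once the certificate itself is trusted (the browser or OS exception), and that the validity window matches -days. It assumes OpenSSL 1.1.1 or newer (for -addext) and a writable scratch directory; WORKDIR and the function names are this example's own choices, not OpenSSL options.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes OpenSSL 1.1.1+ so that
# -addext is available, and a writable scratch directory (WORKDIR is our own
# variable, not an OpenSSL setting).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/localhost.key"
CRT="$WORKDIR/localhost.crt"

# Steps 1 and 2 of the guide in one command: RSA-2048 key plus a self-signed
# certificate carrying the SANs a browser will match against.
gen_dev_cert() {
  days="${1:-365}"
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -keyout "$KEY" -out "$CRT" \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,DNS:*.localhost,IP:127.0.0.1" \
    2>/dev/null
  chmod 600 "$KEY"   # the key is unencrypted (-nodes), so rely on file permissions
}

# Self-signed means the issuer is the subject itself.
is_self_signed() {
  subj=$(openssl x509 -in "$CRT" -noout -subject)
  iss=$(openssl x509 -in "$CRT" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Browsers ignore CN and match the hostname against subjectAltName, so check
# that the exact name you will type into the address bar is listed
# (OpenSSL prints entries as "DNS:localhost" and "IP Address:127.0.0.1").
has_san() {
  openssl x509 -in "$CRT" -noout -text | grep -q "$1"
}

# Without a trust anchor, chain building stops at the self-signed leaf: this
# is exactly why the browser shows its warning.
verify_untrusted() {
  if openssl verify "$CRT" >/dev/null 2>&1; then
    return 1   # unexpectedly trusted: something in the default store matched
  fi
}

# Adding the certificate itself as a trust anchor is what an OS or browser
# exception does; the same verification now succeeds.
verify_trusted() {
  openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# Returns 0 if the certificate is still valid N seconds from now.
still_valid_in() {
  openssl x509 -in "$CRT" -noout -checkend "$1" >/dev/null
}

# Stand-alone run: generate, then report each check.
gen_dev_cert 365
is_self_signed                 && echo "self-signed: issuer equals subject"
has_san "DNS:localhost"        && echo "SAN present: DNS:localhost"
has_san "IP Address:127.0.0.1" && echo "SAN present: IP Address:127.0.0.1"
verify_untrusted               && echo "untrusted without an anchor (browser warning)"
verify_trusted                 && echo "trusted once the cert is the anchor (browser exception)"
still_valid_in 86400           && echo "still valid tomorrow"
```

Run it as `sh dev-cert-check.sh`; set WORKDIR to keep the files somewhere other than a fresh temp directory. The pair verify_untrusted / verify_trusted is the whole story of the browser warning in two commands: nothing about the encryption changes, only whether the verifier has been told to trust this particular issuer.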

Best Practices

Tips for self-signed certificates:

  • Never in production: use Let's Encrypt or a commercial certificate for production.
  • Use mkcert: this tool creates a local CA to avoid browser warnings.
  • Include SANs: modern browsers match the hostname against the subjectAltName extension and ignore the CN, so a certificate with only a CN is rejected.
  • Document: explain to developers how to accept the certificate.

Checklist

  • Certificate generated with SAN
  • Server configured
  • Exception added to browser
  • Documentation for the team
  • mkcert considered for convenience
  • Not used in production

Frequently Asked Questions

Can I use it in production?

No! Visitors will see scary warnings and most will leave your site.

Why does my browser show a warning?

The certificate isn't signed by a recognized certificate authority.

What is mkcert?

A tool that creates a local CA and installs it in your system to avoid warnings.

Does encryption work?

Yes, TLS encryption works exactly like with a commercial certificate.

How long is it valid?

You choose the duration with -days. For development, 365 days is convenient.

How to trust the certificate?

Add it to your OS's trusted certificate store or use mkcert.

HTTPS Locally

Self-signed certificates are essential for developing in real HTTPS conditions without cost or complexity.

For production, use Let's Encrypt and monitor your certificates with MoniTao.
