Key and certificate for https on localhost

Excerpt

To serve https from a local development server you need a private key and a certificate that the browser trusts. Both files must be created first.

The steps to do:

  1. Install openssl
  2. Create your own rootCA with key & certificates
  3. Install the rootCA certificate
  4. Create key & certificate for localhost
  5. Sign the localhost certificate using the rootCA

Here are brief instructions:

Install openssl

The OpenSSL project (https://www.openssl.org/) does not distribute binaries itself, but the OpenSSL wiki lists builds made by the community:
https://wiki.openssl.org/index.php/Binaries

Download the OpenSSL build for Windows or your OS from there and install it. Use only the sources listed on that page, since you are about to trust this tool with your CA key.

Some installers end with a request to support OpenSSL with a donation; this can be declined.

The commands below create everything needed for a 'localhost' server. You can of course replace the organization name (mathertel.de), country (DE) and city (Frankfurt) with your own.

Create your own rootCA

Creating your own CA (Trusted Root Certification Authority) means you install a single trust anchor once and can then issue certificates for any number of servers in your personal (development) environment.

This command creates a 2048 bit rootCA key file and a self-signed certificate. You will not have to repeat this often, as the rootCA certificate is given a long lifetime of 3560 days (a little under 10 years). The -nodes option leaves the key unencrypted on disk, which is convenient for scripted use but means anyone who can read the file can issue certificates your machine will trust.


openssl req -x509 -sha256 -days 3560 -nodes -newkey rsa:2048 -subj "/CN=mathertel.de/C=DE/L=Frankfurt" -keyout rootCA.key -out rootCA.crt
    

This creates 2 files: rootCA.crt and rootCA.key. Keep them safe and read-only for the lifetime of the CA. The rootCA.key file in particular must never leave your machine: whoever holds it can mint a certificate for any host name that every browser trusting this root will accept without warning.

Install the rootCA certificate

The root certificate rootCA.crt must be added to the trusted certificate store, in the section "Trusted Root Certification Authorities". On Windows you can do this by double-clicking rootCA.crt and choosing that store in the import wizard, or from an elevated command prompt with certutil -addstore -f ROOT rootCA.crt. Note that Firefox keeps its own certificate store and ignores the Windows one unless the security.enterprise_roots.enabled preference is turned on. Install only the .crt file, never the .key.

Create the key

The following command creates the private key for localhost. The default key size depends on the OpenSSL version, so it is better to state it explicitly:


openssl genrsa -out localhost.key 2048
    

This creates the file localhost.key.

This file belongs only on your server, in a location that is not reachable or downloadable from the outside (keep it out of the document root and out of version control).

Create unsigned certificate (CSR)

A certificate contains details about the server, so 'localhost' must be used as the Common Name (CN); the other DN attributes can be changed.

(CSR stands for 'Certificate Signing Request'.)

The other parameters are best practice or required for TLS certificates. Together they can be kept in a configuration file localhost-csr.conf:

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = DE
L = Frankfurt
CN = localhost

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 127.0.0.1
    

To create the unsigned certificate request use the following command:

openssl req -new -key localhost.key -out localhost.csr -config localhost-csr.conf

This creates the file localhost.csr. Note that openssl x509 -req ignores the extensions contained in the CSR by default, so the subjectAltName has to be supplied again when signing (next step).

Signing the certificate

For this step a configuration file localhost-crt.conf is again helpful. It carries the extensions of the issued certificate. Browsers match the host name only against the subjectAltName (the CN alone is ignored), so the DNS and IP entries here are what make the certificate valid for https://localhost and https://127.0.0.1. Adding extendedKeyUsage = serverAuth is also good practice for a TLS server certificate.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
    

To create a signed certificate use the following command:


openssl x509 -req -in localhost.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out localhost.crt -days 2000 -sha256 -extfile localhost-crt.conf
    

This creates the file localhost.crt. Unlike the key, the certificate is public and is sent to every client for verification. Note that the 2000-day lifetime exceeds the 825-day limit that Apple platforms enforce on TLS server certificates; if such clients need to reach your server, use -days 825 or less.

To check that the freshly created certificate chains to your root, run the following command; a successful run prints "localhost.crt: OK":


  openssl verify -verbose -CAfile rootCA.crt localhost.crt
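The whole procedure from steps 2 to 5 (root CA, server key, CSR with SAN, signing, verification), as an added example that is not code from the original page. It wraps the commands in shell functions so every step can be run and checked separately, and the verification goes one step further than the page: it also checks the host name against the SAN the way a browser does. It assumes an openssl binary (1.1.1 or 3.x) on the PATH and a POSIX shell (on Windows, Git Bash works); the directory and file names and the "Local Dev Root CA" name are chosen here, not prescribed by the page.

```shell
#!/bin/sh
# Added example, not code from the original page: the full procedure
# (root CA, server key, CSR with SAN, signing, verification) as shell
# functions that can be run and checked one by one.
# Assumptions: an 'openssl' binary (1.1.1 or 3.x) is on PATH; directory and
# file names are chosen here and are not prescribed by the page.
set -u

# make_root_ca DIR: self-signed root (10 years) with explicit CA extensions.
make_root_ca() {
  local dir=$1
  mkdir -p "$dir"
  cat > "$dir/rootCA.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Local Dev Root CA
C = DE
L = Frankfurt
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -sha256 -days 3650 -nodes -newkey rsa:2048 \
    -config "$dir/rootCA.cnf" -keyout "$dir/rootCA.key" -out "$dir/rootCA.crt" &&
  chmod 400 "$dir/rootCA.key"   # the CA key is the crown jewel: owner read-only
}

# make_server_cert DIR NAME DAYS: key + CSR + certificate signed by DIR/rootCA.*
# The SAN (DNS and IP) is what browsers match; it is repeated in the signing
# extfile because 'openssl x509 -req' ignores CSR extensions by default.
make_server_cert() {
  local dir=$1 name=$2 days=$3
  cat > "$dir/$name-csr.cnf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = DE
L = Frankfurt
CN = localhost
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
  cat > "$dir/$name.ext" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
EOF
  openssl genrsa -out "$dir/$name.key" 2048 &&
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -config "$dir/$name-csr.cnf" &&
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -out "$dir/$name.crt" -days "$days" -sha256 -extfile "$dir/$name.ext"
}

# verify_chain CA CERT [HOST]: exit 0 only if CERT chains to CA and its SAN
# covers HOST (default localhost), i.e. the same checks a browser performs.
verify_chain() {
  local ca=$1 cert=$2 host=${3:-localhost}
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# cert_has_san CERT TEXT: exit 0 if the certificate dump contains TEXT,
# e.g. "DNS:localhost" or "IP Address:127.0.0.1".
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -qF "$2"
}

# Demo run: sh localhost-pki.sh --demo  (writes into $TMPDIR/localhost-pki)
demo() {
  local work=${TMPDIR:-/tmp}/localhost-pki
  make_root_ca "$work" && make_server_cert "$work" localhost 825 &&
  verify_chain "$work/rootCA.crt" "$work/localhost.crt" &&
  echo "ok: $work/localhost.crt and $work/localhost.key are ready"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The leaf certificate is issued for 825 days here rather than 2000, and verify_chain with a wrong host name (or against a different root) is expected to fail; that failure is the point of the check, since a certificate that verifies only without the host name check would still be rejected by the browser.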

Next

The 2 files localhost.crt and localhost.key can be used to run secure servers such as live server or nodejs express based servers.

Using https as the protocol (not http) is required for several browser features that are only available in a secure context, including service workers...

Also, browsers implement HTTP/2 only over TLS, so https is a precondition for it as well.

See Also