The era of insecure domain names (unencrypted communication over http) is over. Welcome to the era of secure domains (https) with TLS based encryption.
Unencrypted transfer of information over http is not necessarily a bad thing, there are plenty of sites that still server pages without https protocol. If all you need to do is serve information without any need to process forms, then http should be fine. However the norm is now https even for simple sites and Google encourages it, so https it is.
There are free services like Let’s Encrypt to generate TLS certificates, otherwise you have to pay for certificates from Certified Authorities on live production servers. Alternatively you can also serve https pages on a sub-domain like https://yoursite.googleapps.com which is given to you by Google App Engine for your use.
OK, back to the task at hand. We need to a create self-signed certificate for local development so that the local development server behaves similar to a live production server. Additionally the certificate must not generate warnings in the browser (Chromium based browsers only) that the certificate is self-signed and can’t be trusted.
Goal: Create an imaginary domain pdb.oak.san with a self-signed certificate that works on major browsers (except Firefox) without generating a warning. Works great on Chromium based browsers like Chrome, Canary, Microsoft Edge and Opera, IE.
Step 1: Setup hostname
- Open Notepad in Administrator mode: Click Windows Start icon in task bar and start typing Notepad, right click the Notepad icon and click Run as administrator
- Inside Notepad, open the file:
C:\Windows\System32\drivers\etc\hosts - We want to create an imaginary domain:
pdb.oak.san, add the following line to the hosts file:
127.0.0.1 pdb.oak.san
- Save the file and close
Step 2: Create a client-side self-signed certificate
- Open PowerShell in Administrator mode: Click Windows Start icon in task bar and start typing PowerShell, right click the PowerShell icon and click Run as administrator
- Type the following to generate a self-signed certificate for domain
pdb.oak.sanwith friendly namepdb.oak.santhat expires after 10 years:
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "pdb.oak.san" -FriendlyName "pdb.oak.san" -NotAfter (Get-Date).AddYears(10)
- You should get the following output
Step 3: Copy the certificate created in Step 2 to Trusted Root Certification Authorities, then export it
- Open Management Console for Certificates: Click Windows Start icon and start typing certificates, click Manage computer certificates
- On the left panel, click Personal -> Certificates, you should see the client-side certificate for pdb.oak.san created above in Step 2
- On the left panel, open the tree for (but don’t left click the folder) Certification Authorities -> Certificates
- With the right mouse button, drag and drop the certificate to the location opened in the previous step
- Now export the certificate: right-click the certificate, All Tasks -> Export…
- Welcome screen appears, click Next
- Select Yes, export the private key, click Next
- Keep the default values for .PFX, click Next
- Type a password for the private key, click Next
- Browse for a location and give the certificate a name (cert.pfx), click Next
- Finally click Finish
- You will get a notice that the export was successful
Step 4: Create the server-side certificate and key
- Pre-requisite: you need to have OpenSSL https://www.openssl.org/ installed. Since you are a developer and on Windows, it’s highly likely you already have https://git-scm.com/ installed, so you should also have OpenSSL installed. Otherwise we recommend installing Git for Windows with Git Bash support – this will automatically also install OpenSSL.
- Open Command Prompt and change directory to the location where you exported the certificate with .PFX extension cert.pfx in Step 3 above.
- Type the following commands in the Command Prompt one by one. When prompted for password, type the password you used in Step 3 above when exporting the .PFX certificate.
$ openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
$ openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
$ openssl rsa -in key.pem -out server.key
- You should now have the following files in the folder, we will be using the cert.pem and server.key files. You can delete the other files if you want to.
cert.pem --> KEEP
server.key --> KEEP
cert.pfx
key.pem
Step 5: Test
- You can use Apache or Nginx to test the https connection for the pdb.oak.san domain. We will create a simple Go server as it can be created really fast with a few lines of code. Create a file called main.go and type the code below. Make sure cert.pem and server.key is in the same folder as the main.go file.
package main
import (
"fmt"
"net/http"
)
func handleHome(w http.ResponseWriter, r *http.Request) {
_, _ = fmt.Fprintln(w, "Home page to test the TLS cert and secure https connection")
}
func main() {
http.HandleFunc("/", handleHome)
s:=http.Server{}
_ = s.ListenAndServeTLS("cert.pem", "server.key")
}
- Build and run the Go server:
go build main.go, then run the resulting executable programmain.exe - Now if we visit https://pdb.oak.san/ in a browser, we can see the home page with the following content: “Home page to test the TLS cert and secure https connection”
- We can also check the certificate by clicking on the lock icon in the browser address bar:
For Nginx Users
To test on Nginx instead of writing Go code, you can use the configuration below.
- Make sure to copy your cert.pem and server.key to the locations for ssl_certificate and ssl_certificate_key.
- Folder paths like
C:\Users\sanji\pdn\pdb.oak.san\wwwshould of course match the locations in your own computer.
server {
listen 443 ssl;
server_name pdb.oak.san;
root C:\Users\sanji\pdn\pdb.oak.san\www;
access_log C:\Users\sanji\pdn\pdb.oak.san\logs\access.log;
error_log C:\Users\sanji\pdn\pdb.oak.san\logs\error.log;
index index.html;
ssl_certificate C:\Users\sanji\pdn\pdb.oak.san\ssl\cert.pem;
ssl_certificate_key C:\Users\sanji\pdn\pdb.oak.san\ssl\server.key;
}
