Create a Self-signed Certificate on Windows for Local Development

We need to a create self-signed certificate for local development so that the local development server behaves similar to a live production server. Additionally the certificate must not generate warnings in the browser (Chromium based browsers only) that the certificate is self-signed and can’t be trusted.

Developing locally with plain http is just fine. But sometimes we need to mimic development with production so that TLS encryption via https is available also on our development machines. We also don’t want to see ugly security warnings from browsers. The following article shows how to create self-signed certificates on Windows that doesn’t generate browser warnings on Chrome and other Chromium based browsers.

The article is a bit long but please grab a coffee and follow along. The result is worth the effort as you only need to generate the certificate once in a very long time. I set the expiry date 10 years in the future for the domains I create for local development.

Goal: Create an imaginary domain pdb.oak.san with a self-signed certificate that works on major browsers (except Firefox) without generating a warning. Works great on Chromium based browsers like Chrome, Canary, Microsoft Edge and Opera, IE.

Step 1: Setup hostname

  • Open Notepad in Administrator mode: Click Windows Start icon in task bar and start typing Notepad, right click the Notepad icon and click Run as administrator
  • Inside Notepad, open the file: C:\Windows\System32\drivers\etc\hosts
  • We want to create an imaginary domain: pdb.oak.san, add the following line to the hosts file:
127.0.0.1    pdb.oak.san
  • Save the file and close

Step 2: Create a client-side self-signed certificate

  • Open PowerShell in Administrator mode: Click Windows Start icon in task bar and start typing PowerShell, right click the PowerShell icon and click Run as administrator
  • Type the following to generate a self-signed certificate for domain pdb.oak.san with friendly name pdb.oak.san that expires after 10 years:
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "pdb.oak.san" -FriendlyName "pdb.oak.san" -NotAfter (Get-Date).AddYears(10)
  • You should get the following output

Step 3: Copy the certificate created in Step 2 to Trusted Root Certification Authorities, then export it

  • Open Management Console for Certificates: Click Windows Start icon and start typing certificates, click Manage computer certificates
  • On the left panel, click Personal -> Certificates, you should see the client-side certificate for pdb.oak.san created above in Step 2
  • On the left panel, open the tree for (but don’t left click the folder) Certification Authorities -> Certificates
  • With the right mouse button, drag and drop the certificate to the location opened in the previous step
  • Now export the certificate: right-click the certificate, All Tasks -> Export…
  • Welcome screen appears, click Next
  • Select Yes, export the private key, click Next
  • Keep the default values for .PFX, click Next
  • Type a password for the private key, click Next
  • Browse for a location and give the certificate a name (cert.pfx), click Next
  • Finally click Finish
  • You will get a notice that the export was successful

Step 4: Create the server-side certificate and key

  • Pre-requisite: you need to have OpenSSL https://www.openssl.org/ installed. Since you are a developer and on Windows, it’s highly likely you already have https://git-scm.com/ installed, so you should also have OpenSSL installed. Otherwise we recommend installing Git for Windows with Git Bash support – this will automatically also install OpenSSL.
  • Open Command Prompt and change directory to the location where you exported the certificate with .PFX extension cert.pfx in Step 3 above.
  • Type the following commands in the Command Prompt one by one. When prompted for password, type the password you used in Step 3 above when exporting the .PFX certificate.
$ openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
$ openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
$ openssl rsa -in key.pem -out server.key
  • You should now have the following files in the folder, we will be using the cert.pem and server.key files. You can delete the other files if you want to.
cert.pem    --> KEEP
server.key  --> KEEP
cert.pfx  
key.pem  

Step 5: Test

  • You can use Apache or Nginx to test the https connection for the pdb.oak.san domain. We will create a simple Go server as it can be created really fast with a few lines of code. Create a file called main.go and type the code below. Make sure cert.pem and server.key is in the same folder as the main.go file.
package main

import (
    "fmt"
    "net/http"
)

func handleHome(w http.ResponseWriter, r *http.Request) {
    _, _ = fmt.Fprintln(w, "Home page to test the TLS cert and secure https connection")
}

func main() {
    http.HandleFunc("/", handleHome)
    s:=http.Server{}
    _ = s.ListenAndServeTLS("cert.pem", "server.key")
}
  • Build and run the Go server: go build main.go, then run the resulting executable program main.exe
  • Now if we visit https://pdb.oak.san/ in a browser, we can see the home page with the following content: “Home page to test the TLS cert and secure https connection”
  • We can also check the certificate by clicking on the lock icon in the browser address bar:

For Nginx Users

To test on Nginx instead of writing Go code, you can use the configuration below.

  • Make sure to copy your cert.pem and server.key to the locations for ssl_certificate and ssl_certificate_key.
  • Folder paths like C:\Users\sanji\pdn\pdb.oak.san\www should of course match the locations in your own computer.
server {
    listen          443 ssl;

    server_name     pdb.oak.san;
    root            C:\Users\sanji\pdn\pdb.oak.san\www;
    access_log      C:\Users\sanji\pdn\pdb.oak.san\logs\access.log;
    error_log       C:\Users\sanji\pdn\pdb.oak.san\logs\error.log;
    index           index.html;

    ssl_certificate     C:\Users\sanji\pdn\pdb.oak.san\ssl\cert.pem;
    ssl_certificate_key C:\Users\sanji\pdn\pdb.oak.san\ssl\server.key;
}

The video below shows the steps I took to setup SSL on an imaginary domain on my local machine. The video is 20 minutes; maybe I could have been done the video in 10 minutes or less. But here I am showing the actual problems I am running into and the steps I am taking to solve them.

Setting up domains, servers and certificates in real-life is not without problems. This is not a scripted video. It shows the problems I face and how I resolve them.


This a scenario where you have created personal certificates and digitally signed them on your own and now you want them available and trusted on another machine.

8 thoughts on “Create a Self-signed Certificate on Windows for Local Development

    1. Thanks, I tried Brave which is Chromium based and it works!
      But, how can I replace the empty page with the message “Home page to test the TLS cert and secure https connection” with the contents of the folder instead (my local web page)?

      Like

      1. Are you sure you want to do that 😊? Unless it’s a download server, listing directory content is not recommended.
        Since you tried the Go example, you can use this bit of code in the handleHome function.

        entries, _ := os.ReadDir(".")
        for _, entry := range entries {
        	_, _ = fmt.Fprintf(w, "%s\n", entry.Name())
        }
        

        Like

  1. The problem is that instead of serving the local web page that main.exe is placed in, which is the point to use a local HTTPS server for development in the first place, it just serves a message on a white background.

    That’s what I meant, not print a list of the files.

    Like

    1. Hmm… I think using the Go program (main.exe) as a file server might serve what you are looking for. Can you try the following?

      fs := http.FileServer(http.Dir("."))
      http.Handle("/", http.StripPrefix("/", fs))
      

      Delete the line:

      http.HandleFunc("/", handleHome)

      This will serve the index.html file located in the same directory as the main.exe.

      Like

      1. Funny thing, I just did this before I see your answer by combining information from another tutorial and the following is all that is needed and works well!
        I don’t know what will be the difference with your version though.

        There are two awesome things here:
        1. I only have to use an arbitrary domain registered in windows like you suggested, with NO numbers, periods to access it on the browser!
        2. No security complaints in Chromium-based browsers!
        What’s left is to figure out what are the security issues.
        Thanks for your contribution!

        Here it is all in all before building it (

        import (
        “fmt”
        “net/http”
        )

        func main() {
        fs := http.FileServer(http.Dir(“./”))
        http.Handle(“/”, fs)

        fmt.Printf(“Starting server\n”)

        s:=http.Server{}
        _ = s.ListenAndServeTLS(“cert.pem”, “server.key”)
        }

        Liked by 1 person

  2. after running the server (main.exe) on the command prompt:

    “2022/10/06 14:07:22 http: TLS handshake error from 127.0.0.1:1945: remote error: tls: bad certificate”

    then from Firefox:
    “has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.”

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s