A valid Self-Signed SSL Certificate to support HTTPS on Local Application Development that just works.
- Turn your machine into the Root CA Authority that can create valid SSL certificates to your local development apps as many as you like.
- maintain & register your FQDN (locally) that could accessed via Chrome & many modern browser with NO MORE display annoying
ERR_CERT_COMMON_NAME_INVALIDerrors.
Don't see the red lock icon on that https-enabled local domain? Yeah, you right!
FYI, the worksuite.pv is my example of self-defined domain that will registered automatically via this localssl scripts into /etc/hosts file.
I use that domain on one of my server_name in nginx configuration (VirtualHost -equivalent in apache).
Like this:
After once your machine became the Root CA, you need to let Chrome (and any other browser) know that you are now a Trusted CA. To do that, just open chrome://settings/certificates and import your 001-RootCA-*.crt generated via this script (will found on /etc/localssl.certs/ folder).
You just need to do this one time only.
Required Package :
sudo apt-get install openssl ca-certificatesTo implement this on your Linux Box (Debian/Ubuntu/their derivative OS), you have no need to git clone this repo (although clone is the recommended way, IMO). Just download from here and copy the localssl file to folder /usr/local/bin.
cd /tmp
wget https://raw.githubusercontent.com/Dev-Op5/localssl/master/localssl
chmod +x /tmp/localssl
sudo cp /tmp/localssl /usr/local/binOf course, there is no restriction if you wanna fork this repo and changes the code to suit your needs. I'll be happy if you add the functionality to this script to make this more powerful. Please don't hesitate to gimme pull requests.
Example :
mkdir -p ~/LocalSSL
cd ~/LocalSSL
git clone https://github.com/Dev-Op5/localssl.git .
chmod +x localssl
sudo ln -s ~/LocalSSL/localssl /usr/local/bin Ow, I forgot to mention before. This script can only be executed by root user. So, please just use sudo to use this.
To create the Root CA, you just need to launch the command:
localssl initThat will generate the Root CA certification that the files (*.crt, *.key) will found inside the /etc/localssl.certs folder.
To verify the certificates, you can launch the command
localssl infoExample result:
👍 You see it just right! 👽 👽
The generated Root CA is following the current standard of x509v3 Subject Alternative Name that required by modern browser just like Chrome and MacOS/Safari announced on the linked articles. And that's why the browsers will mark this Root CA as Trusted and Valid SSL issuer.
After doing the Root CA initialization, it is recommended to register your Root CA to every browser you need by import the RootCA's *.crt file into the browser settings.
- Chrome Setting (also applied in Chromium, Edge, Vivaldi, Brave) : open the link
chrome://settings/certificatesin your Chrome Address Bar -> then switch to Authorities tab -> click the Import button and add your001-RootCA*.crtfrom/etc/localssl.certsfolder. - Firefox Setting : refer to this article or open the
about:preferencesfrom Firefox Address Bar -> then type to search "Certificates" -> then click the buttonView Certificates. The Certificate Manager window will open, and you can import the*.crton the Authorities tab. - Android Chrome Setting : transfer your
001-RootCA.crtto your Android device, open Android setting, in Security section selectEncryption & Credentials->Install a certificate->CA certificate-> then select the transferred certificate. Note: eventually this custom self-signed Root CA will only be used by Android Chrome Browser and/or WebView apps that using chrome browser as their engine. Other apps (or native apps) don't trust self-signed certificates installed.
Don't worry, you just need to do this one time only, unless you made changes/remove/and-or recreate of your RootCA.
👍 to make Valid Self-Signed SSL accessed from other devices (inside same local network)
You can copy your
001-RootCA*.crtto other machine and do the certificate's import mechanism like explained above to make the other device (within the same local network) could recognized your Root CA as a Valid & Trusted CA issuer.
To create the Client CA, you just need to launch localssl register <space> your-awesome-domain-address
For example:
localssl register laravel9.trialwhich, the laravel9.trial is your chosen domain address that soon to be registered on your Web Server config.
The localssl register command will also generate some certification files (*.crt, *.csr, *.key) inside the same /etc/localssl.certs folder and they also register the new line in your /etc/hosts file some extra entry about your domain.
127.0.0.1 laravel9.trialTo see the certificate details for your domain, just run localssl info followed by your domain as extra parameter, for example:
localssl info laravel9.trialYou can use the *.crt and *.key generated to be attached in your Web Server config, for example:
server {
...
ssl_certificate /etc/localssl.certs/laravel9.trial.crt;
ssl_certificate_key /etc/localssl.certs/laravel9.trial.key;
...
}...
SSLEngine on
SSLCertificateFile /etc/localssl.certs/laravel9.trial.crt
SSLCertificateKeyFile /etc/localssl.certs/laravel9.trial.key
...After restart the web-server, you could access your apps via your browser: https://laravel9.trial -- perfectly with a Valid & Trusted Certificate
To remove the Client CA (one of your previously-created), you just need to launch localssl remove command, for example:
localssl remove laravel9.trialTo remove the Root CA, run localssl purge without any other parameters. This will also remove all of your previous Client CAs.
And yeah -- for your convenience -- the remove and purge procedures also cleanup the /etc/hosts entry. 💚
Just launch localssl help to explore further options, or you can read the source-code instead to understand the pattern of this script.
Scripted with 💚 by @eRQee. This script comes with no licenses (and no warranty) attached. Feel free to fork, copy or modify that.