A repo that sets up TLS locally so you can use TLS on localhost or 127.0.0.1, using Cloudflare's cfssl tool.
For a less manual approach, use mkcert.
cfssl gencert -initca ca/config.json | cfssljson -bare ./certs/ca
On macOS, add the root CA to the system keychain:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certs/ca.pem
On Debian/Ubuntu, install the root CA into the system bundle instead (update-ca-certificates picks up .crt files from /usr/local/share/ca-certificates):
openssl x509 -outform der -in certs/ca.pem -out certs/ca.crt
sudo cp certs/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
cfssl gencert -ca=certs/ca.pem -ca-key=certs/ca-key.pem localhost/config.json | cfssljson -bare certs/localhost
All your certificates should now be in the certs directory.
To keep things simple I have created a Caddyfile in the server directory; you will need to install Caddy before running these steps.
This server uses the localhost certs generated previously.
caddy run -config server/Caddyfile
$ curl -v https://localhost
* Trying ::1:443...
* Connected to localhost (::1) port 443 (#0)
* ALPN, offering http/1.1
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: localhost
* Server certificate: Spazzy Root CA
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.71.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: Caddy
< Date: Wed, 25 Nov 2020 10:51:46 GMT
< Content-Length: 13
<
* Connection #0 to host localhost left intact
Hello, world!
As you can see above, the certificates are valid.
cfssl gencert -ca certs/ca.pem -ca-key certs/ca-key.pem intermediate/config.json | cfssljson -bare certs/intermediate
You need to have both the intermediate and the root CA in your keychain.
On macOS, add the intermediate CA to the system keychain as well:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certs/intermediate.pem
On Debian/Ubuntu, install the root CA into the system bundle (update-ca-certificates picks up .crt files from /usr/local/share/ca-certificates):
openssl x509 -outform der -in certs/ca.pem -out certs/ca.crt
sudo cp certs/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
cfssl gencert -ca=certs/intermediate.pem -ca-key=certs/intermediate-key.pem localhost/config.json | cfssljson -bare certs/localhost
This server uses the localhost certs generated previously, now issued by the intermediate CA.
caddy run -config server/Caddyfile
* Trying ::1:443...
* Connected to localhost (::1) port 443 (#0)
* ALPN, offering http/1.1
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: localhost
* Server certificate: (LOCAL) CA
* Server certificate: (LOCAL) ROOT CA
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.71.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: Caddy
< Date: Wed, 25 Nov 2020 11:52:01 GMT
< Content-Length: 13
<
* Connection #0 to host localhost left intact
Hello, world!
As you can see above, the certificates are valid.
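As an added example that is not part of this repo: the script below rebuilds the same root -> intermediate -> localhost chain with plain openssl (a stand-in for the cfssl config files, which are not shown here) and then runs the checks a client such as curl performs before it reports the certificate as valid: the chain reaches the trusted root, the SAN covers localhost and 127.0.0.1, and the certificate matches its private key. The CA names mirror the curl output above; the directory layout, extension files and the two helper functions are assumptions.

```shell
#!/bin/sh
# Added example, not the repo's own code: build a root -> intermediate -> localhost
# chain with openssl (constructed stand-in for the cfssl configs) and verify it the
# way curl does. Paths and extension files below are assumptions, not the repo's.

# make_chain DIR: write ca.pem, intermediate.pem, localhost.pem and their keys into DIR.
make_chain() {
  d=$1
  mkdir -p "$d"
  # Root CA: self-signed; req -x509 marks it CA:TRUE with the default config.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=(LOCAL) ROOT CA" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  # Intermediate CA: a CSR signed by the root. It must itself carry CA:TRUE,
  # otherwise openssl and curl refuse to build a chain through it.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/int.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=(LOCAL) CA" \
    -keyout "$d/intermediate-key.pem" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/intermediate.csr" -CA "$d/ca.pem" \
    -CAkey "$d/ca-key.pem" -CAcreateserial -extfile "$d/int.ext" \
    -out "$d/intermediate.pem" 2>/dev/null
  # Leaf for the server: the SAN is what lets both https://localhost and
  # https://127.0.0.1 validate; modern clients ignore the CN for hostname checks.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$d/localhost-key.pem" -out "$d/localhost.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/localhost.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate-key.pem" -CAcreateserial -extfile "$d/leaf.ext" \
    -out "$d/localhost.pem" 2>/dev/null
}

# verify_leaf DIR [INTERMEDIATE_PEM]: succeed only if localhost.pem chains to ca.pem
# (through the intermediate when one is supplied), names localhost and 127.0.0.1
# in its SAN, and matches localhost-key.pem.
verify_leaf() {
  d=$1
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$d/ca.pem" -untrusted "$2" "$d/localhost.pem" >/dev/null 2>&1 || return 1
  else
    openssl verify -CAfile "$d/ca.pem" "$d/localhost.pem" >/dev/null 2>&1 || return 1
  fi
  san=$(openssl x509 -in "$d/localhost.pem" -noout -ext subjectAltName)
  case "$san" in *DNS:localhost*) ;; *) return 1 ;; esac
  case "$san" in *"IP Address:127.0.0.1"*) ;; *) return 1 ;; esac
  # Key/cert match: the public key in the cert must equal the one derived from the key.
  [ "$(openssl x509 -in "$d/localhost.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$d/localhost-key.pem" -pubout 2>/dev/null)" ]
}
```

Running verify_leaf without the intermediate argument fails with "unable to get local issuer certificate", which is exactly why the intermediate has to be trusted or served alongside the leaf.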