Simpler way to generate HTTPS self-signed certificates for local development

The simplest way to make locally-trusted certificates is to use mkcert, a simple zero-config tool.

Assuming a macOS machine, the process is as follows:

Install mkcert

brew install mkcert
brew install nss

Install the local CA in the system trust store

mkcert -install

Generate the certificate for any names you’d like. Here I’m generating one for newsletter.local:

mkcert -cert-file fullchain.pem -key-file privkey.pem newsletter.local

Point the new name to the local address in the hosts file (/etc/hosts) if it doesn’t exist already

127.0.0.1 	localhost newsletter.local
fe80::1%lo0 	localhost
::1         	localhost

Here we’re loading the certificates in nginx, storing them in the same location they’d be in production using Let’s Encrypt:

server {
	# ipv6
	listen [::]:443 ssl http2 ipv6only=on;
	# ipv4
	listen 443 ssl http2;
	server_name newsletter.local;

	ssl_certificate /etc/letsencrypt/live/newsletter.place/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/newsletter.place/privkey.pem;
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

	root /srv/newsletter.place/src/public;

	index index.html;
}
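
Before reloading nginx, the certificate and key can be checked from the shell. The script below is an added example, not part of the original post; check_dev_cert is a hypothetical helper name and it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before pointing nginx at it.
# check_dev_cert is a hypothetical helper name; it only needs the openssl CLI.
# Usage: check_dev_cert CERT KEY HOSTNAME   (returns 0 only if every check passes)
check_dev_cert() {
    cert=$1 key=$2 host=$3 rc=0

    # 1. The key must belong to the certificate: both must yield the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        rc=1
    fi

    # 2. The certificate must cover the name used in server_name and /etc/hosts.
    #    The verdict is read from -checkhost's output rather than its exit status.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $cert is not valid for $host" >&2
        rc=1
    fi

    # 3. The certificate must still be valid a week (604800 s) from now.
    if ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 7 days" >&2
        rc=1
    fi

    # Show who issued it and when it ends, for a quick visual check.
    [ "$rc" -eq 0 ] && openssl x509 -in "$cert" -noout -issuer -enddate
    return "$rc"
}

# Run directly: sh check_dev_cert.sh fullchain.pem privkey.pem newsletter.local
if [ "$#" -eq 3 ]; then
    check_dev_cert "$@"
fi
```

The issuer line should name the local CA created by mkcert -install. That CA's private key, kept in the directory printed by mkcert -CAROOT, can sign certificates this machine trusts, so it should not be shared or copied to a server.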

Assuming everything was set up correctly, we can see that https://newsletter.local is now using a locally-trusted self-signed certificate, and it’s valid for two years.

HTTPS security overview

HTTPS security detail

Topics: NGINX