Creating Trusted Local SSL Certificates for Development
When developing modern web applications, running your local environment over HTTPS is often necessary. Whether you’re integrating third-party APIs, implementing OAuth flows, or testing websocket connections, having proper SSL certificates is crucial. However, dealing with untrusted certificates and constant browser warnings can be frustrating and time-consuming.
This guide will show you how to create and manage trusted SSL certificates for your local development environment, eliminating those annoying browser warnings once and for all.
Prerequisites: This guide assumes you have NGINX and local DNS configured correctly. If not, please refer to our previous guide to get started.
The Problem
Common SSL-related challenges in local development include:
- Browser warnings about untrusted certificates (
NET::ERR_CERT_AUTHORITY_INVALID
) - Issues connecting to local backend services due to certificate trust
- Websocket connection problems
- Time wasted recreating certificates for different projects
- The constant “Not Secure” warning in your browser’s address bar
The Solution
We’ll solve these issues by:
- Creating a local certificate authority (CA)
- Creating SSL certificates for each project and signing them with this CA
- Adding the CA to your browser’s trusted authorities
- Creating additional certificates signed by the same CA for future projects
Quick Setup Using makecrt
I’ve created a convenient bash script to automate this process. You can get it from Github or download it directly:
curl --location -O https://raw.githubusercontent.com/brsc2909/makecrt/main/makecrt && chmod +x makecrt
Using makecrt
The usage is straightforward - run the script as root and specify your domains as arguments. Create separate certificates for each project:
sudo ./makecrt --domains local-app.example.com local-api.example.com
Example output:
Creating extfile
Creating certificate for local-app.example.com
Signature ok
subject=C = IE, ST = Leinster, L = DUBLIN, O = Local CA beast, OU = IT, CN = local-app.example.com
Getting CA Private Key
NGINX config:
ssl_certificate_key /etc/ssl/private/local-app.example.com.key;
ssl_certificate /etc/ssl/certs/local-app.example.com.crt;
Adding the CA to Your Browser
Follow these steps to add the CA certificate to Chrome or other Chromium-based browsers (you only need to do this once):
- Open Chrome Settings and search for “certificates”
- Navigate to Security → Manage Certificates
- Go to the “Authorities” tab
- Click “Import” and select your CA certificate (default location:
/etc/ssl/certs/myLocalRootCA.crt
) - Enable “Trust this certificate for identifying websites”
- Verify your domain appears in the trusted authorities list
Once completed, you’ll see a proper secure connection indicator instead of security warnings.
Advanced Configuration
The script can be customized in two ways:
- Command-line Options
Usage: ./makecrt -d [domain1, domain2...] [options]
options:
-h, --help show brief help
-d, --domains specify domains for certificate use
--days specify certificate validity period (default: 3650)
--CA specify local CA path (default: /etc/ssl/certs/myLocalRootCA.crt)
--CAkey specify local CA private key path
-pd, --private-dir specify private key directory
-cd, --cert-dir specify certificate directory
-e, --eliptic-curve specify elliptic curve type (default: prime256v1)
- Modifying Default Values Edit these variables in the script to match your environment:
# Default configuration
DAYS=3650
CERT_DIR=/etc/ssl/certs
PRIVATE_KEY_DIR=/etc/ssl/private
e_curve=prime256v1
localRootCA=$CERT_DIR/myLocalRootCA.crt
localRootCAkey=$PRIVATE_KEY_DIR/myLocalRootCA.key
EXTFILE=/tmp/_v3.ext
# Organization details
ORG="Local CA $(hostname)"
ORG_UNIT="IT"
COUNTY="DUBLIN"
STATE="Leinster"
COUNTRY="IE"
With this setup, you’ll have a professional-grade local SSL environment that eliminates security warnings and streamlines your development workflow.