How to set up HTTPS for local testing purposes?

Question

I need to see how a web application will work with HTTPS. But I can't really find much information around about it. I tried to set up my local Apache but I can't find a CA autorithy to sign my certificate... Hints? Suggestions?

Answer 1

The possibilities to consider are:

1. Generate your own certificate (self-signed certificate)
2. Get a certificate issued by a known issuer
3. Get a certificate issued by an issuer not recognised by the browser

Nr. 1 is probably the most widely used solution. You can find instructions here. The only disadvantage is that browsers will complaint about the unknown CA. In Firefox, you can just add a permanent exception and get rid of the warning. (Neither Chrome nor Internet Explorer seem to provide such option.)

Nr. 2 normally costs money so it isn't a popular choice for dev environments.

Nr. 3 can be obtained for free (see https://www.cacert.org/) but they also trigger a browser warning. A difference with nr. 1 is that you have the possibility of adding the CA to your browser's trusted authorities; however, that's a serious decision that requires serious consideration because of its security implications. In general, I would not recommend it for mere testing.

Answer 2

Self-signed certificates (as already mentioned) are probably the easiest option for a single host.

If there are a few hosts, you could create a mini CA of your own. There are tools for this, for example:

• CA.pl: a script provided with OpenSSL.
• TinyCA: a tool with a GUI.