Third-Party Signed SSL Certificate for localhost or 127.0.0.1?

Without divulging TOO much information, I need to set up a web server system that is intended to be used by end users all over the internet.

The use case is such that:

  • End users are (usually) in their homes behind their local firewalls when connecting to the system.
  • The system consists of a remote server hosted by us, strictly over https (using SSL).
  • The authorization mechanism requires user account self-creation on the remote server which, upon successful account creation, will then require a piece of software to be downloaded and installed on the end user's computer. This software contains, among other things, a local web server.
  • This "local" web server must also only allow https connections to the user's browser.

Since the distributed software will be a unique web server on every individual user's machine, I'm unsure how, or even if, it is possible to get a THIRD PARTY SIGNED SSL certificate that won't cause trustworthiness errors when the user connects to it via the web browser. Of course it can use self-signed SSL certs, but the idea is to avoid the browser warnings so that the end users will implicitly "trust" data coming from their own application running its web server over SSL.

Is this possible?

Rimer asked Jul 22 '11 16:07



1 Answer

localhost

You will never be issued a proper https cert for localhost. It is strictly forbidden. Because reasons.

In short:

  • Misconfigured devices actually exist, in the wild, that wait for lookups before resolving localhost from /etc/hosts
  • If a router defines localhost.foo.local it may cause localhost to resolve incorrectly (you've probably seen this class of error before)

You can create a root certificate and then create a so-called "self-signed" certificate, signed by the root CA you created. You'll still get the ugly warning screen, but it'll work.

  • See https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/

localhost.YOURSITE.com (points to 127.0.0.1)

In lieu of actual localhost certs, I do what Eugene suggests - create a 127.0.0.1 record on a public domain.

You can get free HTTPS certificates for localhost.YOURSITE.com via Let's Encrypt via https://greenlock.domains. Just choose the DNS option instead of the HTTP File Upload option.

Point your localhost.MY-SLD.MY-TLD to 127.0.0.1

  • Purchase a *.localhost.example.com cert and issue each installation a secret xyz.localhost.example.com (and include it in the public suffix list to prevent attacks on example.com)
  • Use a greenlock-enabled app to generate such certificates on the fly (through https://letsencrypt.org) directly on the client (or pass them to the client)

If you do not get included in the PSL, note that:

  • sessions, localStorage, IndexedDB, etc. are shared by domain
  • changing the port does not change their sharedness

Be Your Own Root Certificate

Update: with things like greenlock that use ACME / Let's Encrypt, this is no longer particularly relevant.

This is probably a really bad idea because we don't want users becoming accustomed to installing Root CAs willy-nilly (and we know how that turned out for Lenovo), but for corporate / cloned machines it may be a reasonable low-budget option.

coolaj86 answered Oct 05 '22 09:10
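The "root certificate plus a leaf signed by it" path and the "Be Your Own Root Certificate" trade-off from the answer above, as an added worked example (not coolaj86's code and not from the linked article). It assumes only the `openssl` command-line tool (1.0.2 or newer); the directory and file names are made up for the example. It builds a private root CA, signs a certificate whose subjectAltName covers both `localhost` and `127.0.0.1`, and then checks the result the way a browser does: chain to a trusted root and SAN match. The last check shows why the warning screen appears: the leaf verifies against the private root but not against the system trust store, so it stays untrusted until that root is installed on each user's machine.

```shell
#!/bin/sh
# Added example, not from the original answer or from coolaj86: stand up a
# private root CA with the openssl CLI, sign a leaf certificate for
# localhost / 127.0.0.1 with it, and check the result the way a browser would
# (chain to a trusted root plus a SAN match). Directory and file names are
# assumptions. Needs OpenSSL 1.0.2 or newer.
set -eu

make_local_dev_certs() {
  dir="$1"
  mkdir -p "$dir"

  # 1. Private root CA: key + self-signed certificate with CA extensions.
  #    This key should never leave the machine it is generated on.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "/CN=Example Local Dev Root CA" 2>/dev/null
  cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl x509 -req -sha256 -days 365 \
    -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # 2. Key + CSR for the local web server.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/localhost.key" -out "$dir/localhost.csr" \
    -subj "/CN=localhost" 2>/dev/null

  # 3. Leaf extensions. Browsers match the SAN, not the CN, so both the DNS
  #    name and the loopback IP go in subjectAltName; CA:FALSE stops the leaf
  #    from being used to sign further certificates.
  cat > "$dir/leaf.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
subjectAltName=DNS:localhost,IP:127.0.0.1
EOF

  # 4. Sign the CSR with the private CA; keep the lifetime short.
  openssl x509 -req -sha256 -days 90 \
    -in "$dir/localhost.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/localhost.crt" 2>/dev/null
}

# Chain and name checks; returns non-zero if any expectation fails.
verify_local_dev_certs() {
  dir="$1"
  # Trusted root + matching DNS name / IP: both must pass.
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname localhost \
    "$dir/localhost.crt" >/dev/null || return 1
  openssl verify -CAfile "$dir/ca.crt" -verify_ip 127.0.0.1 \
    "$dir/localhost.crt" >/dev/null || return 1
  # A name that is not in the SAN must be rejected.
  if openssl verify -CAfile "$dir/ca.crt" -verify_hostname example.com \
      "$dir/localhost.crt" >/dev/null 2>&1; then
    return 1
  fi
  # Without the private root in the trust store the leaf is untrusted. This
  # is the state that produces the browser warning the question is about,
  # and it persists until the root is installed on each user's machine.
  if openssl verify "$dir/localhost.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Usage: sh make-local-certs.sh ./certs
if [ "$#" -gt 0 ]; then
  make_local_dev_certs "$1"
  verify_local_dev_certs "$1"
  echo "certificates in $1 verified OK"
fi
```

Run it as `sh make-local-certs.sh ./certs` and point the local web server at `certs/localhost.key` and `certs/localhost.crt`. The chain is cryptographically sound, but the browser only stops warning once `certs/ca.crt` is installed as a trusted root, which is the per-machine step the answer warns against for a public product. The `localhost.YOURSITE.com` plus ACME approach avoids that step because the issuing root is already in every browser's store.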