Without divulging TOO much information, I need to setup a web server system that is intended to be used by end users all over the internet.
the use case is such that:
Since the distributed software will be a unique web server on every individual users' machine, I'm unsure how or even if it is possible, to get a THIRD PARTY SIGNED SSL certificate that won't cause trustworthiness errors when the user connects to it via the web browser. Of course it can use self-signed SSL certs but the idea is to avoid the browser warnings so that the end users will implicitly "trust" data coming from their own application running its webserver over SSL.
Is this possible?
Navigate to the site with the cert you want to trust, and click through the usual warnings for untrusted certificates. In the address bar, right click on the red warning triangle and "Not secure" message and, from the resulting menu, select "Certificate" to show the certificate.
Steps to followSign an SSL certificate for localhost. Develop a server using Node. js that is being served up using a localhost SSL certificate. Configure the Firefox web browser and the Postman API client to allow certificates that we have signed as the CA.
The process of purchasing and installing a third-party certificate consists of these steps: Generate a private key. Use the private key plus some identifying information to generate a Certificate Signing Request (CSR). Send the Certificate Signing Request to the certificate authority.
You will never be issued a proper https cert for localhost. It is strictly forbidden. Because reasons.
In short:
/etc/hosts
localhost.foo.local
it may cause localhost
to resolve incorrectly (you've probably seen this class of error before)You can create a root certificate and then create a so-called "self-signed" certificate, signed by the root ca you created. You'll still get the ugly warning screen, but it'll work.
In lieu of actual localhost
certs, I do what Eugene suggests - create a 127.0.0.1 record on a public domain.
You can get free HTTPS certificates for localhost.YOURSITE.com
via Let's Encrypt via https://greenlock.domains. Just choose the DNS option instead of the HTTP File Upload option
*.localhost.example.com
cert and issue each installation a secret xyz.localhost.example.com
(and include it in the public suffix list to prevent attacks on example.com)If you do not get included in the PSL note that:
Update: with things like greenlock that use ACME / Let's Encrypt, this is no longer particularly relevant.
This is probably a really bad idea because we don't want users becoming accustomed to installing Root CAs willy nilly (and we know how that turned out for Lenovo), but for corporate / cloned machines it may be a reasonable low-budget option.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With