A self-signed certificate is an SSL/TLS certificate that is generated and signed by the individual or organization that owns it, rather than being issued by a trusted Certificate Authority (CA). It is used during development to serve HTTPS from a development server or from a developer machine.
Generating a self-signed certificate:
We will see how to generate a self-signed certificate using:
- the .NET Core tool
- PowerShell
- OpenSSL
- a tool called mkcert
With the .NET Core tool:
The .NET Core SDK includes an HTTPS development certificate, and it works with Kestrel and IIS Express.
You first need to trust it:
## this will trust the development certificate that ships with .NET
dotnet dev-certs https --trust

## the next command checks whether you already have a valid certificate and whether it is trusted
dotnet dev-certs https --check --trust

## the following will check whether there is a certificate,
## and if not, it will create one
dotnet dev-certs https
Where is the certificate stored?
On Windows the certificate is stored in the current user's certificate store (backed by the Windows registry). You can view it by running the Microsoft Management Console (MMC) and adding the Certificates snap-in.
With PowerShell
# the following command creates a certificate for the localhost address and stores it in the local machine store, under the Personal store
# (writing to cert:\LocalMachine requires an elevated PowerShell session)
$cert = New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"
With OpenSSL
# Generate a private key (-des3 encrypts it with a passphrase you will be prompted for)
openssl genrsa -des3 -out myCA.key 2048
# Generate a self-signed root certificate from that key (without -days the certificate is valid for 30 days)
openssl req -x509 -new -nodes -key myCA.key -out myCA.pem

# Or you can do both in one statement (the key is written unencrypted because of -nodes)
openssl req -nodes -new -x509 -keyout server.key -out server.cert
Where in the previous command:
- -nodes: generates the private key without passphrase protection
- -new: generates a new certificate request
- -x509: outputs a self-signed X.509 certificate instead of a certificate request
- -keyout: specifies the file name for the key
- -out: specifies the file name for the certificate
The previous command will prompt for information such as country, state, and so on. When it asks for the Common Name (the server's DNS name), make sure to use localhost.
Alternatively, you can specify all the details on the command line as follows:
# -addext requires OpenSSL 1.1.1 or later
openssl req -nodes -new -x509 -keyout server.key -out server.cert \
  -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
  -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal"
After running the previous command, two files are generated:
- server.key: the private key.
- server.cert: the certificate.
Now you can use them with Node.js as follows:
npx http-server -S -C server.cert -K server.key -p 8080
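The OpenSSL procedure above, followed by the checks a practitioner runs on the result, as an added example that is not part of the original post: it generates server.key and server.cert with a subjectAltName (assuming OpenSSL 1.1.1 or newer, which -addext needs) and then verifies that the private key matches the certificate, that the SAN lists the requested host name, and that the certificate verifies against itself as its own trust anchor. The function names make_dev_cert and check_dev_cert, the output directory parameter and the 365-day validity are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a development certificate
# with OpenSSL the way the article does, then check the properties a client
# verifies before trusting it. Assumes OpenSSL >= 1.1.1 (for -addext); the
# file names server.key / server.cert match the article, the directory is a parameter.
set -eu

# Generate an unencrypted 2048-bit RSA key (-nodes) and a self-signed certificate
# valid for 365 days. Host names go in subjectAltName: browsers match the
# requested host against the SAN list, not against the CN.
make_dev_cert() {
    dir=$1
    openssl req -nodes -new -x509 -newkey rsa:2048 -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.cert" \
        -subj "/CN=localhost/O=home/C=US" \
        -addext "subjectAltName = DNS:localhost,DNS:web.internal,IP:127.0.0.1" \
        >/dev/null 2>&1
}

# Return 0 only if the certificate is usable for $host:
#   1. the public key inside the certificate matches the private key file
#   2. the SAN list contains a DNS entry for $host
#   3. the certificate verifies against itself (it is its own trust anchor)
check_dev_cert() {
    dir=$1
    host=$2
    cert_pub=$(openssl x509 -in "$dir/server.cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$dir/server.cert" -noout -text | grep -Eq "DNS:$host(,|$)" \
        || { echo "no subjectAltName entry for $host" >&2; return 1; }
    openssl verify -CAfile "$dir/server.cert" "$dir/server.cert" >/dev/null 2>&1 \
        || { echo "certificate does not verify against itself" >&2; return 1; }
    echo "ok: $dir/server.cert is valid for $host"
}

# Usage (hypothetical directory name):
#   mkdir -p certs && make_dev_cert certs && check_dev_cert certs localhost
```

The key/certificate comparison is done on the exported public keys rather than on the RSA modulus, so the same check works unchanged if you later switch to an EC key. The SAN check is the one that matters for browsers: a certificate whose CN says localhost but whose SAN does not list it is rejected by current clients.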
Using a tool called mkcert
mkcert: https://github.com/FiloSottile/mkcert
This tool does more than create a certificate. It creates a local CA (Certificate Authority), generates a certificate signed by that CA, and installs the CA in the system trust store. One more benefit: it also installs it in the Firefox trust store, whereas the certificates produced by the commands above are not trusted by Firefox (which keeps its own store), and you would have to create a policy file to make Firefox trust the generated certificate.