Create Certificates for Local HTTPS Development
During development we sometimes need to generate SSL certificates for our application. In this article we’ll generate a key and a root certificate to use in generating other certificates. This can be helpful if you run many applications during development that need ssl certificates. We generate a root certificate so we can trust the root certificate once, and all our generated certificates will be honored by our operating system.
This is meant for development only. It is important to keep the root certificate secure nonetheless.
I like bash. I have used bash for a long time, so we’ll be using that here.
First, we generate our private key. All the certificates will be signed using this one key.
openssl genrsa -aes256 -out myca.key 4096Now we generate a root certificate.
This is the certificate that we can add to our system later. We only need to add this one certificate to the browser, or phone, and we won’t continue to get that self-signed certificate warning. Obviously, self-signed certificates are not suitable for production use. This is for development only.
openssl req -x509 -new -sha512 -nodes -days 36500 \ -key myca.key \ -out myca.crt \ -subj "/C=US/ST=Earth/L=Home/O=myca-Dev/OU=Development/CN=myca"Add to Your OS keychain/store: I use a mac, so I had to add the cert to my keychain.
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" myca.crtSet the domain in bash: Makes it easier to work with later.
export DOMAIN=mysite.comexport ROOT_CERT=myca.crtexport CA_KEY=myca.keyCreate a Subject Alternative Names (SAN) configuration file:
Use the below as a template and save as san.cnf. This configuration will be used to generate a certificate for
mysite, *.mysite subdomains, and localhost.
cat > "san.cnf" <<-EOF[ req ]default_bits = 4096distinguished_name = req_distinguished_nameattributes = req_attributesprompt = no
# The extensions to add to a certificate request - see [ v3_req ]req_extensions = v3_req
[ req_distinguished_name ]countryName= USstateOrProvinceName= EarthlocalityName= HomeorganizationName= DevelopmentorganizationalUnitName= DevelopmentcommonName= $DOMAIN
[ req_attributes ]# None
[ v3_req ]
# X509v3 extensions to add to a certificate request# See x509v3_config
# What the key can/cannot be used for:basicConstraints = CA:FALSEkeyUsage = nonRepudiation, digitalSignature, keyEnciphermentextendedKeyUsage = clientAuth,serverAuth
# The subjectAltName is where you give the names of extra web sites.# You may have more than one of these, so put in the section [ alt_names ]# If you do not have any extra names, comment the next line out.subjectAltName = @alt_names
# List of all the other DNS names that the certificate should work for.# alt_names is a name of my own invention[ alt_names ]DNS.1 = $DOMAINDNS.2 = *.$DOMAINDNS.3 = localhostEOFCreate a private key for the certificate: This is a different key from the Certificate Authority.
openssl genrsa -out "$DOMAIN.key" 4096Create a Certificate Signing Request (CSR):
openssl req -new -key "$DOMAIN.key" -config "san.cnf" -out "$DOMAIN.csr"Create that X.509v3 extensions file (${DOMAIN}.ext):
cat > "$DOMAIN.ext" <<-EOFauthorityKeyIdentifier=keyid,issuerbasicConstraints=CA:FALSEkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEnciphermentextendedKeyUsage = serverAuthsubjectAltName = @alt_names
[alt_names]DNS.1 = $DOMAINDNS.2 = *.$DOMAINDNS.3 = localhostEOFSign your certificate:
openssl x509 -req -sha512 -CAcreateserial -days 36500 \-extfile "$DOMAIN.ext" \-CA "$ROOT_CERT" \-CAkey "$CA_KEY" \-in "$DOMAIN.csr" \-out "$DOMAIN.crt"Generate a PEM formatted certificate:
This might prove useful sometimes, though it’s optional.
openssl x509 -inform PEM -in "$DOMAIN.crt" -out "$DOMAIN.cert"You can check out the set of scripts that make this much easier at https://gitlab.com/anton.kronaj/certgen
Cheers,
Anton
Originally published on Medium: Create Certificates for Local HTTPS Development
A step-by-step guide on how to set up wildcard DNS using dnsmasq on macOS, allowing developers to use meaningful local development URLs like couchbase.localdev.me instead of localhost. The setup process includes installing dnsmasq, configuring it, creating a DNS resolver, and verifying the configuration, making local development cleaner and more efficient.
2 min readA concise guide on configuring a local development proxy using Docker and NginX Proxy Manager, detailing setup steps, service routing, and benefits for managing multi‑service environments.
3 min readBuilding an MCP server for ResuRank taught me more about macOS code signing and stdout than I bargained for. This is a walkthrough of what broke — DXT distribution killed by Apple's Library Validation, pdf.js corrupting the JSON-RPC channel — and the practical decisions that followed.
7 min read