February 2, 2019

Certificates for localhost

Certificates for localhost

https://letsencrypt.org/docs/certificates-for-localhost/ (2017)

Let’s Encrypt can’t create a certification for localhost because nobody uniquely owns it and it is not rooted in any top level domain. For a development environment, a self-signed certificate could be used for localhost+HTTPS. Have the system trust the certificate would make developer experience better. Minica is a good tool to generate local root certificates.

Most web apps use HTTPS today, and some apps make requests to web services running on the user’s local machine (e.g., Dropbox). However, requesting http://localhost from an HTTPS page causes Mixed Content Blocking. Fortunately, modern browsers treat URLs that start with as “Potentially Trustworthy”. So you can use it for that kind of communication.

You might think that there is another way to avoid the Mixed Content Blocking problem. Setting up a domain name for and generate a certificate for the domain allows the web apps use HTTPS like https://localhost.example.com; Don’t do this. It makes an attacker inject a fake DNS response, and get the copy of the private key of the certificate.

(c) Hibariya Lerche 2018

Powered by Hugo & Kiss.