An SSL/TLS certificate is one of the best ways to secure a service, and protecting the localhost environment with one is the right direction. This applies whether localhost is used for local development or for distribution of a native application. An SSL certificate removes the Not Secure message from the address bar, so users can trust the site more confidently.
In 2015, certificate authorities (CAs) stopped issuing SSL certificates for localhost, because nobody owns localhost and it is not rooted in a top-level domain (TLD) such as “.com” or “.org”. The process of getting a localhost SSL certificate is therefore not the same as getting a general SSL certificate for a website.
It is possible to buy an SSL certificate that works for localhost. Such a certificate can work for localhost, but it may be neither verified nor issued by a certificate authority (CA).
Some of the following prerequisites are:
Step 1: Create a CA Certificate
SSL certificates are generally signed by third-party companies known as Certificate Authorities (CAs). They are highly trusted issuers of SSL certificates on the internet, and they carry out due diligence and full verification before issuing a certificate. No one owns localhost, which is why CAs do not issue localhost certificates. Use the commands below to start generating the root CA certificate:
$ mkdir cert
$ cd cert
$ mkdir CA
$ cd CA
$ openssl genrsa -out CA.key -des3 2048
The above commands generate a private key and request a passphrase for it. Enter the passphrase, then re-enter it to confirm. The root CA certificate is then generated from the key and is valid for up to 10 years. Run the command below to do this:
$ openssl req -x509 -sha256 -new -nodes -days 3650 -key CA.key -out CA.pem
Step 2: Creating a Certificate
After creating the CA key and certificate, it becomes possible to sign an SSL certificate. Create a new directory named localhost inside the cert/CA directory, and create a new file named localhost.ext in it.
$ mkdir localhost
$ cd localhost
$ touch localhost.ext
The localhost.ext file holds all the information that goes into the signed SSL certificate. This certificate will work for localhost and also for 127.0.0.1; more domains or IP addresses can be added to this file. Next, generate the key that will be used to create a CSR (Certificate Signing Request), using the command below:
$ openssl genrsa -out localhost.key -des3 2048
This command generates the localhost private key and requests a passphrase for it. A new CSR is then created from the key, using the command below:
$ openssl req -new -key localhost.key -out localhost.csr
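The following is an added example, not part of the original page: it runs Steps 1 and 2 non-interactively and goes one step further by filling in localhost.ext and signing the CSR with the CA, which the page does not show. The passphrase variable PASS, the function name make_localhost_cert, the subject names, the extension values and the output name localhost.crt are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: Steps 1-2 end to end, plus an assumed localhost.ext and
# the CA signing step. PASS is a constructed throwaway passphrase.
PASS="${PASS:-example-passphrase}"

# Runs in a subshell so the cd calls do not change the caller's directory.
make_localhost_cert() (
    dir="$1"
    mkdir -p "$dir/CA/localhost" && cd "$dir/CA" || exit 1

    # Step 1: passphrase-protected root CA key and a 10-year root certificate.
    openssl genrsa -des3 -passout "pass:$PASS" -out CA.key 2048 2>/dev/null || exit 1
    openssl req -x509 -sha256 -new -days 3650 -key CA.key -passin "pass:$PASS" \
        -subj "/CN=Local Dev Root CA" -out CA.pem || exit 1

    # Step 2: extension file listing the names the certificate is valid for.
    cd localhost || exit 1
    cat > localhost.ext <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
    openssl genrsa -des3 -passout "pass:$PASS" -out localhost.key 2048 2>/dev/null || exit 1
    openssl req -new -key localhost.key -passin "pass:$PASS" \
        -subj "/CN=localhost" -out localhost.csr || exit 1

    # Sign the CSR with the root CA, applying the extensions from localhost.ext.
    openssl x509 -req -in localhost.csr -CA ../CA.pem -CAkey ../CA.key \
        -passin "pass:$PASS" -CAcreateserial -days 365 -sha256 \
        -extfile localhost.ext -out localhost.crt 2>/dev/null || exit 1

    # The signed certificate must chain to the root CA; exit status reports it.
    openssl verify -CAfile ../CA.pem localhost.crt >/dev/null
)
```

Only CA.pem is imported into the browser in Step 5; CA.key stays private, because anyone who holds it can sign certificates that the browser will then trust.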
Step 3: Generate a Node.js Express Server
A Node.js Express server is needed to check that the snippets work and to output success messages. Go back to the cert directory, initialize the Node.js project, and add the express and https packages using these commands:
$ npm init -y
$ npm i express https
$ touch index.js
Step 4: Browser and API Client Testing
Open https://localhost:3000 in Firefox to reach the server over the SSL certificate. Firefox does not trust the CA, even though the localhost certificate has been signed and can be inspected. This is the right decision, because the CA cannot be trusted.
Step 5: Importing CA Certificate to the Browser
The CA certificate must be imported into the browser so that the browser trusts it. In Mozilla Firefox, select Options and click the Privacy and Security option. Then select View Certificates to check the files. Click OK in the browser to trust the CA and its certificate.