9

Is there anywhere that I can get a valid, signed SSL cert for the "localhost" domain for testing? Does anyone anywhere offer a download of something like this that I can use in testing? I know how to use openssl to sign a key with a CA, but there are a lot of steps involved and I am hoping there is something quick and easy.

What I want is a canned test CA that I can import into my trusted CA stores and then an accompanying jks keystore that has the cert chain in it for that CA.

So, it would be a 3 step process, within a protected sandbox:

   1.  Get a new distro of Jetty, enable the SSL connector, point it to the localhost.jks keystore
   2.  Import the CA that signed the localhost cert in the localhost.jks into my web browser
   3.  Browse to Tomcat on the SSL port, look at the cert and see the cert chain.
djangofan
  • Why not just use and trust a self-signed? – Shane Madden Oct 21 '11 at 17:06
  • 1
    Write your own shell script to do it, e.g.: https://gist.github.com/1121067 – quanta Oct 21 '11 at 17:07
  • @Shane Madden - since I test all the time with different JVMs and different browsers, I'd rather not have to import the trusted certificate over and over again all the time. The utopian idea would be to have a cert that belongs to one of the pre-trusted CAs. – djangofan Oct 21 '11 at 17:20

3 Answers

4

I have a really hard time believing that exists, since it's against the nature of SSL.

The CAs that are in your root-certificate list are companies who we've given our trust to. Their job is to verify that the ones who own the certificate are the ones they claim to be. Giving a localhost certificate to anyone like this would break this concept. Even for testing.

Kvisle
  • 1
    That's what I suspect also, but still hoping for a hail-mary answer. Otherwise I am going to have to take the time to create a script, set up openssl, get it all working, etc. – djangofan Oct 21 '11 at 17:21
  • 2
    It's not that big of a job, you just have to create a self-signed certificate, which is the same thing minus the verification process + creating the CA certificates ... and then also import that CA certificate to your list of trusted CAs. – Kvisle Oct 21 '11 at 17:25
  • 1
    It sounds like you might give our current "trusted" CAs a bit more credit than they deserve - https://www.eff.org/deeplinks/2011/04/unqualified-names-ssl-observatory – andol Oct 21 '11 at 19:53
  • @andol My claim isn't that the concept is perfect. My claim is that the concept is what it is. SSL is a broken system, and you have to be aware that trusting the identities of the SSL certificates means trusting the Certificate Authority. I don't say they can be trusted. However, if one wants to create spoofed certificates - phishing localhost isn't the most interesting target. – Kvisle Oct 21 '11 at 20:14
  • 2
    This actually exists, see http://readme.localtest.me/ – likeitlikeit May 06 '13 at 15:40
  • @likeitlikeit Thanks for the link! Nice to see a real history of someone trying this. Seems like I could do the same thing with my own CA. – djangofan Aug 17 '15 at 14:52
  • No longer works for this. – ZzZombo Oct 11 '17 at 05:50
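
The manual route described in the comments above (create a test CA, sign a localhost certificate with it, import only the CA into the trust store), written out as an added example that is not part of the original thread. File names, subject names and the `changeit` password are constructed placeholders, and `keytool` is assumed to come from an installed JDK.

```shell
#!/bin/sh
# Added example: throwaway CA and localhost leaf for a local test sandbox.
# File names, subject names and the password are constructed placeholders.
make_localhost_chain() {   # usage: make_localhost_chain OUTDIR
    mkdir -p "$1" || return 1
    (
    cd "$1" || exit 1
    umask 077              # private keys readable by the owner only
    cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
    # 1. Self-signed test CA; ca.crt is the only file a browser or JVM imports.
    openssl req -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=Sandbox Test CA" \
        -keyout ca.key -out ca.crt || exit 1
    # 2. Key and CSR for localhost, then sign the CSR with the test CA.
    openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=localhost" -keyout localhost.key -out localhost.csr || exit 1
    openssl x509 -req -in localhost.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 30 -sha256 -extfile openssl.cnf \
        -extensions v3_leaf -out localhost.crt || exit 1
    # 3. The leaf must chain to the test CA before it goes into a keystore.
    openssl verify -CAfile ca.crt localhost.crt || exit 1
    # 4. Bundle key + leaf + CA as PKCS#12, which keytool can import.
    openssl pkcs12 -export -inkey localhost.key -in localhost.crt \
        -certfile ca.crt -name localhost -passout pass:changeit \
        -out localhost.p12 || exit 1
    )
}

to_jks() {                 # usage: to_jks OUTDIR  (needs a JDK's keytool)
    keytool -importkeystore -noprompt \
        -srckeystore "$1/localhost.p12" -srcstoretype PKCS12 \
        -srcstorepass changeit -destkeystore "$1/localhost.jks" \
        -deststoretype JKS -deststorepass changeit
}

if [ "$#" -gt 0 ]; then make_localhost_chain "$1" && to_jks "$1"; fi
```

Anyone holding `ca.key` can issue certificates that every store trusting `ca.crt` will accept, so generate the pair per machine and keep the key inside the sandbox rather than sharing a canned one.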
1

The localtest.me cert seems to be no longer available, but see https://github.com/Daplie/localhost.daplie.com-certificates. It's not a wildcard cert though.

tuomassalo
0

Free SSL certs via Greenlock / Let's Encrypt

If you set the A record for localhost.YOURSITE.com to 127.0.0.1 (or just edit your hosts file) you can go to https://greenlock.domains and get a free 90-day HTTPS certificate that's issued via Let's Encrypt.

You'll need to choose DNS verification instead of the default HTTP file upload and you'll need to set a TXT record to prove domain ownership.

Programmatic Renewal via node.js

If you're familiar with node.js you can use Greenlock.js to create an automated solution that works with your keystores.

Other solutions

There's also stuff like certbot, caddy, ZeroSSL, and a number of other solutions that integrate with Let's Encrypt as well.

coolaj86