create a trusted self-signed SSL cert for localhost for use with Express Node

Question

Trying to follow various instructions on creating a self-signed cert for use with localhost   Most of the instructions seem to be for IIS  but I m trying to use Nodejs Express    None of them work properly because while the cert gets installed  it is not trusted   here s what I ve tried that fails    How can I create a self-signed cert for localhost  https   www digitalocean com community articles how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04  http   blogs developerforce com developer-relations 2011 05 generating-valid-self-signed-certificates html http   www robbagby com iis self-signed-certificates-on-iis-7-the-easy-way-and-the-most-effective-way    Can someone offer a workflow that can do this    I can get a cert installed  but I can t get the cert to be trusted in either chrome  v32  or IE  v10       EDIT  it was suggested in comments that the problem is no trusted cert-root   I installed the cert via IE but it s still not being trusted

User · Answer

Go to  chrome   flags   Enable  Allow invalid certificates for resources loaded from localhost   You don t have the green security  but you are always allowed for https   localhost in chrome

User · Answer

If you need to go a step further than  alon s detailed steps and also create a self signed ca   https createServer     key  fs readFileSync NODE SSL KEY     cert  fs readFileSync NODE SSL CERT     ca  fs readFileSync NODE SSL CA      app  listen PORT       gt         package json   setup https    openssl genrsa -out src server ssl localhost key 2048  amp  amp  openssl req -new -x509 -key src server ssl localhost key -out src server ssl localhost crt -config src server ssl localhost cnf  amp  amp  openssl req -new -out src server ssl localhost csr -config src server ssl localhost cnf  amp  amp  openssl x509 -req -in src server ssl localhost csr -CA src server ssl localhost crt -CAkey src server ssl localhost key -CAcreateserial -out src server ssl ca crt     Using the localhost cnf as described    req  distinguished name   req distinguished name x509 extensions   v3 req prompt   no  req distinguished name  C   UK ST   State L   Location O   Organization Name OU   Organizational Unit  CN   www localhost com  v3 req  keyUsage   critical  digitalSignature  keyAgreement extendedKeyUsage   serverAuth subjectAltName    alt names  alt names  DNS 1   www localhost com DNS 2   localhost com DNS 3   localhost

User · Answer

The answers above were partial  I ve spent so much time getting this working  it s insane  Note to my future self  here is what you need to do    I m working on Windows 10  with Chrome 65  Firefox is behaving nicely - just confirm localhost as a security exception and it will work  Chrome doesn t   Step 1  in your backend  create a folder called security  we will work inside it   Step 2  create a request config file named req cnf with the following content  credit goes to   Anshul   req cnf     req  distinguished name   req distinguished name x509 extensions   v3 req prompt   no  req distinguished name  C   Country initials like US  RO  GE ST   State L   Location O   Organization Name OU   Organizational Unit  CN   www localhost com  v3 req  keyUsage   critical  digitalSignature  keyAgreement extendedKeyUsage   serverAuth subjectAltName    alt names  alt names  DNS 1   www localhost com DNS 2   localhost com DNS 3   localhost   An explanation of this fields is here   Step 3  navigate to the security folder in the terminal and type the following command    openssl req -x509 -nodes -days 365 -newkey rsa 2048 -keyout cert key -out cert pem -config req cnf -sha256  Step 4  then outside of security folder  in your express app do something like this   credit goes to  Diego Mello   backend    security   server js   server js   const express   require  express   const app   express   const https   require  https   const fs   require  fs   const port   3000  app get       req  res    gt        res send  IT S WORKING        const httpsOptions         key  fs readFileSync    security cert key        cert  fs readFileSync    security cert pem     const server   https createServer httpsOptions  app       listen port       gt            console log  server running at     port           Step 5  start the server  node server js  and go to https   localhost 3000   At this point we have the server setup  But the browser should show a warning message    We need to register our self-signed certificate  as a CA trusted Certificate Authority  in the chrome windows certificates store   chrome also saves this in windows    Step 6  open Dev Tools in chrome  go to Security panel  then click on View Certificate    Step 7  go to Details panel  click Copy File  then when the Certificate Export Wizard appears  click Next as below      Step 8  leave DER encoding  click next  choose Browse  put it on a easy to access folder like Desktop  and name the certificate localhost cer  then click Save and then Finish   You should be able to see your certificate on Desktop   Step 9  Open chrome   settings  by inserting it in the url box  Down below  click on Advanced   Advanced Options  then scroll down to find Manage Certificates     Step 10  Go to Trusted Root Certification Authorities panel  and click import     We will import the localhost cer certificate we just finished exporting in step 8   Step 11  click browse  find the localhost cer  leave the default values click next a bunch of times - until this warning appears  click yes     Step 12  close everything  and restart chrome  Then  when going to https   localhost 3000 you should see

User · Answer

If you re on OSX Chrome you can add the self-signed SSL certificate to your system keychain as explained here  http   www robpeck com 2010 10 google-chrome-mac-os-x-and-self-signed-ssl-certificates  It s a manual process  but I got it working finally  Just make sure the Common Name  CN  is set to  localhost   without the port  and after the certificate is added make sure all the Trust options on the certificate are set to  Always Trust   Also make sure you add it to the  System  keychain and not the  login  keychain

User · Answer

SMH  a lot of hours wasted on this due to lack of proper documentation and not everyone uses IIS    If anyone else is still stuck on this issue I hope this helps  Solution  Trusted Self Signed SSL CERT for localhost on Windows 10 Note  If you only need the SSL cert follow the Certification Creation section Stack  Azure Function App Node js   React js - Windows 10 Certification Creation Step 1 - Create Certificate  OpenPowershell and run the following  New-SelfSignedCertificate -NotBefore  Get-Date  -NotAfter  Get-Date  AddYears 5    -Subject  quot CN localhost quot  -KeyAlgorithm  quot RSA quot  -KeyLength 2048   -HashAlgorithm  quot SHA256 quot  -CertStoreLocation  quot Cert  CurrentUser My quot    -FriendlyName  quot HTTPS Development Certificate quot    -TextExtension    quot 2 5 29 19  text  quot   quot 2 5 29 17  text DNS localhost quot    Step 2 - Copy Certificate  Open Certificate Manager by pressing the windows key and search for  quot manage user certificates quot   Navigate to Personal - gt  Certificates and copy the localhost cert to  Trusted Root Certification Authorities - gt  Certificates Personal - gt  Certificates Trusted Root Certification Authorities - gt  Certificates  Friendly Name will be HTTPS Development Certificate  Step 3  Export Certificate right click cert - gt  All Tasks - gt  Export which will launch the Certificate Export Wizard  Certificate Export Wizard  Click next Select Yes  export the private Key Export private key Select the following format Personal Information Exchange - PKCS  12 and leave the first and last checkboxes selected  Export format Select a password  enter something simple if you like ex   quot 1111 quot  Enter password Save file to a location you will remember ex  Desktop or Sites  you can name the file development pfx  Save file  Step 4  Restart Chrome Azure Function App  Server  - SSL Locally with  PFX In this case we will run an Azure Function App with the SSL cert   copy the exported development pfx file to your azure functions project root from cmd exe run the following to start your functions app func start --useHttps --cert development pfx --password 1111 quot   If you used a different password and filename don t forget to update the values in this script  Update your package json scripts to start your functions app   React App  Client  - Run with local SSL Install openssl locally  this will be used to convert the development pfx to a cert pem and server key  Source - Convert pfx to pem file  open your react app project root and create a cert folder   project-root cert  create a copy of the development pfx file in the cert folder   project-root  cert development pfx  open command prompt from the cert directory and run the following  convert development pfx to cert pem  openssl pkcs12 -in development pfx -out cert pem -nodes extract private key from development pfx to key pem  openssl pkcs12 -in development pfx -nocerts -out key pem remove password from the extracted private key  openssl rsa -in key pem -out server key update your  env development local file by adding the following lines   SSL CRT FILE cert pem SSL KEY FILE server key   start your react app npm start

User · Answer

on windows I made the iis development certificate trusted by using MMC  start   run   mmc   then add the certificate snapin  choosing  local computer  and accepting the defaults  Once that certificate snapip is added expand the local computer certificate tree to look under Personal  select the localhost certificate  right click   all task   export  accept all defaults in the exporting wizard   Once that file is saved  expand trusted certificates and begin to import the cert you just exported  https   localhost is now trusted in chrome having no security warnings   I used this guide resolution  2 from the MSDN blog  the op also shared a link in his question about that also should using MMC but this worked for me  resolution  2

User · Answer

How to generate an SSL certificate for localhost  link  openssl genrsa -des3 -out server key 1024   you need to enter a password here which you need to retype in the  following steps   openssl req -new -key server key -out server csr   when asked  Common Name  type in  localhost  openssl x509 -req -days 1024 -in server csr -signkey server key -out server crt

User · Answer

Some of the answers posted have pieces that were very useful to me to overcome this problem too  However  I was also interested in the minimum number of steps and  ideally  avoiding OpenSSL  on Windows 10    So  one critical piece from the answers  credit   TroyWorks  is that you need to edit your HOSTS file to create a fictitious server  and map that to 127 0 0 1  This assumes you are going to be doing local development   In my case  I was using the SS certificate to secure a websocket in NodeJS  and that socket was being connected to programmatically  as opposed to via browser   So for me  it was critical that the certificate be accepted without warnings or errors  and the critical piece there was to get the cert created with a proper CN  and of course accept the cert into Trusted Authorities  as described elsewhere in the answers   Using IIS to create a self-signed cert won t create the proper CN  so I discovered the following simple command using Powershell   New-SelfSignedCertificate -DnsName  gandalf dummy dev  -FriendlyName  gandalf  -CertStoreLocation  cert  LocalMachine My    This has to be run in the PS Admin console  but it simply works  and puts the cert into the  Personal  section of the LocalMachine certificate store  You can verify it got created by executing   ls cert  LocalMachine My    To trust it  simply copy this and paste into  Trusted Root Certification Authorities  using Certificate Manager  making sure you are looking at the Local Machine certificates  not Current User     If you bind to this certificate in IIS  you should be able to hit https   gandalf dummy dev  and get a secure connection without any warnings   The final piece  using this in NodeJS  is described above and in other SO answers  so I ll only add that on Windows  it is easier to work with a pfx file that combines the cert and private key  You can export a pfx easily from the Certificate Manager  but it does affect how you use it in NodeJS  When instantiating a Server using the  https  module  the options you would use  instead of  key  and  cert   would be  pfx  and  passphrase   as in   var https   require  https    var options          pfx  fs readFileSync  mypfxfile         passphrase   foo      var server   https createServer options

User · Answer

If you re using node  why not generate them with node  This module seems to be pretty full featured    https   github com andris9 pem   Note that I wouldn t generate on the fly  Generate with some kind of build script so you have a consistent certificate and key  Otherwise you ll have to authorize the newly generated self-signed certificate every time

User · Answer

You can try openSSL to generate certificates  Take a look at this   You are going to need a  key and  crt file to add HTTPS to node JS express server  Once you generate this  use this code to add HTTPS to server   var https   require  https    var fs   require  fs    var express   require  express     var options         key  fs readFileSync   etc apache2 ssl server key        cert  fs readFileSync   etc apache2 ssl server crt        requestCert  false      rejectUnauthorized  false      var app   express     var server   https createServer options  app  listen 3000  function        console log  server started at port 3000          This is working fine in my local machine as well as the server where I have deployed this  The one I have in server was bought from goDaddy but localhost had a self signed certificate   However  every browser threw an error saying connection is not trusted  do you want to continue  After I click continue  it worked fine    If anyone has ever bypassed this error with self signed certificate  please enlighten

User · Answer

Shortest way  Tested on MacOS  but may work similarly on other OS   Generate pem   gt  openssl req -x509 -newkey rsa 2048 -keyout keytmp pem -out cert pem -days 365   gt  openssl rsa -in keytmp pem -out key pem   Your express server   const express   require  express   const app   express   const https   require  https   const fs   require  fs   const port   3000  app get       req  res    gt      res send  WORKING        const httpsOptions       key  fs readFileSync    key pem      cert  fs readFileSync    cert pem     const server   https createServer httpsOptions  app  listen port       gt      console log  server running at     port        Open https   localhost 3000 in Google Chrome and you ll see that it s not secure  Yet  In Developer Tools   Security   View Certificate  Drag image to your desktop and double click it  Click  Add  Find it in Keychain Access and double click it Expand  Trust  and change  When using this certificate  to  Always trust   You may be prompted to authenticate  Restart your server  Refresh your browser  Enjoy

User · Answer

There are more aspects to this   You can achieve TLS  some keep saying SSL  with a certificate  self-signed or not   To have a green bar for a self-signed certificate  you also need to become the Certificate Authority  CA   This aspect is missing in most resources I found on my journey to achieve the green bar in my local development setup  Becoming a CA is as easy as creating a certificate   This resource covers the creation of both the CA certificate and a Server certificate and resulted my setup in showing a green bar on localhost Chrome  Firefox and Edge  https   ram k0a1a net self-signed https cert after chrome 58  Please note  in Chrome you need to add the CA Certificate to your trusted authorities

User · Answer

Here s what s working for me  on windows  1  Add this to your  WINDIR  System32 drivers etc hosts file  127 0 0 1 localdev YOURSITE net   cause browser have issues with  localhost   for cross origin scripting   Windows Vista and Windows 7 Vista and Windows 7 use User Account Control  UAC  so Notepad must be run as Administrator    Click Start -  All Programs -  Accessories Right click Notepad and select Run as administrator Click Continue on the  Windows needs your permission  UAC window  When Notepad opens Click File -  Open In the filename field type C  Windows System32 Drivers etc hosts Click Open Add this to your  WINDIR  System32 drivers etc hosts file  127 0 0 1 localdev YOURSITE net Save Close and restart browsers   On Mac or Linux    Open  etc hosts with su permission Add 127 0 0 1 localdev YOURSITE net Save it   When developing you use localdev YOURSITE net instead of localhost  so if you are using  run debug configurations in your ide be sure to update it   Use   YOURSITE net  as cookiedomain  with a dot in the beginning  when creating the cookiem then it should work with all subdomains   2  create the certificate using that localdev url  TIP  If you have issues generating certificates on windows  use a VirtualBox or Vmware machine instead    3  import the certificate as outlined on  http   www charlesproxy com documentation using-charles ssl-certificates

User · Answer

Mkcert from  FiloSottile makes this process infinitely simpler    Install mkcert  there are instructions for macOS Windows Linux mkcert -install to create a local CA mkcert localhost 127 0 0 1   1 to create a trusted cert for localhost in the current directory You re using node  which doesn t use the system root store   so you need to specify the CA explicitly in an environment variable  e g  export NODE EXTRA CA CERTS    mkcert -CAROOT  rootCA pem  Finally run your express server using the setup described in various other answers  e g  below  boom  localhost s swimming in green    Basic node setup   const https   require  https    const fs   require  fs    const express   require  express     const app   express        const server   https createServer       key  fs readFileSync   XXX localhost 2-key pem       where s me key      cert  fs readFileSync   XXX localhost 2 pem       where s me cert      requestCert  false      rejectUnauthorized  false     app  listen 10443      get creative

[node.js] create a trusted self-signed SSL cert for localhost (for use with Express/Node)

Examples related to node.js

Examples related to express

Examples related to openssl

Examples related to localhost

Examples related to ssl-certificate