Third-Party Signed SSL Certificate for localhost or 127.0.0.1?

Question

Without divulging TOO much information, I need to setup a web server system that is intended to be used by end users all over the internet.

the use case is such tha

Answer 1

localhost

You will never be issued a proper https cert for localhost. It is strictly forbidden. Because reasons.

In short:

• Misconfigured devices actually exist, in the wild, that wait for lookups before resolving localhost from /etc/hosts
• If a router defines localhost.foo.local it may cause localhost to resolve incorrectly (you've probably seen this class of error before)

You can create a root certificate and then create a so-called "self-signed" certificate, signed by the root ca you created. You'll still get the ugly warning screen, but it'll work.

• See https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/

localhost.YOURSITE.com (points to 127.0.0.1)

In lieu of actual localhost certs, I do what Eugene suggests - create a 127.0.0.1 record on a public domain.

You can get free HTTPS certificates for localhost.YOURSITE.com via Let's Encrypt via https://greenlock.domains. Just choose the DNS option instead of the HTTP File Upload option

Point your localhost.MY-SLD.MY-TLD to 127.0.0.1

• Purchase a *.localhost.example.com cert and issue each installation a secret xyz.localhost.example.com (and include it in the public suffix list to prevent attacks on example.com)
• Use a greenlock-enabled app to generate such certificates on the fly (through https://letsencrypt.org) directly on the client (or pass them to the client)

If you do not get included in the PSL note that:

• sessions, localstorage, indexeddb, etc are shared by domain
• changing the port does not change their sharedness

Be Your Own Root Certificate

Update: with things like greenlock that use ACME / Let's Encrypt, this is no longer particularly relevant.

This is probably a really bad idea because we don't want users becoming accustomed to installing Root CAs willy nilly (and we know how that turned out for Lenovo), but for corporate / cloned machines it may be a reasonable low-budget option.