Self-signed certificate for local HTTPS connection


When setting up an HTTPS server for development purpose, you probably don’t want to buy a certificate. However you still need to run with HTTPS locally to develop/test if your web application works under HTTPS connections. You can create a self-signed certificate for free using OpenSSL.

Generate a private key

This command is to genetate a 4096-bit private key using SHA512 algorithm:

openssl genrsa -out localhost.key 4096 -sha512

-out <filepath> : path of the output file that will contain private key
-sha[number] : the algorithm applies for private key, it can be sha1, sha256, sha512; default value is sha1 if this parameter is missing. sha1 is not recommended because browsers like Chrome will treat it as unsecured.

Generate a Certificate Signing Request (CSR)

A CSR file will contain information about your organization and needs to use the private key. You can include organization details in only one command line, otherwise it will ask you to input manually for each field. The following command generates a CSR file using SHA512 algorithm:

openssl req -new -key localhost.key -out localhost.csr -sha512 -subj “/C=US/ST=State/L=City/O=Your Organization/CN=localhost”

out <filepath> : path of the output fle that will contain a Certificate Signing Request
subj : subject details included in the CSR
/C : two letters of country code
/ST: full name of state
/L: full name of city
/O: full name of your organization
/CN: usually a domain name which you want to install certificate on

Generate the certificate based on the CSR and sign it using the private key

The following commands create a X509 certificate which is valid within 365 days from the creation date and uses SHA-512 algorithm:

openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt -fingerprint -sha512

-days <number> : number of days from the creation date that the certificate is still vallid
– in <filepath> : path of the CSR file
– out <filepath> : path of the output certificate file
– fingerprint : to print information of fingerprint to check the algorithm used in this certificate

Now you can install both your private key file and your certificate file to your server.


OpenSSL needs its configuration file. If you’re using Windows build from GnuWin32, you can set the environment variable ‘OPENSSL_CONF’ to  the OpenSSL config file using the following command:

set OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf

The certificate is not signed by a Trusted CA. So it will be treated as not secured by browsers and rejected by Postman. You can import it as a trusted certificate into the certicate store on your machine.

Leave a Reply