Secure Your Local Development: Generate HTTPS Certificates for .test or .internal Domains

Posted bytimdinh Leave a comment on Secure Your Local Development: Generate HTTPS Certificates for .test or .internal Domains

In today’s web development landscape, HTTPS isn’t just for production—it’s a necessity for local development and testing. Modern browsers enforce strict security policies, and features like authentication cookies or service workers require HTTPS even during development. Using localhost works, but it often comes with hidden restrictions. Instead, adopting a dedicated local development domain (like .test or .internal) with HTTPS ensures a production-like environment and avoids browser quirks. Here’s how to set it up.

Why HTTPS Matters in Development

  1. Browser Requirements : Features like secure cookies, geolocation, or service workers often require HTTPS, even locally.
  2. Real-World Parity : Developing with HTTPS mirrors production environments, reducing deployment surprises.
  3. Security Compliance : Authentication cookies marked Secure won’t work over HTTP, breaking login flows during testing.

Avoid These Domains :

  • .dev and .app : Owned by Google, these enforce HTTPS via HSTS preloading. Self-signed certs will fail.
  • .local : Reserved for multicast DNS (mDNS) and treated as non-standard by browsers like Safari.

Use These Instead :

  • .test and .internal : Reserved by RFC 6762 for local testing. No risk of colliding with real domains.

How to generate a new key and certificate

openssl req -x509 -nodes -newkey rsa:2048 -keyout local.test.key -out local.test.crt -config openssl_test.cnf -extensions v3_req -days 9999

Ensure you create openssl_test.cnf file with the content below

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = local.test

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = local.test
DNS.2 = *.local.test

The above will create a key and a wild card certificate.

Add the certificate above to your operating system’s trust store

MacOS

1. Open Keychain Access.

2. Drag local.test.crt into the System keychain.

3. Double-click the certificate → Expand Trust → Set When using this certificate to Always Trust. <- important

Windows

1. Double-click local.test.crt.

2. Go to Install Certificate → Local Machine → Place all certificates in the following store → Trusted Root Certification Authorities.

Linux

# Copy the certificate to the trusted store
sudo cp local.test.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Add the certificate above to your operating system’s trust store

For dotnet app, add this to appsettingsDevelopment.json

 "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://your-app-name.local.test:5033", 
        "Certificate": {
          "Path": "/path/to/local.test.crt",
          "KeyPath": "/path/to/local.test.key"
        }
      }
    }
  }

Resolving domain name

Add the line below to you OS hosts file

127.0.0.1   your-app-name.local.test

hosts file on MacOS is at /etc/hosts

Important

Do not expose .key file as may compromised your system

Leave a comment

Your email address will not be published. Required fields are marked *