CN=localhost: Server Certificate Issues

TL;DR

Using a certificate with CN=localhost on a server intended for wider deployment is problematic and will cause errors in most browsers. You need a proper, publicly trusted or internally signed certificate that matches your server’s domain name or IP address.

Why CN=localhost Doesn’t Work

Certificates with Common Name (CN) set to localhost are specifically for testing and development environments. Browsers treat them as untrusted because:

  • Security Risk: localhost isn’t a real, publicly registered domain, so Certificate Authorities (CAs) can’t verify it.
  • Browser Restrictions: Modern browsers actively block or warn against connections that present a CN=localhost certificate unless they have been explicitly configured to accept it for testing.
  • Not Valid for Production: A certificate tied to localhost won’t match the actual domain name users will use to access your server.

How to Fix It

Here’s a step-by-step guide to get a valid certificate for your server:

1. Choose a Domain Name

  1. Register a Domain: If you don’t have one, register a domain name (e.g., yourdomain.com).
  2. Use an IP Address: Alternatively, use your server’s public IP address if a domain isn’t feasible (though this is less common and can be problematic if the IP changes).

2. Obtain a Certificate

You have several options:

  • Let’s Encrypt (Free): A popular choice for free, automatically renewed certificates.
    certbot --nginx -d yourdomain.com

    (This assumes you are using Nginx; adjust the command for your web server.)

  • Commercial Certificate Authority: Purchase a certificate from providers like DigiCert, Sectigo, or GlobalSign.
  • Internal Certificate Authority (For Internal Networks): If your server is only accessible within your organisation, create an internal CA and issue a certificate. This requires more setup but avoids costs.

3. Install the Certificate

The installation process varies depending on your web server:

  • Nginx: Configure your Nginx virtual host file to point to your certificate and key files.
    server {
      listen 443 ssl;
      server_name yourdomain.com;
    
      ssl_certificate /path/to/your_certificate.pem;
      ssl_certificate_key /path/to/your_private_key.pem;
    }
    
  • Apache: Modify your Apache virtual host configuration to include the certificate and key paths.
    <VirtualHost *:443>
      ServerName yourdomain.com
      DocumentRoot /var/www/html
    
      SSLEngine on
      SSLCertificateFile /path/to/your_certificate.pem
      SSLCertificateKeyFile /path/to/your_private_key.pem
    </VirtualHost>
    

4. Configure Your Server

  1. Restart Web Server: Restart your web server (e.g., sudo systemctl restart nginx or sudo systemctl restart apache2) to apply the changes.
  2. Firewall: Ensure your firewall allows traffic on port 443 (HTTPS).

5. Test Your Certificate

Use an online SSL checker tool (e.g., SSL Shopper) to verify your certificate installation and configuration.
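
A local check to run on the certificate file before the online test, as an added example that is not part of the original article. It assumes the OpenSSL command-line tool is installed (1.1.1 or later for -addext); the function names check_cert and make_demo_cert are invented here, and the demo certificates are constructed throwaway files.

```sh
#!/bin/sh
# Added example: pre-deployment check of a certificate file against a hostname.
# Usage: sh check_cert.sh /path/to/your_certificate.pem yourdomain.com

# check_cert CERT_FILE HOSTNAME
# Prints findings; returns 0 if usable, 1 if not, 2 if the file cannot be parsed.
check_cert() {
    cert=$1; host=$2; rc=0
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || {
        echo "ERROR: cannot parse $cert"; return 2; }

    # 1. The development-only subject this article is about.
    if printf '%s\n' "$subject" | grep -Eiq 'CN ?= ?localhost($|[,/])'; then
        echo "FAIL: certificate subject is CN=localhost"; rc=1
    fi

    # 2. Name match. -checkhost compares against subjectAltName DNS entries and
    #    falls back to the CN only when the certificate has no DNS SAN.
    if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "OK:   certificate covers $host"
    else
        echo "FAIL: certificate does not cover $host"; rc=1
    fi

    # 3. Expiry. -checkend 0 exits non-zero if the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"; rc=1
    fi

    # 4. Subject == issuer means self-signed: browsers will not trust it unless
    #    it has been added to their trust store. Reported as a warning only.
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        echo "WARN: certificate is self-signed"
    fi
    return $rc
}

# make_demo_cert NAME OUT_PREFIX
# Constructed throwaway self-signed certificate for trying the check offline.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Run as a script when given both arguments.
if [ "$#" -eq 2 ]; then check_cert "$1" "$2"; fi
```

A non-zero exit status makes the script usable as a gate in a deployment job before the web server is restarted.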
