
Cyber Security

Self-Signed Certificates: A Quick Guide

TL;DR

Self-signed certificates are useful for testing and internal applications but aren’t trusted by browsers automatically. This guide shows you how to create one, install it in your browser (Chrome/Edge), and understand the warnings you’ll see.

Creating a Self-Signed Certificate

  1. Using OpenSSL: If you have OpenSSL installed (common on Linux/macOS; available for Windows), use this command to create a private key and certificate:
    openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365

    You’ll be prompted for information like Country Name, State/Province, Locality, Organisation Name, Common Name (this is usually the domain or IP address of your server), and Email Address. Fill these in accurately.

  2. Using PowerShell: On Windows, you can use PowerShell:
    # LocalMachine store: run from an elevated (Administrator) PowerShell
    New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "Cert:\LocalMachine\My" -FriendlyName "My Local Certificate" -KeyLength 2048 -NotAfter (Get-Date).AddDays(365)

Installing the Certificate (Chrome/Edge)

  1. Locate the Certificate: Find the certificate file you created (e.g., cert.pem, or the certificate exported from the PowerShell certificate store).
  2. Import into Chrome/Edge:
    • Type chrome://settings/certificates in your browser’s address bar and press Enter.
    • Click on ‘Authorities’.
    • Click ‘Import…’.
    • Select the certificate file you created.
    • Check the box ‘Trust this certificate for identifying websites’. This is important!
    • Click ‘OK’ and then ‘Close’.

Understanding Browser Warnings

Even after installation, you’ll likely see warnings when visiting a site using the self-signed certificate. This is normal.

  • ‘Your connection is not private’ / ‘NET::ERR_CERT_AUTHORITY_INVALID’: These messages mean your browser doesn’t trust the certificate authority (because it’s you!).
  • Advanced Options: Click on ‘Advanced’ and then ‘Proceed to [website address] (unsafe)’. Only do this if you understand the risks! This bypasses the security warning for that specific site.

Important Considerations

  • Not for Production: Self-signed certificates are not suitable for public websites or applications where security is critical. Use a certificate from a trusted Certificate Authority (CA) in those cases.
  • Security Risks: Because anyone can create a self-signed certificate, it does not by itself verify the identity of the server. This makes them vulnerable to man-in-the-middle attacks if not used carefully.
  • Browser Differences: The exact steps for importing certificates may vary slightly between browsers (Firefox has different procedures).
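As an added example (not part of this guide and not commands from its author), the following POSIX shell script performs the OpenSSL step from the "Creating a Self-Signed Certificate" section non-interactively and then checks the points in the list above: it adds a subjectAltName (Chrome and Edge require one in addition to the Common Name), confirms the certificate verifies against itself the way it will once imported under Authorities, checks its expiry, and shows that trusting one self-signed certificate for a name does not make a different self-signed certificate for the same name trusted, which is why the SHA-256 fingerprint should be compared out of band before importing. The hostname "localhost", the subject fields, and OpenSSL 1.1.1 or newer (for -addext) are assumptions.

```shell
#!/bin/sh
# Added example for this guide (not the original author's commands): create a
# self-signed certificate non-interactively with a subjectAltName, sanity-check
# it with openssl, and show that trusting one self-signed certificate does not
# make another certificate for the same name trusted. Assumes OpenSSL 1.1.1+
# (needed for -addext) and the constructed hostname "localhost".
set -eu

# make_selfsigned HOST OUTDIR: write OUTDIR/key.pem and OUTDIR/cert.pem.
# -subj answers the interactive prompts; the values are constructed placeholders.
make_selfsigned() {
    host="$1"; outdir="$2"
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
        -subj "/C=GB/ST=Example/L=Example/O=Example Org/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:127.0.0.1" 2>/dev/null
    chmod 600 "$outdir/key.pem"   # the private key is the secret; keep it unreadable to others
}

# cert_has_san CERT HOST: succeed if HOST appears in the subjectAltName extension.
# Chrome/Edge ignore the Common Name, so a certificate without this still warns.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_trusted_by CERT TRUSTED: succeed if CERT chains to the TRUSTED file,
# which is what the browser checks once a certificate is imported under Authorities.
cert_trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for CERT SECONDS: succeed if CERT will not expire within SECONDS.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_fingerprint CERT: print the SHA-256 fingerprint to compare out of band before importing.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

OUTDIR="${OUTDIR:-$(mktemp -d)}"
make_selfsigned localhost "$OUTDIR/a"   # the certificate you would import
make_selfsigned localhost "$OUTDIR/b"   # a different self-signed certificate for the same name
echo "A: $(cert_fingerprint "$OUTDIR/a/cert.pem")"
echo "B: $(cert_fingerprint "$OUTDIR/b/cert.pem")"
cert_trusted_by "$OUTDIR/a/cert.pem" "$OUTDIR/a/cert.pem" && echo "A verifies against itself"
cert_trusted_by "$OUTDIR/b/cert.pem" "$OUTDIR/a/cert.pem" || echo "B is NOT trusted just because A is"
```

The last two lines are the point of the "Security Risks" item: trust is granted to one specific certificate, not to a hostname, so the only way to know the certificate a browser imports is the one the server will present is to compare its fingerprint with what the server operator published. cert_has_san is the check that matters most when the warning persists after import, since Chrome and Edge reject a certificate whose hostname appears only in the Common Name.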