
Self Signed SSL: Trusting Certificates

TL;DR

A self-signed SSL/TLS certificate carries no third-party assurance of who holds its private key, so browsers and operating systems reject it until you install it as a trust anchor yourself. That is acceptable for test rigs and tightly managed internal tools, not for anything public. This guide shows how to create one with the hostname in its subjectAltName, how to install it into browser and operating-system trust stores, and what you are committing to when you do.

Understanding Self-Signed Certificates

A self-signed certificate is signed with its own private key rather than by a Certificate Authority (CA) your browser already trusts, so there is no chain back to a trust anchor and the browser cannot distinguish it from one a man-in-the-middle minted a minute ago. Installing it in a trust store means you are vouching for it yourself: ‘I trust this certificate, even though no one else does’.

How to Trust a Self-Signed Certificate

  1. Generate the Certificate: If you haven’t already, create your self-signed certificate. OpenSSL (1.1.1 or later, for -addext) is commonly used:
    openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout key.pem -out cert.pem -subj "/CN=yourhostname" -addext "subjectAltName=DNS:yourhostname"

    This creates a private key (key.pem, written unencrypted because of -nodes, so restrict its file permissions) and the certificate itself (cert.pem). The hostname you will browse to must appear in the subjectAltName extension: modern browsers ignore the ‘Common Name’ on its own, so a certificate whose CN matches but which has no SAN is still rejected. Add further names as DNS:a,DNS:b, or an address as IP:10.0.0.5.

  2. Add to Trust Store (Browser): Chrome and Edge use the operating system’s trust store on Windows and macOS, so for them step 3 is enough. Chrome on Linux and Firefox on every platform keep their own (NSS) stores:
    • Chrome on Linux:
      1. Go to chrome://settings/certificates.
      2. Open the ‘Authorities’ tab and click ‘Import’.
      3. Select your cert.pem file.
      4. Check the box ‘Trust this certificate for identifying websites’.
      5. Restart Chrome.
    • Firefox (it does not necessarily pick up a root you add to the OS store, so import here as well):
      1. Go to about:preferences#privacy and scroll down to Certificates.
      2. Click ‘View Certificates’.
      3. Select the ‘Authorities’ tab.
      4. Click ‘Import…’.
      5. Select your cert.pem file.
      6. Check the box ‘Trust this CA to identify websites’.
      7. Restart Firefox.
  3. Add to Trust Store (Operating System): This is needed for applications outside of browsers, and it also covers Chrome and Edge on Windows and macOS. Importing into the machine-wide store needs administrator or root rights.
    • Windows:
      1. Double-click the certificate file (rename cert.pem to cert.crt if Windows does not recognise it).
      2. Click ‘Install Certificate…’.
      3. Select ‘Local Machine’ as the store location.
      4. Choose ‘Place all certificates in the following store’.
      5. Browse and select ‘Trusted Root Certification Authorities’.
      6. Complete the wizard. (The certutil tool, with its -addstore option and the Root store, does the same from an elevated prompt.)
    • macOS:
      1. Double-click the cert.pem file. Keychain Access will open.
      2. Select the keychain where you want to store it (usually ‘System’).
      3. Find the certificate in Keychain Access.
      4. Double-click the certificate.
      5. Expand ‘Trust’.
      6. Change ‘When using this certificate’ to ‘Always Trust’.
      7. Restart your applications. (The security command-line tool’s add-trusted-cert subcommand does the same for scripted installs.)
    • Linux:
      1. Debian/Ubuntu: copy the file to /usr/local/share/ca-certificates/yourhostname.crt (the .crt suffix matters) and run update-ca-certificates as root.
      2. RHEL/Fedora: copy it to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust as root.
    Some runtimes ship their own bundle and ignore the OS store: Java uses its cacerts keystore, Node.js reads extra roots from NODE_EXTRA_CA_CERTS, and Python’s requests library uses certifi unless REQUESTS_CA_BUNDLE points elsewhere.
  4. Configure Application/Server: Tell your application or server to use the key.pem and cert.pem files.

    For example, in Nginx (server_name must be a name present in the certificate’s subjectAltName):

    server {
        listen 443 ssl;
        server_name yourhostname;
        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/key.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
    
  5. Verify: Access your service via HTTPS (e.g., https://yourhostname). You should no longer see certificate warnings in your browser. From the command line, curl with --cacert cert.pem should succeed, and curl without it should fail with a verification error; that pair confirms trust comes only from the certificate you installed. If a warning persists, the usual cause is a hostname that is not in the subjectAltName.
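The following script is an added example and not part of the original post. It runs steps 1 and 5 end to end without a server: it generates a certificate whose subjectAltName carries the hostname, prints the SAN and a SHA-256 fingerprint to compare out of band before importing on another machine, then verifies the certificate the way a TLS client does, once against the system store only (must fail), once with cert.pem as the trust anchor and the right hostname (must pass), and once with a wrong hostname (must fail). It assumes OpenSSL 1.1.1 or later (for -addext), uses a 2048-bit key to keep generation quick, and uses the placeholder hostname yourhostname and a temporary working directory.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed certificate with
# the hostname in subjectAltName and check it as a client would. The hostname
# "yourhostname" and the temporary working directory are assumptions.
set -eu

HOST="${HOST:-yourhostname}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: key + certificate. -nodes writes the key unencrypted (a lab convenience, so
# lock down its permissions); -addext puts the hostname in subjectAltName, which
# browsers require. 2048-bit key for speed here; the post uses 4096.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" 2>/dev/null
    chmod 600 "$WORKDIR/key.pem"
}

# The SAN line (e.g. "DNS:yourhostname"): confirm the name you browse to is in it.
show_san() {
    openssl x509 -in "$WORKDIR/cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# SHA-256 fingerprint: compare it out of band before importing on another machine,
# so you trust the certificate you generated and not one swapped in transit.
fingerprint() {
    openssl x509 -in "$WORKDIR/cert.pem" -noout -fingerprint -sha256
}

# Verification as a client sees it. $1 is the CA file to trust ("" for the system
# store only), $2 the hostname being connected to. Prints "trusted" or "untrusted".
verify_as_client() {
    ca="$1"; name="$2"
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" -verify_hostname "$name" "$WORKDIR/cert.pem" >/dev/null 2>&1 \
            && echo trusted || echo untrusted
    else
        openssl verify -verify_hostname "$name" "$WORKDIR/cert.pem" >/dev/null 2>&1 \
            && echo trusted || echo untrusted
    fi
}

# Expiry check suitable for a cron job: prints "yes" if the certificate expires
# within $1 days, "no" otherwise (openssl -checkend takes seconds).
expires_within_days() {
    openssl x509 -in "$WORKDIR/cert.pem" -noout -checkend $(( $1 * 86400 )) >/dev/null \
        && echo no || echo yes
}

# Usage: run the whole flow once.
make_cert
echo "SAN:                     $(show_san)"
echo "Fingerprint:             $(fingerprint)"
echo "system store only:       $(verify_as_client "" "$HOST")"
echo "cert.pem trusted:        $(verify_as_client "$WORKDIR/cert.pem" "$HOST")"
echo "trusted, wrong hostname: $(verify_as_client "$WORKDIR/cert.pem" "other.internal")"
echo "expires within 30 days:  $(expires_within_days 30)"
```

The third verification (right trust anchor, wrong hostname) is the one people forget: a trusted certificate is only useful for the names it lists, and a client that skips hostname checking would accept the same certificate for any site.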

Important Security Considerations

  • Never use self-signed certificates for public-facing websites. Visitors have no way to tell your certificate from one an attacker generated, so they are either exposed to man-in-the-middle attacks or trained to click through warnings.
  • For testing only: Self-signed certificates are acceptable in controlled development environments.
  • Internal Tools: If using for internal tools, ensure the trust store is properly managed and secured on all client machines, and understand what you are importing. With the default OpenSSL configuration the certificate carries basicConstraints CA:TRUE (check with openssl x509 -text), and you are installing it as a root, so any certificate signed with key.pem, for any hostname, becomes trusted by those clients. For more than a handful of hosts, create a private CA kept offline, sign per-server certificates with it, and distribute only the CA certificate.
  • Certificate Expiry: Self-signed certificates expire after a set period (e.g., 365 days). Renew them before expiry to avoid disruptions; openssl x509 -checkend reports whether a certificate expires within a given number of seconds and is easy to schedule.
  • Private Key Security: Protect your key.pem file! Anyone with access to it can impersonate your server. There is no CRL or OCSP for a self-signed certificate, so the only remedy for a leaked key is to remove the certificate from every trust store you added it to.