Forem: Emily Flias The latest articles on Forem by Emily Flias (@emily-flias). https://forem.com/emily-flias https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1072045%2Fd6155525-ff86-4677-a0a3-77184d047f92.jpg Forem: Emily Flias https://forem.com/emily-flias en How can I set up SSL on https://localhost/ [Updated 2026] Emily Flias Wed, 26 Apr 2023 09:32:33 +0000 https://forem.com/emily-flias/how-can-i-set-up-ssl-on-localhost-httpslocalhost-3f4g https://forem.com/emily-flias/how-can-i-set-up-ssl-on-localhost-httpslocalhost-3f4g <p>Before we start, it's important to note that SSL certificates are typically issued for domain names, not IP addresses or localhost. <br> To serve <a href="https://localhost.co/" rel="noopener noreferrer">https://localhost/</a> in a way that modern browsers accept (no red warning), you need two things:</p> <ol> <li>A certificate whose <strong>Subject Alternative Name (SAN)</strong> includes <code>localhost</code> (and often <code>127.0.0.1</code> and <code>::1</code>).</li> <li>A way for your OS/browser to <strong>trust</strong> the issuing CA (or the certificate itself).</li> </ol> <p>The most reliable developer workflow is to create a <strong>local, trusted CA</strong> and issue a cert for <code>localhost</code>.</p> <h2> Option A (recommended): <code>mkcert</code> (trusted HTTPS with minimal friction) </h2> <p><code>mkcert</code> creates a local certificate authority (CA), installs it into your system trust store, then issues certs for your local domains.</p> <h3> 1) Install <code>mkcert</code> </h3> <ul> <li> <strong>macOS (Homebrew)</strong>: <code>brew install mkcert</code> </li> <li> <strong>Windows (Chocolatey)</strong>: <code>choco install mkcert</code> </li> <li> <strong>Windows (Scoop)</strong>: <code>scoop bucket add extras &amp;&amp; scoop install mkcert</code> </li> <li> <strong>Linux</strong>: install from your distro packages or the project releases; also ensure <code>nss</code> tooling is installed for Firefox trust integration (varies by distro).</li> </ul> <h3> 2) Create and trust a local CA </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mkcert <span class="nt">-install</span> </code></pre> </div> <h3> 3) Generate a cert for localhost </h3> <p>Run this where you want the files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mkcert localhost 127.0.0.1 ::1 </code></pre> </div> <p>This produces files like:</p> <ul> <li> <code>localhost+2.pem</code> (certificate)</li> <li> <code>localhost+2-key.pem</code> (private key)</li> </ul> <h3> 4) Configure your local server to use the cert </h3> <h4> Node.js (Express or plain HTTPS) </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">https</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">https</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">fs</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">app</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./app.js</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// your Express app</span> <span class="nx">https</span><span class="p">.</span><span class="nf">createServer</span><span class="p">(</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">./localhost+2-key.pem</span><span class="dl">"</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">./localhost+2.pem</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="nx">app</span> <span class="p">).</span><span class="nf">listen</span><span class="p">(</span><span class="mi">443</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">HTTPS on https://localhost</span><span class="dl">"</span><span class="p">));</span> </code></pre> </div> <p>If you don’t want root/admin privileges for port 443, use 8443 and browse <code>https://localhost:8443/</code>.</p> <h4> Python (Flask) </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">hello</span><span class="p">():</span> <span class="k">return</span> <span class="sh">"</span><span class="s">hello</span><span class="sh">"</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">ssl_context</span><span class="o">=</span><span class="p">(</span><span class="sh">"</span><span class="s">localhost+2.pem</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">localhost+2-key.pem</span><span class="sh">"</span><span class="p">),</span> <span class="n">port</span><span class="o">=</span><span class="mi">8443</span><span class="p">)</span> </code></pre> </div> <h4> Uvicorn / FastAPI </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uvicorn main:app <span class="nt">--host</span> 127.0.0.1 <span class="nt">--port</span> 8443 <span class="se">\</span> <span class="nt">--ssl-keyfile</span> localhost+2-key.pem <span class="nt">--ssl-certfile</span> localhost+2.pem </code></pre> </div> <h4> Nginx (reverse proxy) </h4> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">localhost</span><span class="p">;</span> <span class="kn">ssl_certificate</span> <span class="n">/path/to/localhost+2.pem</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/path/to/localhost+2-key.pem</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://127.0.0.1:3000</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Option B: Caddy (very convenient local HTTPS) </h2> <p>Caddy can generate and manage a local CA automatically and serve HTTPS locally with minimal configuration.</p> <p>Example <code>Caddyfile</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>localhost { reverse_proxy 127.0.0.1:3000 } </code></pre> </div> <p>Run Caddy and it will handle certs for you (you may need to trust Caddy’s local CA depending on platform prompts).</p> <h2> Option C: OpenSSL self-signed cert (works, but browsers will warn) </h2> <p>This is quick, but you’ll typically see a browser warning unless you manually trust the cert/CA.</p> <p>Modern browsers require SAN, so use an OpenSSL config:</p> <ol> <li>Create <code>localhost.cnf</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[req]</span> <span class="py">default_bits</span> <span class="p">=</span> <span class="s">2048</span> <span class="py">prompt</span> <span class="p">=</span> <span class="s">no</span> <span class="py">default_md</span> <span class="p">=</span> <span class="s">sha256</span> <span class="py">x509_extensions</span> <span class="p">=</span> <span class="s">v3_req</span> <span class="py">distinguished_name</span> <span class="p">=</span> <span class="s">dn</span> <span class="nn">[dn]</span> <span class="py">CN</span> <span class="p">=</span> <span class="s">localhost</span> <span class="nn">[v3_req]</span> <span class="py">subjectAltName</span> <span class="p">=</span> <span class="s">@alt_names</span> <span class="nn">[alt_names]</span> <span class="py">DNS.1</span> <span class="p">=</span> <span class="s">localhost</span> <span class="py">IP.1</span> <span class="p">=</span> <span class="s">127.0.0.1</span> <span class="py">IP.2</span> <span class="p">=</span> <span class="s">::1</span> </code></pre> </div> <ol> <li>Generate cert + key: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openssl req <span class="nt">-x509</span> <span class="nt">-nodes</span> <span class="nt">-days</span> 825 <span class="nt">-newkey</span> rsa:2048 <span class="se">\</span> <span class="nt">-keyout</span> localhost.key <span class="nt">-out</span> localhost.crt <span class="nt">-config</span> localhost.cnf </code></pre> </div> <p>Then point your server to <code>localhost.crt</code> / <code>localhost.key</code>.</p> <p>If you want no warnings, you must add trust manually (varies by OS/browser) or create a local CA and trust it (which is effectively what <code>mkcert</code> automates).</p> <p>Posted on 02 January 2026</p> <ul> <li> <strong>“Certificate not valid for this host”</strong>: your cert is missing SAN entries for <code>localhost</code> or <code>127.0.0.1</code>.</li> <li> <strong>Chrome/Edge caching/HSTS</strong>: if you previously forced HTTPS or hit a bad cert, you may need to clear HSTS for <code>localhost</code> (or use a different hostname like <code>myapp.local</code>).</li> <li> <strong>Firefox trust differs</strong>: on some systems Firefox uses its own store; <code>mkcert -install</code> usually handles this if the right NSS tooling is present.</li> <li> <strong>Port 443 permissions</strong>: on macOS/Linux, binding to 443 may require admin/root; use 8443 or a reverse proxy that listens on 443.</li> <li> <strong>Containers</strong>: if your server runs in Docker, mount the cert/key into the container and reference those paths; trust is still on the host/browser side.</li> </ul> <h2> Practical recommendation </h2> <p>If your goal is simply “make <code>https://localhost/</code> work cleanly in a browser,” use <strong>mkcert</strong> and run your dev server on <strong>8443</strong> (or use a reverse proxy to 443). It’s the fastest path to a trusted cert with correct SANs.</p> <p>If you tell me what stack you’re using (Node/Express, Vite, Next.js, Django, Nginx, IIS, Docker, etc.), I can give the exact config snippet for that specific server.</p> webdev php localhost ssl