Generate a Self-Signed Certificate

Self-signed vs CA-signed — quick mental model

A CA-signed cert is trusted by every browser by default because the CA (Let's Encrypt, DigiCert, …) is in the browser's root store. A self-signed cert is trusted by NOTHING by default — every visitor sees a "Your connection is not private" warning unless they manually trust it. So self-signed is fine for: (a) you trusting your own dev machine, (b) internal networks where you can push the cert to every device's trust store, (c) automated testing. Bad for: public-facing production sites.

How to use it

1. Open Tools → Certificates → Generate → Self-signed cert.
2. Fill in: Common Name (typically localhost for dev, or the internal hostname), Organisation, Country.
3. Add SANs — at least DNS:localhost and IP:127.0.0.1 for dev work; add specific hostnames or IPs as needed.
4. Set Validity: 365 days is typical for dev; some browsers reject certs longer than 825 days even for self-signed.
5. Pick Key type: ECDSA P-256 (modern, smaller) or RSA 2048 (broader compat).
6. Click Generate. You get a .crt + matching .key. Install them in your dev server / app.

How to trust it on your dev machine

macOS: double-click the .crt → Keychain Access → mark as "Always Trust". Linux: copy to /usr/local/share/ca-certificates/ and run update-ca-certificates. Windows: double-click → Install Certificate → Local Machine → Trusted Root Certification Authorities. Browsers: Chrome / Edge use the system store. Firefox has its own — Settings → Privacy → Certificates → Authorities.

Questions and answers

Related tools

• Generate CSR for a real CA →
• Check certificate expiry →
• TLS certificate inspector →