About Daplie: We're taking back the Internet!

Down with Google, Apple, and Facebook!

We're re-decentralizing the web and making it read-write again - one home cloud system at a time.

Tired of serving the Empire? Come join the Rebel Alliance:

jobs@daplie.com | Invest in Daplie on Wefunder | Pre-order Cloud, The World's First Home Server for Everyone

HTTPS certs for localhost development

HTTPS certificates for localhost.daplie.me and similar domains, free for anyone to use in testing and development.

Includes:

localhost.daplie.me
localhost.foo.daplie.me
localhost.bar.daplie.me
localhost.baz.daplie.me
localhost.alpha.daplie.me
localhost.beta.daplie.me
localhost.gamma.daplie.me

Use with any webserver

git clone https://git.daplie.com/Daplie/localhost.daplie.me-certificates.git

The relevant fullchain.pem and privkey.pem are probably all you need to plug into the configuration of your webserver.

localhost.daplie.me-certificates/certs
├── localhost.daplie.me
│   ├── cert.pem
│   ├── chain.pem
│   ├── fullchain.pem
│   └── privkey.pem
├── www.localhost.daplie.me
├── api.localhost.daplie.me
├── assets.localhost.daplie.me
├── cloud.localhost.daplie.me
├── api.cloud.localhost.daplie.me

├── foo.localhost.daplie.me
├── bar.localhost.daplie.me
├── baz.localhost.daplie.me

├── alpha.localhost.daplie.me
├── beta.localhost.daplie.me
├── gamma.localhost.daplie.me

├── localhost.foo.daplie.me
├── localhost.bar.daplie.me
├── localhost.baz.daplie.me

├── localhost.alpha.daplie.me
├── localhost.beta.daplie.me
└── localhost.gamma.daplie.me

node.js

// use our defaults with SNICallback already enabled for these domains
var httpsOptions = require('localhost.daplie.me-certificates').merge({});

// or create you own
var tlsContexts = require('localhost.daplie.me-certificates').getAllTlsContexts({});
var httpsOptions = {
  key: tlsContexts['localhost.daplie.me'].key
, cert: tlsContexts['localhost.daplie.me'].cert
, httpsOptions.SNICallback = function (servername, cb) {
    if (tlsContexts[servername]) {
      cb(null, tlsContexts[servername]);
      return;
    }
    cb(null, tlsContexts['localhost.daplie.me']);
  }
};

For the sake of keywords: most people (including myself) think of these as "SSL certificates" but they are, in fact, signed RSA keypairs used for TLS encryption.

Install

# for use with any webserver 
git clone https://git.daplie.com/Daplie/localhost.daplie.me-certificates.git ./certs
 
# as a node.js library 
npm install --save localhost.daplie.me-certificates
 
# a quick and easy https server 
npm install -g serve-https

├── privkey.pem           # private key in PEM format
├── cert.pem              # site certificate only
├── chain.pem             # intermetiate certificate only
└── fullchain.pem         # cert.pem + chain.pem

Usage

QuickStart

With bash

# serve https://localhost.daplie.me from current directory 
serve-https
 
# serve from another directory and with an express app 
serve-https -d /path/to/public/ --express-app /path/to/app.js

With https

var https = require('https');
var httpsOptions = require('localhost.daplie.me-certificates').merge({});
var server = https.createServer(httpsOptions, function (req, res) {
  res.end("Hello, World!");
});
 
server.listen(443, function () {
  console.log("Ready and listening at");
  console.log("https://localhost.daplie.me:443/");
});

Or with tls.createSecureContext:

var tls = require('tls');
var httpsOptions = require('localhost.daplie.me-certificates').mergeTlsOptions('localhost.daplie.me', {});
var tlsContext = tls.createSecureContext(httpsOptions);

API

merge(opts) will merge our defaults into your opts object (preferring options you have set)
create(opts) will create a new object with our defaults and your opts (preferring your options if both are set)
mergeTlsOptions(servername, opts) will merge keys for the specified servername into your opts object
getAllTlsContexts(opts) will get or create cache of contexts for all available *.daplie.me testing domains
getTlsContext(servername, opts) will get or create cache for specified <servername>.daplie.me testing domain

Our defaults:

{
  key: '<<privkey.pem>>'
, cert: '<<cert.pem + chain.pem>>'            // for localhost.daplie.me
, ca: undefined
, crl: undefined
, requestCert: false
, rejectUnauthorized: true
, SNICallback: function (domainname, cb) {
    cb(null, secureContext);
  }
  , NPNProtocols: ['http/1.1']
}

Public Suffix List

Note that daplie.me has been included in the Public Suffix List and that localhost.daplie.me has been submitted

This means that security policies around Cookies, LocalStorage, etc will treat daplie.me as if it were a tld (foo.daplie.me has the same security policy as foo.com) and that localhost.daplie.me will also be treated as a tld, if included.

Your Own Localhost Certs

Install the tools

npm install -g daplie-tools
npm install -g serve-https

daplie domains:search

Set the domain to localhost

# for example: if you registered foo.daplie.me and wanted to use localhost.foo.daplie.me
daplie domains:attach -n localhost.foo.daplie.me -d localhost

Start a greenlock / letsencrypt / ACME enabled server

serve-https -d /tmp --email john.doe@example.com --agree-tos --servername localhost.foo.daplie.me

Test the domain

curl https://localhost.foo.daplie.me:8443

The certificates will be available in the letsencrypt directory

~/letsencrypt/etc/live/localhost.daplie.me/
├── cert.pem
├── chain.pem
├── fullchain.pem
└── privkey.pem

Sometimes the very first time you try you get a SERVFAIL for the dns-01 challenge. If that happens it's probably just a DNS caching issue. Wait about 5 minutes (600 seconds) and try again.

Manual Setup

If you've done this kind of thing before:

git clone https://git.daplie.com/Daplie/localhost.daplie.me-certificates.git ./certs

Misnomer Alert: Most webservers and software call for a keypair consisting of server.crt and server.key. In most cases these actually correspond to fullchain.pem (crt) and privkey.pem (key).

https://localhost.daplie.me is an alias for https://localhost or https://127.0.0.1.

The benefit of using this certificate for localhost development is that you will have the exact same security policies and APIs available in development as you would have in production.

Let's Encrypt Certificate Conventions

The certificates are named according to the Let's Encrypt conventions:

privkey.pem - the server private key
cert.pem - includes the bare server certficate only
chain.pem - includes intermediate certificates only
fullchain.pem - includes cert.pem and chain.pem
root.pem - (proposed) includes any Root CAs

This convention is still subject to change. See https://github.com/letsencrypt/letsencrypt/issues/608 and https://groups.google.com/a/letsencrypt.org/forum/#!topic/client-dev/jE5uK4lPx5g to follow the conversation.

Screencast + Article

Create a CSR in PEM format for your HTTPS cert

Examine HTTPS Certs with OpenSSL in Terminal

Examples

node.js

Quick and Dirty:

npm install --save-dev localhost.daplie.me-certificates

'use strict';
 
var https = require('https');
var server = https.createServer(require('localhost.daplie.me-certificates').create());
var port = process.argv[2] || 8443;
 
server.on('request', function (req, res) {
  res.end('[' + req.method + ']' + ' ' + req.url);
});
server.listen(port, function () {
  console.log('Listening', server.address());
});

https://localhost.daplie.me:8443/

DIY

Instead of simply requiring localhost.daplie.me-certificates you will clone the certs yourself and provide the options object.

git clone https://git.daplie.com/Daplie/localhost.daplie.me-certificates.git ./certs

var fs = require('fs');
var path = require('path');
var certsPath = path.join(__dirname, 'certs');
 
//
// SSL Certificates
//
var options = {
  key: fs.readFileSync(path.join(certsPath, 'privkey.pem'), 'ascii')
, cert: fs.readFileSync(path.join(certsPath, 'fullchain.pem'), 'ascii')
/*
  // only for verification
, ca: [
    fs.readFileSync(path.join(certsPath, 'root.pem'))
  ]
, requestCert: true
*/
, rejectUnauthorized: true
, SNICallback: function (domainname, cb) {
    // normally we would check the domainname choose the correct certificate,
    // but for this demo we'll always use this one (the default) instead
    cb(null, require('tls').createSecureContext(options));
  }
, NPNProtcols: ['http/1.1']
};
 
var server = https.createServer(options);

Caddy

TODO

How this was created

I created a directory ~/Code/localhost.daplie.me-certificates (this repository, actually) and ran the following commands from that directory:

01 Create a Private Key

01-create-key.sh:

mkdir -p certs/server
openssl genrsa \
  -out certs/server/privkey.pem \
  2048

02 Create a Certificate Signing Request (CSR)

02-create-csr.sh:

mkdir -p certs/tmp
openssl req -new \
  -sha256 \
  -key certs/server/privkey.pem \
  -out certs/tmp/csr.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=Daplie Inc/CN=localhost.daplie.me"

03 Copy and Paste the CSR to name.com's console

cat certs/tmp/csr.pem:

04 Follow Validation Procedure

I bought the domain on name.com so I could have used the automatic validation process, but since I have my GLUE records and DNS management for the daplie.com DNS elsewhere and I didn't want to go through the hassle of the validation records, I used the registered admin email address (which I happened to already have setup through mailgun).

This is the email I got:

ORDER APPROVAL

Dear Domain Administrator,

You are receiving this email because you are the Domain Administrator for localhost.daplie.me and the person identified below has requested a RapidSSL certificate for:

localhost.daplie.me


Applicant Information:
     Name:   AJ ONeal
     Email:  coolaj86@gmail.com
     Phone:  +1.3175556525

AJ ONeal requests that you come to the URL below to review and approve this certificate request:

     https://products.geotrust.com/orders/A.do?p=Ac8lMXMpxHsbZVlWJwBcF

Please follow the above link and click either the I APPROVE or I DO NOT APPROVE button.

When you click I APPROVE the certificate will be issued and emailed to the Applicant, Approver, and Technical contacts.

If you click I DO NOT APPROVE the certificate application will be cancelled.

Thanks,

RapidSSL Customer Support
http://www.rapidssl.com/support
Hours of Operation: Mon - Fri 09:00 - 17:00 (EST)
Email:     orderprocessing@rapidssl.com
Live Chat: https://knowledge.rapidssl.com/support/ssl-certificate-support/index.html

And once I clicked the link, this was the confirmation email I got back:

Dear AJ ONeal,

Congratulations! RapidSSL has approved your request for a RapidSSL certificate. Your certificate is included at the end of this email.

INSTALLATION INSTRUCTIONS

1. INSTALL CERTIFICATE:
Install the X.509 version of your certificate included at the end of this e-mail.
For installation instructions for your SSL Certificate, go to:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO16226

2. INTERMEDIATE CERTIFICATE ADVISORY:
You MUST install the RapidSSL intermediate Certificate on your server together with your Certificate or it may not operate correctly.

** MICROSOFT IIS and TOMCAT USERS
Microsoft and Tomcat users are advised to download a PKCS #7 formatted certificate from the GeoTrust User Portal:
https://products.geotrust.com/orders/orderinformation/authentication.do. PKCS #7 is the default format used by these vendors during installation and includes the intermediate CA certificate.

You can get your RapidSSL Intermediate Certificates at:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548

3. CHECK INSTALLATION:
Ensure you have installed your certificate correctly at:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1549

4. INSTALL THE RAPIDSSL SITE SEAL:
Additionally, as part of your SSL Certificate Service, you are entitled to display the RapidSSL Site Seal - recognized across the Internet and around the world as a symbol of authenticity, security, and trust - to build consumer confidence in your Web site.

Installation instructions for the RapidSSL Site Seal can be found on the following link:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14424&actp=LIST&viewlocale=en_US

If you require additional technical support please contact Name.com.

Web Server CERTIFICATE
-----------------

-----BEGIN CERTIFICATE-----
MIIEqzCCA5OgAwIBAgIDBPiXMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy
NTYgQ0EgLSBHMzAeFw0xNTA2MDkwOTI3NDJaFw0xNjA2MTEyMDA4MDdaMIGYMRMw
EQYDVQQLEwpHVDcyMjM4NTY5MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv
bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW
YWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEdMBsGA1UEAxMUbG9jYWxob3N0LmRhcGxp
ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd49Z2PuWyX9qF
lURgq8E0OzMP6szDLutkYBmWsDdnekEw0mAUgmXcrhKcDog8ugDvcVqqOlice8ru
mL9OLMmRG3ObSzLV++2ETgBexpEawSJKj7UpCpw2EJtMFvSPXrHIMhkN4rUkh1Pz
oo7+i4/MVIoDPljPgxPOtFNStECA/3kD2DlkIY/wOlkF8T1lg7A8Q92aVXiyIHmX
ubrHdT4bhr4YRbyvltEB2eA+z4LLyqz+kMKHN1TYhMJUGur/C/Le3sNrhF2veqOC
dPBomTwpWwJ4PPmN0kqeT0N3D1CJVrt4Uj8W9N7fPsguYAehs5e06MCcAT3Dl1Eq
NNEJw/elAgMBAAGjggFMMIIBSDAfBgNVHSMEGDAWgBTDnPP800YINLvORn+gfFvz
4gjLWTBXBggrBgEFBQcBAQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9ndi5zeW1j
ZC5jb20wJgYIKwYBBQUHMAKGGmh0dHA6Ly9ndi5zeW1jYi5jb20vZ3YuY3J0MA4G
A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYD
VR0RBBgwFoIUbG9jYWxob3N0LmRhcGxpZS5jb20wKwYDVR0fBCQwIjAgoB6gHIYa
aHR0cDovL2d2LnN5bWNiLmNvbS9ndi5jcmwwDAYDVR0TAQH/BAIwADBBBgNVHSAE
OjA4MDYGBmeBDAECATAsMCoGCCsGAQUFBwIBFh5odHRwczovL3d3dy5yYXBpZHNz
bC5jb20vbGVnYWwwDQYJKoZIhvcNAQELBQADggEBAGlPWTo4Z7oS6E5QPVhFr0kH
wdyGqFD3u93Nxa9L2Hfs2UrpJhhrliux/C9mxgk1O1bgVGhVvQNhiTUBSkJaIMCQ
aG5cQPBLV5u+vK+YFJHK8F+C0/vKU/xcEp4Ae1JNkIoXnfdPbGGbIS82HYp2uveD
dtv5/hqIdLfT6TRFZ7IbhCvTR0iYzPRsOB68PSWKHyVcolK2EHIHdo7Zjs/0tEF5
+4g/NKqX7zAMtMwQ9puPxm6M4BDnJjfiicH+4SeaRG72qpV56mHAeEOeIB4WQ61d
QyTmfubJfT/S1IBFfwqLln/Kf3PGyOvoOYocFpkfHvzFrviqljDDIyfVWx7hQpE=
-----END CERTIFICATE-----

05 Create Files from the provided Certificate (and intermediates)

Domain Name

localhost.daplie.me

Server Certificate

cert.pem:

CA Certificates

INTERMEDIATE

intermediate.crt.pem:

ROOT

root.crt.pem:

06 Bundle the certificates (for Caddy et al)

cat server/privkey.pem > privkey.pem
 
cat server/cert.pem > cert.pem
 
cat ca/intermediate.crt.pem > chain.pem
 
cat server/cert.pem ca/intermediate.crt.pem > fullchain.pem
 
cat server/ca.crt.pem > root.pem

Note: The order may be important. It should be from least to greatest authority as seen above.

localhost.daplie.me-certificates

About Daplie: We're taking back the Internet!

HTTPS certs for localhost development

Use with any webserver

node.js

Install

Usage

QuickStart

API

Public Suffix List

Your Own Localhost Certs

Manual Setup

Let's Encrypt Certificate Conventions

Screencast + Article

Examples

node.js

Caddy

How this was created

01 Create a Private Key

02 Create a Certificate Signing Request (CSR)

03 Copy and Paste the CSR to name.com's console

04 Follow Validation Procedure

05 Create Files from the provided Certificate (and intermediates)

Domain Name

Server Certificate

CA Certificates

INTERMEDIATE

ROOT

06 Bundle the certificates (for Caddy et al)

Readme

Keywords

Package Sidebar

Install

Repository

Homepage

Weekly Downloads

Version

License

Last publish

Collaborators

localhost.daplie.me-certificates

About Daplie: We're taking back the Internet!

HTTPS certs for localhost development

Use with any webserver

node.js

Install

Usage

QuickStart

API

Public Suffix List

Your Own Localhost Certs

Manual Setup

Let's Encrypt Certificate Conventions

Screencast + Article

Examples

node.js

Caddy

How this was created

01 Create a Private Key

02 Create a Certificate Signing Request (CSR)

03 Copy and Paste the CSR to name.com's console

04 Follow Validation Procedure

05 Create Files from the provided Certificate (and intermediates)

Domain Name

Server Certificate

CA Certificates

INTERMEDIATE

ROOT

06 Bundle the certificates (for Caddy et al)

Readme

Keywords

Package Sidebar

Install

Repository

Homepage

DownloadsWeekly Downloads

Version

License

Last publish

Collaborators

Weekly Downloads