Generating valid self signed certificates for localhost development

Recently upgraded your Ruby version and had trouble with your self-signed certs, or looking for some simple instructions on creating valid self-signed certificates for localhost development? Here are a few tips to get you up and running again.

These days I seem to spend more of my time writing Ruby, Java and Objective-C apps that connect to the platform. Very often these apps are webapps using remote access providers created on One of the requirements of creating a remote access provider is that you need to specify a callback URL for handling the OAuth "dance". This callback URL must use https for obvious reasons.

I recently had an article published on the Heroku Dev Center describing how to use the Omniauth adapter for handling OAuth from a Rails app. One of the steps discussed was the need to generate a self-signed certificate for allowing your local web server to accept https callbacks. As part of that discussion I pointed to some other web resources which stepped you through how to create these certs. Since the publication I have had a number of people contact me for more information on how to create the certificates, and more recently, many people have found their certificates no longer work after upgrading their Ruby environment.

Long story short, more recent versions of Ruby (those greater than 1.8.7) now enforce some stronger security checks, one of which is the correct verification of the common name of your certificate. Whilst I bumped up against this change in Ruby and Rails, I suspect many other languages and web servers will (or do) require valid common names as part of your certificates. So, here is a brief list of the commands you need to create valid certs for local development. Note: I am using openssl on a Mac, but I suspect the Java keytool works very similarly.

1. Generate your server key

$ openssl genrsa -des3 -out server.key 1024

You will be prompted for a password for your key. Enter, confirm and continue.


2. Generate your Certificate Signing Request (CSR)

$ openssl req -new -key server.key -out server.csr

You will be prompted again for your key password. Enter the one you created from step 1 above. You can then accept the defaults for all of the prompts you are presented with except the Common Name. This is key, and what makes the enhanced certificate validation happy. Since we are doing local development your common name will be "localhost". 

Common Name (eg, YOUR name) []:localhost


3. Generate your Certificate

Lastly we need to create our certificate. Again, use your key password and you will be all set.

$ openssl x509 -req -days 1024 -in server.csr -signkey server.key -out server.crt


That's it. Simply follow the instructions for setting up your web server to support https and you can use the remote access providers to handle OAuth callbacks.
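
The common name check described above can be reproduced with Ruby's openssl standard library, which exposes it as `OpenSSL::SSL.verify_certificate_identity`. This is an added example, not code from the original post; the helper names, the host `devbox.example.test` and the 2048-bit key are constructed for illustration.

```ruby
require "openssl"

# One throwaway RSA key shared by the constructed certificates below.
# 2048 bits is an assumption of this example, not a value from the steps above.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)

# Build an in-memory self-signed certificate; nothing is written to disk.
def self_signed_cert(common_name, san: nil)
  name = OpenSSL::X509::Name.new([["CN", common_name]])
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                    # X.509 v3, needed for extensions
  cert.serial     = rand(1..2**62)
  cert.subject    = name
  cert.issuer     = name                 # self-signed: issuer equals subject
  cert.public_key = DEMO_KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 30 * 86_400
  if san
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
  end
  cert.sign(DEMO_KEY, OpenSSL::Digest.new("SHA256"))
end

# The name check from Ruby's openssl library: does the cert cover this host?
def covers?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Run the check over four constructed certificates.
def demo_results
  cn_only   = self_signed_cert("localhost")
  wrong_cn  = self_signed_cert("devbox.example.test")
  with_san  = self_signed_cert("localhost", san: "DNS:localhost,IP:127.0.0.1")
  other_san = self_signed_cert("localhost", san: "DNS:devbox.example.test")
  {
    cn_localhost:     covers?(cn_only, "localhost"),
    cn_mismatch:      covers?(wrong_cn, "localhost"),
    san_name:         covers?(with_san, "localhost"),
    san_ip:           covers?(with_san, "127.0.0.1"),
    san_overrides_cn: covers?(other_san, "localhost"),
  }
end

demo_results.each { |label, ok| puts "#{label}: #{ok}" } if __FILE__ == $PROGRAM_NAME
```

The last case shows that once a certificate carries a subjectAltName DNS entry, the library matches against that entry and no longer falls back to the common name.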

