Installing a Valid Certificate on a Dev Server

I’m building a mobile web app that needs to work offline, and for that I’m using HTML5 standards. This includes having a manifest file with a list of all resources that the app will need. Unfortunately, when accessing the manifest via HTTPS, this is what Safari tells me:

Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “[yourserver]”, which could put your confidential information at risk.

This means that, although everything works as expected while online, it will not work offline… If I want to access the manifest file via HTTPS, I will need a valid certificate. And I really want to test the combination of offline and HTTPS! :)

The solution seems obvious, right? All I need to do is get a valid certificate for my dev server! Here are 3 ways that will get you there:

Option 1 — Let’s Encrypt

If your server is accessible through the internet and you have a valid DNS name, you can get a valid certificate for free! Check the Let’s Encrypt website, where you’ll find detailed instructions on how to generate and install a certificate on your server.

Unfortunately, my server is only available on the internal network, so Let’s Encrypt doesn’t work for me. This leads me to solution #2:

Option 2 — ngrok

ngrok is a tool that allows you to expose an internal server to the internet. It’s really easy to set up and use, and once you do, you have the ability to access your application from anywhere, either using HTTP or HTTPS.

On the free version, you get weird URLs like the one in the image (https://05f22db7.ngrok.io), but for $5 a month you can pick your own name.

ngrok, running on a Windows box, redirecting that weird URL to localhost:80

This is quite a good option, but I’m guessing IT will get really mad at me if I expose my development machine to the whole world. Which leaves me option #3:

Option 3 — Create your own certificates

If all you want to do is use your development devices to access your server, you can create your own certificates and mark them as “trusted”.

To generate the certificates, I used openssl. Note that IIS can generate self-signed certificates, but you will not be able to mark them as trusted, at least not in iOS…

Step one of generating a certificate is creating your own private key:

openssl genrsa -out private.key 2048

Once that’s done, you can create your self-signed certificate by running the following command (replacing myserver with the host name you’ll use to access your server).

openssl req -new -x509 -sha256 -key private.key -out myselfsigned.cer -days 365 -subj /CN=myserver

This will create a certificate that you can now install on your app server. If you’re using Apache or nginx, these are all the files you need. If you’re using IIS, you’ll need to create a PFX file that you can later import.

openssl pkcs12 -export -out myselfsigned.pfx -inkey private.key -in myselfsigned.cer

Note that this will enable SSL on your server, but your device will not trust the certificate!

To make the device trust it, you need to send the CER file to your device. The simplest way to do this is to just send it by email. You can then click the certificate file and go through the several steps that it takes to accept the certificate.
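The key and certificate steps above as one script, added here as an example that is not the author's own: it also sets a subjectAltName, because current browsers and iOS match the host name against that extension rather than the CN, and it checks the result before you copy the file to a device. The function names, the req.cnf file and the sample host name are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names, req.cnf and the host name are assumptions.

# make_dev_cert HOST DIR: write DIR/private.key and DIR/myselfsigned.cer
make_dev_cert() {
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    # A config file is used instead of -addext so older OpenSSL builds work too.
    # CA:TRUE mirrors what the stock openssl.cnf sets for `req -x509`.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
basicConstraints = critical, CA:TRUE
extendedKeyUsage = serverAuth
EOF
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -sha256 -key "$dir/private.key" \
        -out "$dir/myselfsigned.cer" -days 365 -config "$dir/req.cnf"
}

# cert_has_san CERT HOST: succeed only if CERT lists exactly DNS:HOST as a SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | tr -d ' ' \
        | grep -qxF "DNS:$2"
}

# cert_matches_key CERT KEY: succeed only if both hold the same public key,
# which catches pairing the certificate with the wrong private.key
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (sample host name):
#   make_dev_cert myserver ./certs && cert_has_san ./certs/myselfsigned.cer myserver
```

Keep private.key on the server only; the CER file is the only piece that goes to the devices.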

Below you can find a few screenshots for both iOS and Android. Note that in Android you’ll get a warning when using a self-signed certificate, reminding you that you may be monitored by a 3rd party…

After clicking install a few times on iOS, your certificate will be valid!
In Android you need to name your certificate, and you’ll get a notification warning you of a potential security risk.

Your certificate is now trusted

And that’s it! Following any of these 3 methods, you’ll have a certificate that your device will trust!

Which of these methods do you prefer? Is there any other alternative that we missed? Let me know in the comments! Thanks!