Generate self-signed SSL/TLS certificates for local development and testing. Includes Subject Alternative Names support
Need a self-signed certificate for local development or internal testing? Generate one here in seconds: set the Common Name, Subject Alternative Names, validity period, and RSA key size, then download the certificate and private key as PEM. Everything is generated locally in your browser with node-forge.
Initializing in your browser…
Generate Certificate Signing Requests (CSR) for SSL/TLS certificates with RSA key pairs. Submit to CAs for certificate issuance
Decode and analyze PEM-encoded X.509 SSL/TLS certificates. View subject, issuer, validity, extensions, and fingerprints
Check if a website has valid SSL/TLS certificate. Verify HTTPS connection and get tools for detailed certificate analysis
You need HTTPS on a local dev box (https://localhost:8443) without paying a CA or fighting an internal PKI.
Inputs
CN localhost · SAN localhost, 127.0.0.1 · Validity 365 days · Key RSA 2048
Cert + key (PEM)
-----BEGIN CERTIFICATE----- (server.crt, self-signed) -----BEGIN PRIVATE KEY----- (server.key, load into your dev server) Note: browsers will warn "not trusted" until you add this cert to your OS/browser trust store, expected for self-signed.
A self-signed certificate is signed by its own key rather than a trusted CA, which is perfectly fine for local development and internal testing. Including `127.0.0.1` and `localhost` as SANs is essential, modern browsers reject certs that lack a matching SAN even on localhost. Everything is generated client-side.
Need a self-signed certificate for local development or internal testing? Generate one here in seconds: set the Common Name, Subject Alternative Names, validity period, and RSA key size, then download the certificate and private key as PEM. Everything is generated locally in your browser with node-forge.
This generator builds a complete X.509 certificate entirely in your browser using the node-forge library. It calls forge.pki.rsa.generateKeyPair to produce an RSA key pair (the only key type offered, with a dropdown of 2048 bits labeled 'recommended', 3072, and 4096 labeled 'strongest'), then self-signs the certificate with SHA-256 via forge.md.sha256.create. Because it is self-signed, the issuer Distinguished Name is set equal to the subject DN, the serial number is derived from the current timestamp ('01' plus Date.now() in hex), notBefore is set to the moment of generation and notAfter to that date plus the chosen validity period. Validity is picked from five presets - 30 days, 90 days, 1 year (the default), 2 years, and 10 years - and a live line shows the exact 'valid from / to' dates before you generate.
The subject DN is assembled from standard fields: Common Name (CN, the only required field, defaulting to 'localhost'), Organization (O), Organizational Unit (OU), City/Locality (L), State/Province (ST), and a two-letter Country code (C) that is uppercased automatically and capped at two characters. Subject Alternative Names are entered as a comma-separated list (default 'localhost,127.0.0.1'); each entry is tested against the regex /^(\d{1,3}\.){3}\d{1,3}$/ and emitted as an IP SAN (GeneralName type 7) when it looks like an IPv4 address, otherwise as a DNS SAN (type 2) - which is why wildcard entries like *.local go in as DNS names. This matters because modern browsers ignore the CN for hostname matching and require the served hostname to appear in subjectAltName, so the SAN field, not the CN, is what makes the cert actually validate against a given domain.
Every generated certificate carries a fixed extension set: basicConstraints with the cA flag toggled by the 'Create as CA certificate' checkbox, keyUsage with digitalSignature and keyEncipherment always on (plus keyCertSign when CA mode is enabled), and extKeyUsage marked for both serverAuth and clientAuth, so the cert works for TLS servers and client authentication out of the box. Output is three PEM blocks rendered as copyable, downloadable text: the certificate (saved as <CN>.crt), the RSA private key (<CN>.key, flagged 'Keep Secret'), and the public key (<CN>.pub); a 'Download All' button concatenates the certificate and private key into a single <CN>-combined.pem. The in-app How-to-Use panel maps the output to https.createServer({ key, cert }) for Node.js, ssl_certificate/ssl_certificate_key for Nginx, and SSLCertificateFile/SSLCertificateKeyFile for Apache. As the page's own banner warns, these are for development and testing only - browsers will show a warning until you add the certificate to the system trust store, since no real Certificate Authority vouches for it.
Keep CN as 'localhost', set SAN to 'localhost,127.0.0.1,*.local'. The tool emits 127.0.0.1 as an IP SAN and the other two as DNS SANs, picks RSA 2048-bit and 365-day validity, and gives you a .crt and .key you can pass straight to https.createServer({ key, cert }).
Tick 'Create as CA certificate', choose 4096-bit and the 10-year (3650-day) preset. basicConstraints is set with cA=true and keyUsage gains keyCertSign, producing a root you can install in your trust store to sign other development certs.
Run your dev server over HTTPS without buying a certificate or setting up Let's Encrypt locally.
Encrypt traffic between internal services on a private network where public CA trust isn't needed.
Generate throwaway certs to test server TLS settings, cipher suites, and client certificate validation.
Not by default. You'll see a security warning that you can bypass for development. For production, use a certificate from a trusted CA.
For local dev, 365 days is typical. For internal services, match your organization's certificate rotation policy.
This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.