Loading tool...
Generate Certificate Signing Requests (CSR) for SSL/TLS certificates with RSA key pairs. Submit to CAs for certificate issuance
Decode and analyze PEM-encoded X.509 SSL/TLS certificates. View subject, issuer, validity, extensions, and fingerprints
Check if a website has valid SSL/TLS certificate. Verify HTTPS connection and get tools for detailed certificate analysis
Generate self-signed SSL/TLS certificates instantly for local development, testing, and internal applications without requiring a Certificate Authority. Self-signed certificates enable HTTPS in development environments, Docker containers, and internal tools, allowing developers to test SSL/TLS implementations before deployment. This tool generates certificates with custom Subject Alternative Names (SANs) supporting localhost, IP addresses (127.0.0.1, ::1), and custom domains, enabling certificates to work with various local development scenarios. Configure the validity period from 30 days to 10 years and select RSA key sizes (2048, 3072, 4096 bits) based on your security requirements. Optionally generate a CA certificate for signing multiple certificates, useful for testing complete certificate chains. All keys are generated entirely in your browser using WebCrypto API—no server involvement, no data transmission, ensuring complete privacy and offline functionality. Download certificates and keys in PEM format, ready for nginx, Apache, Node.js, and other servers. Server configuration examples guide setup.
Generate certificates for localhost development, enabling local testing of HTTPS-dependent features.
Test SSL/TLS implementations, cipher suites, and certificate handling with complete control over certificate details.
Generate certificates for Docker containers and Kubernetes pods, enabling internal HTTPS communication.
Create certificates for internal-only applications and services that don't require CA-issued certificates.
Enable HTTPS in development environments to match production requirements and test security-related features.
Generate CA certificates for signing other certificates, enabling complete certificate chain testing scenarios.
TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) provide encrypted communication between clients and servers, forming the security foundation of HTTPS. The TLS handshake establishes a secure connection through a multi-step process: the client sends a ClientHello listing supported cipher suites and TLS versions, the server responds with its certificate and chosen parameters, the client verifies the certificate and generates a pre-master secret encrypted with the server's public key, and both sides derive symmetric session keys for encrypting subsequent data. This process authenticates the server's identity and establishes encrypted communication in a fraction of a second.
Self-signed certificates are certificates where the issuer and subject are the same entity, meaning the certificate is signed with its own private key rather than by a trusted Certificate Authority. They are cryptographically identical to CA-signed certificates in terms of the encryption they enable: the TLS handshake proceeds the same way, and the resulting encrypted connection provides the same confidentiality and integrity guarantees. The critical difference is trust. Browsers maintain a curated list of trusted root CAs, and certificates signed by these CAs (or their intermediates) are automatically trusted. Self-signed certificates are not in any trust store, which is why browsers display security warnings when encountering them.
In development environments, self-signed certificates serve essential purposes. Many modern web APIs require a secure context (HTTPS) to function, including Service Workers, Geolocation, WebRTC, Web Crypto, and the Clipboard API. Developing with HTTP means these features are unavailable, creating a gap between the development and production environments. Self-signed certificates bridge this gap by enabling local HTTPS. Tools like mkcert simplify this process by creating a local CA, installing it in the system trust store, and generating certificates signed by that local CA, eliminating browser warnings during development while maintaining the untrusted status of these certificates outside the developer's machine.
The security distinction between self-signed and CA-signed certificates is paramount for production environments. CA-signed certificates provide identity verification: a trusted third party has confirmed that the certificate holder controls the specified domain. Self-signed certificates offer no such assurance because anyone can create one claiming to be any domain. In production, using a self-signed certificate would allow man-in-the-middle attacks because clients cannot verify the server's identity. Let's Encrypt, a free and automated Certificate Authority launched in 2015, has largely eliminated the cost and complexity barriers that once made self-signed certificates tempting for production use, issuing over 300 million active certificates and making properly trusted HTTPS accessible to everyone.
Self-signed certificates are not trusted by browsers because they are not issued by a known Certificate Authority. This is normal for development use.
No. Self-signed certificates should only be used for development and testing. For production, use certificates from a trusted CA like Let's Encrypt.
All processing happens directly in your browser. Your files never leave your device and are never uploaded to any server.