Skip to main content
L
Loopaloo
Buy Us a Coffee
All ToolsImage ProcessingAudio ProcessingVideo ProcessingDocument & TextPDF ToolsCSV & Data AnalysisConverters & EncodersWeb ToolsMath & ScienceGames
Guides & BlogAboutContact
Buy Us a Coffee
L
Loopaloo

Free online tools for developers, designers, and content creators. All processing happens entirely in your browser - your files never leave your device. No uploads, no accounts, complete privacy.

support@loopaloo.com

Tool Categories

  • Image Tools
  • Audio Tools
  • Video Tools
  • Document & Text
  • PDF Tools
  • CSV & Data
  • Converters
  • Web Tools
  • Math & Science
  • Games

Company

  • About Us
  • Contact
  • Blog
  • FAQ

Legal

  • Privacy Policy
  • Terms of Service
  • Disclaimer

Support

Buy Us a Coffee

© 2026 Loopaloo. All rights reserved. Built with privacy in mind.

Privacy|Terms|Disclaimer
  1. Home
  2. Web Tools
  3. Self-Signed Certificate Generator
Add to favorites

Self-Signed Certificate Generator

Generate self-signed SSL/TLS certificates for local development and testing. Includes Subject Alternative Names support

Need a self-signed certificate for local development or internal testing? Generate one here in seconds: set the Common Name, Subject Alternative Names, validity period, and RSA key size, then download the certificate and private key as PEM. Everything is generated locally in your browser with node-forge.

Runs locally in your browserMore web toolsJump to full guide

Related reading

  • Understanding SSL/TLS Certificates: How HTTPS Keeps the Web Secure14 min read

Initializing in your browser…

You might also like

CSR Generator

Generate Certificate Signing Requests (CSR) for SSL/TLS certificates with RSA key pairs. Submit to CAs for certificate issuance

Certificate Decoder

Decode and analyze PEM-encoded X.509 SSL/TLS certificates. View subject, issuer, validity, extensions, and fingerprints

SSL Certificate Checker

Check if a website has valid SSL/TLS certificate. Verify HTTPS connection and get tools for detailed certificate analysis

Self-Signed Certificate Generator: a worked example

You need HTTPS on a local dev box (https://localhost:8443) without paying a CA or fighting an internal PKI.

Inputs

CN localhost · SAN localhost, 127.0.0.1 · Validity 365 days · Key RSA 2048
Self-Signed Certificate Generator produces

Cert + key (PEM)

-----BEGIN CERTIFICATE-----  (server.crt, self-signed)
-----BEGIN PRIVATE KEY-----  (server.key, load into your dev server)

Note: browsers will warn "not trusted" until you add this cert
to your OS/browser trust store, expected for self-signed.

A self-signed certificate is signed by its own key rather than a trusted CA, which is perfectly fine for local development and internal testing. Including `127.0.0.1` and `localhost` as SANs is essential, modern browsers reject certs that lack a matching SAN even on localhost. Everything is generated client-side.

About the Self-Signed Certificate Generator

Need a self-signed certificate for local development or internal testing? Generate one here in seconds: set the Common Name, Subject Alternative Names, validity period, and RSA key size, then download the certificate and private key as PEM. Everything is generated locally in your browser with node-forge.

Key features

  • RSA key generation
  • Custom validity period
  • SAN support for multiple hostnames
  • PEM-formatted cert and key output
  • Client-side generation with node-forge

How to use

  1. 1Enter the Common Name (e.g., localhost or an internal hostname).
  2. 2Add any Subject Alternative Names (e.g., localhost, 127.0.0.1).
  3. 3Set the validity period in days and the RSA key size.
  4. 4Download the certificate and private key.

How it works

This generator builds a complete X.509 certificate entirely in your browser using the node-forge library. It calls forge.pki.rsa.generateKeyPair to produce an RSA key pair (the only key type offered, with a dropdown of 2048 bits labeled 'recommended', 3072, and 4096 labeled 'strongest'), then self-signs the certificate with SHA-256 via forge.md.sha256.create. Because it is self-signed, the issuer Distinguished Name is set equal to the subject DN, the serial number is derived from the current timestamp ('01' plus Date.now() in hex), notBefore is set to the moment of generation and notAfter to that date plus the chosen validity period. Validity is picked from five presets - 30 days, 90 days, 1 year (the default), 2 years, and 10 years - and a live line shows the exact 'valid from / to' dates before you generate.

The subject DN is assembled from standard fields: Common Name (CN, the only required field, defaulting to 'localhost'), Organization (O), Organizational Unit (OU), City/Locality (L), State/Province (ST), and a two-letter Country code (C) that is uppercased automatically and capped at two characters. Subject Alternative Names are entered as a comma-separated list (default 'localhost,127.0.0.1'); each entry is tested against the regex /^(\d{1,3}\.){3}\d{1,3}$/ and emitted as an IP SAN (GeneralName type 7) when it looks like an IPv4 address, otherwise as a DNS SAN (type 2) - which is why wildcard entries like *.local go in as DNS names. This matters because modern browsers ignore the CN for hostname matching and require the served hostname to appear in subjectAltName, so the SAN field, not the CN, is what makes the cert actually validate against a given domain.

Every generated certificate carries a fixed extension set: basicConstraints with the cA flag toggled by the 'Create as CA certificate' checkbox, keyUsage with digitalSignature and keyEncipherment always on (plus keyCertSign when CA mode is enabled), and extKeyUsage marked for both serverAuth and clientAuth, so the cert works for TLS servers and client authentication out of the box. Output is three PEM blocks rendered as copyable, downloadable text: the certificate (saved as <CN>.crt), the RSA private key (<CN>.key, flagged 'Keep Secret'), and the public key (<CN>.pub); a 'Download All' button concatenates the certificate and private key into a single <CN>-combined.pem. The in-app How-to-Use panel maps the output to https.createServer({ key, cert }) for Node.js, ssl_certificate/ssl_certificate_key for Nginx, and SSLCertificateFile/SSLCertificateKeyFile for Apache. As the page's own banner warns, these are for development and testing only - browsers will show a warning until you add the certificate to the system trust store, since no real Certificate Authority vouches for it.

Examples

  • Localhost dev cert with IP and wildcard SANs

    Keep CN as 'localhost', set SAN to 'localhost,127.0.0.1,*.local'. The tool emits 127.0.0.1 as an IP SAN and the other two as DNS SANs, picks RSA 2048-bit and 365-day validity, and gives you a .crt and .key you can pass straight to https.createServer({ key, cert }).

  • Long-lived local CA root

    Tick 'Create as CA certificate', choose 4096-bit and the 10-year (3650-day) preset. basicConstraints is set with cA=true and keyUsage gains keyCertSign, producing a root you can install in your trust store to sign other development certs.

Tips & best practices

  • Put every hostname and IP you will actually use into the SAN field - browsers ignore the Common Name and only match against subjectAltName, so a cert with just CN=localhost will still be rejected for 127.0.0.1 unless that IP is listed.
  • Save the private key (<CN>.key) at generation time; it never leaves your browser and cannot be recovered later, so losing it makes the certificate unusable and forces you to regenerate.
  • To stop the browser security warning, add the .crt to your operating system or browser trust store - no public Certificate Authority signs a self-signed cert, so it is untrusted by default.
  • Enable 'Create as CA certificate' only if you want a root to sign other certs; it sets basicConstraints cA=true and adds keyCertSign to keyUsage.

Practical scenarios

  • Local HTTPS development

    Run your dev server over HTTPS without buying a certificate or setting up Let's Encrypt locally.

  • Internal service TLS

    Encrypt traffic between internal services on a private network where public CA trust isn't needed.

  • Testing TLS configurations

    Generate throwaway certs to test server TLS settings, cipher suites, and client certificate validation.

Frequently asked questions

Will browsers trust a self-signed certificate?

Not by default. You'll see a security warning that you can bypass for development. For production, use a certificate from a trusted CA.

How long should the validity period be?

For local dev, 365 days is typical. For internal services, match your organization's certificate rotation policy.

Related tools and how they differ

  • CSR Generator: Build a PKCS#10 signing request to send to a real CA instead of self-signing; use it for production certs a browser will trust without warnings.
  • Certificate Decoder: Paste any PEM certificate to verify its subject, SANs, validity, and fingerprints; use it to confirm what you just generated.
  • PEM/DER Converter: Convert the generated cert or key into binary DER, or back to PEM; use it when Java keystores or Windows need DER input.
  • SSL Certificate Checker: Check a live site's HTTPS reachability and get an OpenSSL fetch command; use it for deployed domains, not for making a local test cert.

Further reading

  • Understanding SSL/TLS Certificates: How HTTPS Keeps the Web Secure14 min read

Private by design

This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.