Ask HN: Why shouldn't I set up a site that gives away SSL certs for local dev?

1 point by mrmattyboy over 2 years ago

TLDR - Fundamentally, what's wrong with hosting a service that provides its own SSL cert (public and private) for others to use for local development?

For quite a few projects, I use a standard domain for which I have the SSL certs.

Some of these projects require an SSL certificate to function (maybe for external requirements etc.)

To onboard people to the project, asking them to get a valid SSL certificate can be a pain..

Obviously getting them to create a CA certificate, generate a server cert etc. and adding the CA cert can be a pain.

So my thought was to share a common set of keys that are only used for local development for a non-functioning domain.

But I took this thought a step further... why shouldn't there be (or I create) a service hosted on a real domain, which provides its own SSL certificate - providing the public and private key to anyone that requests it (e.g. https://mylocaldev.com/public.pem / https://mylocaldev.com/private.pem).

Maybe the certificate could be for a sub-domain of the actual domain, which doesn't host the actual 'site' that provides the certs (e.g. https://mylocaldev.com/certs.pem provides the certs for https://dev.mylocaldev.com)

This way, anyone could obtain the SSL cert, add the domain to their hosts file and use the certs for hosting apps locally.

Obviously, standard points:

* This is a blatant issue for MITM attacks

  - But what would they be intercepting.. the public/private key?.. who cares?

* The SSL traffic generated by the applications that people use the certificate for could be 'MITM'ed or decrypted

  - Again, if it's local development, I can't see a difference over hosting local applications without any SSL encryption

Maybe I'm missing something else? If not, how has something like this not already been done?

On the flip side, am I right in thinking this _would_ solve real-life problems that people face?

Certainly feels easier than using tunneling software that SSL-wraps the traffic (https://github.com/localtunnel/localtunnel) - though obviously this is only a small benefit of using applications like that (i.e. making your local development environment publicly accessible).

2 comments

mytailorisrich over 2 years ago

People can generate certificates as they please, including for public domains.

The only thing well-known CAs bring is that they work out of the box in browsers/OSs as they act as trusted third parties, but you can add your own CA to your browser/OS if you wish. No sharing of private keys involved.
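
The own-CA approach from the comment above, as an added example that is not part of the thread: each developer generates a CA and server certificate locally, so no private key is ever published. It assumes the openssl CLI is installed and uses the post's illustrative hostname dev.mylocaldev.com; the file names, lifetimes and the name-constraint hardening are choices made for this example.

```shell
#!/bin/sh
# Added example: per-developer CA and server certificate for local HTTPS.
# Assumptions: openssl CLI on PATH; hostname and file names are illustrative.

make_dev_cert() (
    dir=$1 host=$2
    umask 077                       # key files are created owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1

    cat > openssl.cnf <<EOF || exit 1
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Local Dev CA
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign
# If ca.key leaks, it can only vouch for the dev hostname, not other sites.
nameConstraints = critical,permitted;DNS:$host
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # 1. CA key and self-signed CA certificate; ca.key stays on this machine.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config openssl.cnf \
        -extensions v3_ca -keyout ca.key -out ca.pem || exit 1

    # 2. Server key and CSR for the dev hostname.
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=$host" -keyout server.key -out server.csr || exit 1

    # 3. Sign the CSR with the local CA (short lifetime, serverAuth only).
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 90 -sha256 -extfile openssl.cnf -extensions v3_leaf \
        -out server.pem || exit 1
)

# Check chain and hostname the way a TLS client trusting ca.pem would.
verify_dev_cert() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver \
        -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# Usage: make_dev_cert "$HOME/.local-dev-ca" dev.mylocaldev.com
```

Only `ca.pem` is imported into the OS or browser trust store, and the hostname is mapped to 127.0.0.1 in the hosts file as the post describes; `ca.key` and `server.key` are never distributed.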
detaro over 2 years ago
Anyone can immediately revoke your cert.