
Ask HN: Why would a CA revoke a cert with a public private key?

3 points by JakaJancar 8 months ago

To get working HTTPS on localhost, something I have done in the past is:

 - register myproject.dev,
 - point it to 127.0.0.1,
 - create a cert for it, and
 - just store the private key in the repo.

Every coworker can check out the (private) repo and has working HTTPS without any fuss or configuration.

There are projects like https://lcl.host, but they require installing stuff on the machine and/or modifying the browser trust configuration.

Why has nobody just registered a similar domain like lcl.host, pointed it to 127.0.0.1, and published the private key for everyone to use?

Would the CA revoke this cert? Why? Doesn't the domain owner get to define the set of servers they allow to use the cert, and if that set just happens to be everyone, so what?

Is this "there are limits to how wide you can distribute your private key" policy documented somewhere?

Looking at digicert[1], if a revocation request is submitted, the owner must approve it. What happens if I just don't approve it?

[1]: https://docs.digicert.com/en/certcentral/manage-certificates/revoke-an-issued-ssl-tls-certificate/approve--or-reject--a-certificate-revocation-request.html

3 comments

leftbehind 8 months ago

IIRC, if you have a private key you are able to force a revocation regardless of what the owner wants. In some, such as Let's Encrypt, it is fully automated.

If this is a private repo, you should realize it with a private CA that you import or that is on every corp machine.

Baseline Requirements force a revocation within x hours on key disclosure.
Comment #41642339 not loaded

akerl_ 8 months ago

This is the kind of message board logic that doesn't actually work in the real world.

The CA has to answer to the CAB if they want to stay in browser trust stores, and quite clearly a private key that's posted publicly has been disclosed.
aiaiaiaiaiai 8 months ago

Why doesn't the browser treat local loopback as secure network communication? Would save all the nonsense. Can't get more secure than not sending data over the network!