Generate a self-signed X.509 certificate and a fresh private key for local dev, intranet and testing — everything runs in your browser and the key never leaves your device
One host or IP per line; entries that parse as an IP are encoded as iPAddress, the rest as DNS names.
A self-signed certificate is signed by its own private key (issuer = subject) with no CA involved, making it ideal for local development, internal services, CI testing and anywhere you need HTTPS quickly. This tool generates a fresh key pair with WebCrypto in your browser, then builds and self-signs a standard X.509v3 certificate, emitting the certificate and private key as two PEM files.
Everything runs client-side: both the key and the certificate are generated in your browser, the private key is never uploaded and no network request is made — you can confirm this in the browser Network panel. The resulting certificate parses cleanly with standard tools such as openssl x509 -text.
A self-signed certificate is signed by its own private key with no trusted root CA backing it, so browsers warn that it is untrusted by default. It suits local development, intranets and testing; public-facing sites should use a certificate issued by a trusted CA.
No. The key pair and certificate are generated in your browser with WebCrypto; the private key never leaves your device and no network request is made.
Yes. Add one host or IP per line in the SAN field; entries that parse as IPv4/IPv6 are encoded as iPAddress and the rest as DNS names, which is ideal for enabling HTTPS on localhost or an internal IP.
ECDSA (P-256 / P-384) keys are smaller with faster handshakes and are widely supported by modern clients; RSA (2048 / 3072) offers the broadest compatibility. Choose EC P-256 for local development, or RSA 2048 when older clients must be supported.