For many years I've never really understood SSL certificates. Sure I get why we need them, but why do I need one when developing on my local machine. But things came to a head last week when I needed to replicate a bug in production that we weren't seeing locally.
Steps to replicate
- Navigate to the checkout page.
- Enter a credit card number (use a test one stored in Chrome)
Expected behaviour
- Browser displays card number, expiry date and CVC
Actual behaviour
- Browser only displays card number
Without going in to too much detail, some javascript wasn't firing when the browser pulled the card details from its secure store. We had javascript running onclick ontab onblur on pretty much every event except this one.
Browsers will not offer to use a card it has stored unless running on SSL with a trusted certificate.
So I needed an SSL certificate, but not one, six. I am working on a white labelled site which runs on many URLs. So I created a Powershell script.
This script will....
- create an SSL certificate
- save it to disk
- add it to your personal certificate store on your local machine
- create HTTPS bindings in IIS using the certificate
Now, this much I had figured out before. I had created on and told IIS to use it when serving my local site, yet still honking warnings were displayed by my browser. The bit that finally clicked for me was when I realised as this is local dev my machine is both creator and consumer (server and client) of the certificate. So, although my server (IIS) was correctly serving the cert, my browser had to be forced to trust the cert (as this was only a locally created cert).
Once I had added the certificate to the browsers trusted certificate store I finally had a green, secure site on local.mysite.com.
The full script is available over on GitHub. If it saves you a few minutes, drop a note in the comments to let me know.