Generating the self-signed certificate

Generate a self-signed certificate using the openssl command:

openssl req -nodes -new -x509 -keyout localhost.pem -out localhost.pem -days 365

In this case the key and the certificate itself will be in the same ./localhost.pem file.

Installing the new certificate using ca-certificates

Copy the certificate to /usr/share/ca-certificates/localhost.crt, then set the correct permission. Then use the dpkg-reconfigure to list and enable the certificate.

sudo cp ./localhost.pem /usr/share/ca-certificates/localhost.crt
sudo chown $USER /usr/share/ca-certificates/localhost.crt
sudo dpkg-reconfigure ca-certificates

After running the last command you will see a “ca-certificates configuration” window, use the below answers:

Trust new certificates from certificate authorities? yes

Certificates to activate: mark localhost.crt (space bar mark the item)

Then finally use Tab to go to the OK button and press Enter.

A done. message will be printed, now your certificate is trusted and can be used locally.

Using the certificate

Now you can normally use the certificate, below an example of HTTP server using the ssl module in Python.

import http.server, ssl

server_address = ('localhost', 443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket,
print('Running server at https://localhost')

Save this to then execute it.

sudo python3 ./
# Running server at https://localhost

Then call the server, it will show you a directory listing of the root server directory.

curl https://localhost

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>