Am I correct that I will use a different SSL certificate (e.g., a self-signed certificate) for localhost development than I will use for production hosting because the localhost certificate will be for the localhost domain only and the production SSL certificate will be for the production domain only?
Yes, a certificate is issued for a specific domain, and certificate for example.com will not work for example.org (unless the certificate was issued for the two domains). Also, you cannot get a Certificate Authority to issue a cert for localhost at all, because you cannot “prove” that you own localhost.
But the bigger question is… WHY do you even need HTTPS/SSL for localhost at all? HTTPS is meant to protect data in transit. If you’re developing on your local computer, why do need this at all? What am I missing?
@gappiah, thanks for the quick response. I wasn’t sure whether I needed separate certificates for localhost and production hosting because I’m just learning about SSL certificates. Thanks for confirming that my understanding about needing two separate certificates for localhost and production (in most situations) is correct.
The reason I believe I need a certificate for localhost is so that all of the content permalinks on the localhost version of my WordPress website will be https://localhost instead of http://localhost. From my research I’m under the impression that it’s a pretty onerous task to change all of the permalinks on production hosting from http: to https:. That’s the only reason I wanted to use an SSL certificate on localhost.
I am very comfortable doing a manual copy of an http: localhost WordPress website to production hosting (or staging, for that matter). I use the DB Search & Replace plugin to find all occurrences of “localhost” in the production hosting MySQL database to fix content permalinks. Is replacing all occurrences of http: with https: as simple as replacing “localhost” with the actual production domain name (e.g., “example.com”) using a tool like DB Search & Replace? If that’s the case then I don’t see any reason to use an SSL certificate for localhost development – unless I’m missing some other reason to use an SSL certificate for localhost development.
What’s your recommendation?
The way I handle this is to ask the client to provide the domain’s SSL certificate files, and I’ll then install the certificate/key in my dev system’s webserver. I then access the domain by adding a virtualhost to my dev system’s webserver configuration, and an entry to my local system’s HOSTS file. In that way I can securely develop the site using the correct domain information. Not only does this eliminate the need for migration plugins, it also provides a way for the client to inspect the site before it goes live.
This method will also work on pure localhost setups, with the exception that the client will not be able to access the dev site.
@diondesigns I appreciate the detailed explanation of how you do local WordPress HTTPS development. As I have mentioned in my earlier posts, I am new to SSL certificates. Once you are finished developing your client’s website locally using their SSL certificate, do you leave it installed on your local development webserver and use it again on the production hosting server? I’m assuming this would work since the local development environment isn’t visible on the public Internet via DNS. Is this correct?
Moderator
Yui
(@fierevere)
永子
Its advised to do not use “localhost”
You can use c:\Windows\System32\Drivers\etc\hosts file on Windows,
or /etc/hosts on unix’s to define any domain for your site
(address can be 127.0.0.1)
Certificate – self signed, or valid signed certificate issued for real host.
For transferring you have to check for serialized data too.
Therefore, replace hostname with https://wordpress.org/plugins/better-search-replace/ (live site) or create a package for transfer with https://wordpress.org/plugins/duplicator/
After I hand over the site to the client, I delete the client’s SSL certificate on my dev server. These days most SSL certificates have limited lifetimes (90 days or less), so if the need arises for additional work, I will request fresh certificate files. I also remove the virtualhost from the webserver configuration after I make a backup, and will remove the entries in my local system’s HOSTS file.
The process of handing over the site is dependent on whether I was involved in the original setup. If so, I’ll insure the website is functional before migrating the files/database. If not, the client must first have a working website, even if the site is nothing more than a placeholder “under construction” page.
@diondesigns, is your dev server a localhost installation using something like WampServer (or its Mac and Linux equivalents) or a dedicated physical or virtual server that you use for dev work? I am currently using a localhost installation of WampServer.
@fierevere, I have always used localhost as the domain name and never used the Windows HOSTS file to define the production hosting domain name when doing local WordPress development. The reason is because I used a plugin that does the same thing as Better Search and Replace (it’s called DB Search & Replace) that replaces all occurrences of localhost with the production hosting domain name while preserving content data serialization. Is there a reason you suggest not using localhost as the domain name when doing local dev work?
Also, am I understanding you correctly that I can use a self-signed SSL certificate to do local WordPress dev on my WampServer inatallation, then copy the completed website to production hosting and replace the self-signed SSL certificate with the production hosting SSL certificate?
My dev server is a Linux VPS, but I also maintain a Windows localhost server to insure code compatibility across platforms. The dev server has a custom domain (let’s call it dewdomain.com) with a wildcard Let’s Encrypt certificate. The Windows localhost server uses the dev server’s certificate with a subdomain of the dev server (local.devdomain.com). I set up a task in the Windows task manager to use PuTTY’s PSFTP program to download the certificate file once a week.
While they are very good Windows localhost solutions, I don’t use Wampserver/Xampp/etc because I’m experienced enough to install Apache, PHP, and MariaDB from their Windows build repositories, and set up their configurations manually. I also don’t use or recommend tunneled localhost applications (such as local by flywheel) on Windows systems…they’re massive, slow, and can conflict with some Windows 10 dev tools.
@diondesigns I kinda’ figured you had a “from scratch’ development setup. Thanks for sharing your configuration with me. It helps me understand how to deal with the SSL certificates used for both localhost and production hosting.
