Understanding HTTPS: How It Works and How to Set It Up Locally, in Test, and in Production

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP, the protocol used for communication between a web browser and a web server. It ensures that all data exchanged is encrypted, maintaining confidentiality and integrity.

How HTTPS Works

1. TLS/SSL Encryption HTTPS uses TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer) to encrypt communication. This prevents eavesdropping and tampering.
2. Public Key Infrastructure (PKI) HTTPS relies on a public key cryptography system:
   • The server has a private key that remains secure.
   • The server provides a public key in the SSL certificate.
   • The browser uses this public key to encrypt data, which only the private key can decrypt.
3. Certificate Authority (CA) and Trust
   • Websites obtain SSL certificates from a trusted Certificate Authority (CA) (e.g., Let’s Encrypt, DigiCert).
   • Browsers trust certificates signed by these CAs.
4. TLS Handshake When a client connects to an HTTPS server:
   • The server presents its SSL certificate.
   • The client verifies the certificate.
   • Both parties agree on encryption algorithms.
   • A session key is generated for secure communication.

Setting Up HTTPS in Different Environments

1. Setting Up HTTPS Locally

For local development, you can generate a self-signed certificate or use mkcert for easier local HTTPS.

Using OpenSSL (Self-Signed Certificate)

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout localhost.key -out localhost.crt \
  -subj "/CN=localhost"

Then, configure your local web server (e.g., Apache, Nginx, Node.js):

For Node.js (Express)

const https = require('https');
const fs = require('fs');
const express = require('express');

const app = express();
const options = {
  key: fs.readFileSync('localhost.key'),
  cert: fs.readFileSync('localhost.crt')
};

https.createServer(options, app).listen(443, () => {
  console.log('HTTPS Server running on https://localhost');
});

Using mkcert (Easier Local HTTPS)

1. Install mkcert:

brew install mkcert   # macOS
sudo apt install libnss3-tools && wget -O mkcert https://dl.filippo.io/mkcert/latest/linux-amd64 && chmod +x mkcert && sudo mv mkcert /usr/local/bin/  # Linux

2. Create and trust a local CA:

mkcert -install

3. Generate local certificates:

mkcert localhost 127.0.0.1 ::1

4. Use the generated localhost.pem and localhost-key.pem in your web server.

5. Setting Up HTTPS on a Test/Staging Server

For a test environment, you can use Let’s Encrypt (staging mode) or a wildcard certificate.

Using Let’s Encrypt (Certbot)

sudo apt update
sudo apt install certbot
sudo certbot certonly --standalone -d test.yourdomain.com --staging

This generates a free SSL certificate for test.yourdomain.com.

Configuring Nginx for HTTPS

Edit /etc/nginx/sites-available/default:

server {
    listen 443 ssl;
    server_name test.yourdomain.com;
    
    ssl_certificate /etc/letsencrypt/live/test.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.yourdomain.com/privkey.pem;
    
    location / {
        proxy_pass http://localhost:3000;  # If using a Node.js app
    }
}

Reload Nginx:

sudo systemctl restart nginx

3. Setting Up HTTPS in Production

For production, use a trusted CA like Let’s Encrypt, DigiCert, or Cloudflare SSL.

Using Let’s Encrypt for a Production Server

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

This automatically configures Nginx with HTTPS.

Enabling Auto-Renewal for SSL Certificates

Set up a cron job:

echo "0 0 * * * certbot renew --quiet" | sudo tee -a /etc/crontab

Cloudflare SSL (Alternative)

If you use Cloudflare: 1. Enable “Full (Strict)” SSL mode in Cloudflare. 2. Generate an Origin Certificate in Cloudflare. 3. Upload it to your server (/etc/ssl/cloudflare.pem). 4. Configure Nginx:

ssl_certificate /etc/ssl/cloudflare.pem;
ssl_certificate_key /etc/ssl/cloudflare.key;

Environment SSL Type Setup Method Local Self-Signed or mkcert OpenSSL or mkcert Test Let’s Encrypt (Staging) Certbot + Nginx Production Let’s Encrypt, Cloudflare, DigiCert Certbot + Auto-Renewal

By implementing HTTPS across all environments, you ensure secure communication, protect user data, and build trust with your audience.

• HTTPS
• SSL
• TLS
• Web Security
• Local Development
• Production Deployment