I need to use SSL in a local network and I want to avoid browser invalid certificate errors.
My idea is to generate a self-signed certificate and then use certificate pinning (HPKP), so that the browser is told only this certificate can be trusted?
I am currently exploring all options related to this idea. I have tested with a self-signed certificate and an HPKP header (Public-Key-Pins) with a value like:
"pin-sha256="somedataencodedbase64=";pin-max-age=10;includeSubDomains"
The browser does not accept it as secure. I still need to finish this test (with a different self-signed certificate, and I need to make sure that the SPKI is calculated properly ...).
Now my questions are:
Are self-signed certificates issued for a given local host name (e.g. mylocalserver) and pinned in the server response even valid? Will this even work?
Does certificate pinning work for local host names (or does this mean it only works with domain names)?
Does the pinned certificate first have to be valid or trusted by a CA (this would mean self-signed certificates can not be pinned, unless they are added to the trust store on the client)?
What would be the simplest other way to have valid SSL locally, so I do not need to configure the client (client trust store)?
Can we see certificate pinning as an alternative to a trusted CA? I read somewhere it is just additional, so this means the certificate chain needs to be valid first, then you can pin it?
I also wonder more and more whether this idea will even work, because otherwise we would see more use of this technique. Everyone would generate a self-signed certificate and just pin it ... and save a few bucks on a CA-trusted certificate ... Or what am I getting wrong or right about the whole concept?
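Added example, not part of the question or of any answer: a shell script that generates a throwaway self-signed certificate for the hostname from the question and derives the pin-sha256 value the way HPKP (RFC 7469) defines it, base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo, plus the backup pin the RFC requires before a browser will honour the header. It assumes the openssl command-line tool and mktemp are available; the key sizes, CN and temp paths are constructed sample material.

```shell
#!/bin/sh
# Added example (not from the question): compute HPKP pin-sha256 values with openssl.
# The pin covers the SubjectPublicKeyInfo (the public key), not the whole certificate,
# so a renewed certificate for the same key keeps the same pin.
set -eu

# Pin from a PEM certificate: extract SPKI as PEM, re-encode as DER, hash, base64.
spki_pin_from_cert() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# Pin from a PEM private key: derive its SPKI; must equal the certificate's pin
# for the key that signed it, and is how a backup pin is computed for a key
# that is not (yet) in any certificate.
spki_pin_from_key() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# A common mistake is hashing the whole certificate (its fingerprint). Computed
# here only so it can be compared against the correct SPKI pin.
cert_fingerprint_b64() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | openssl base64
}

# Constructed sample material: self-signed RSA cert for CN=mylocalserver, valid 1 day,
# and a separate EC key to serve as the backup pin.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=mylocalserver" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/backup.pem" 2>/dev/null

PIN=$(spki_pin_from_cert "$WORK/cert.pem")
BACKUP_PIN=$(spki_pin_from_key "$WORK/backup.pem")

# Header as RFC 7469 spells it: directive is max-age, and at least two pins are
# needed (one matching the chain, one backup) or the UA ignores the header.
echo "Public-Key-Pins: pin-sha256=\"$PIN\"; pin-sha256=\"$BACKUP_PIN\"; max-age=10; includeSubDomains"
```

Compare the printed pin with `spki_pin_from_key key.pem` when debugging: if they differ, the certificate was not issued for the key you think, which is the kind of SPKI calculation mistake the question mentions.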