Generate self-signed TLS certificates with custom CN, validity, and key size configuration. Part of the DevTools Surf developer suite.
Use Cases
Generate a self-signed certificate for local development HTTPS without trusting a public CA.
Create test certificates for integration testing of TLS-dependent code.
Generate a certificate with specific SAN entries for internal service-to-service mTLS.
Learn certificate structure by generating and inspecting the output before deploying to production.
Tips
Set the Subject Alternative Name (SAN) extension correctly — Chrome and other modern browsers ignore the Common Name (CN) field and require the hostname to be in the SAN extension.
Generate a new key pair for each certificate rather than reusing an existing one; key reuse across certificates increases the blast radius of a compromised private key.
Self-signed certificates are appropriate for development and internal services; for public-facing services, use a CA-signed certificate (Let's Encrypt is free).
Fun Facts
Let's Encrypt, the free CA that has issued over 3 billion certificates since its 2015 launch, dramatically reduced the cost barrier to HTTPS adoption — helping push HTTPS usage from 40% to over 95% of web traffic by 2023.
The maximum validity period for publicly trusted TLS certificates was reduced from 3 years (2015) to 2 years (2018) to 1 year (2020) by browser root programs, and Apple proposed a 47-day maximum validity in 2024.
The Heartbleed vulnerability (CVE-2014-0160) in OpenSSL allowed private key extraction from live servers, triggering one of the largest certificate revocation and reissuance events in internet history — affecting over 500,000 servers.
FAQ
Why does my self-signed certificate show a browser warning?
Browsers trust only certificates signed by CAs in their root store. Self-signed certificates are not in the root store. To suppress the warning in development, add the certificate to your OS/browser's trusted certificate store manually.
What key size should I use for a new TLS certificate?
RSA-2048 is the current minimum. RSA-4096 is safe but slower. ECDSA P-256 offers equivalent security to RSA-3072 with a smaller key size and faster handshakes; it is the preferred algorithm for new deployments.
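The SAN and key-pair tips and the key-size answer above, combined in an added example (not this tool's own code). It assumes the openssl CLI, version 1.1.1 or later; the function names, file names and host names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the openssl CLI, 1.1.1 or later (needed for -addext).

# make_cert DIR NAME HOST DAYS [SAN]
# Creates DIR/NAME.key (a fresh ECDSA P-256 key) and DIR/NAME.crt (self-signed).
# Runs in a subshell so the umask and variables do not leak to the caller.
make_cert() (
  dir=$1 name=$2 host=$3 days=$4 san=${5:-}
  umask 077                                  # key file readable by owner only
  set -- req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
         -nodes -sha256 -days "$days" -subj "/CN=$host" \
         -keyout "$dir/$name.key" -out "$dir/$name.crt"
  if [ -n "$san" ]; then
    set -- "$@" -addext "subjectAltName=$san"
  fi
  openssl "$@" 2>/dev/null
)

# cert_san_has_host CERT HOST: succeeds only if HOST is a DNS entry in the SAN.
# The CN is deliberately not consulted, matching modern browser behaviour.
cert_san_has_host() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//' |
    grep -Fx "DNS:$2" >/dev/null
}

# cert_pubkey_sha256 CERT: SHA-256 of the certificate's public key (PEM form).
# Two certificates that print the same value share one key pair.
cert_pubkey_sha256() {
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Demo with constructed names: one CN-only cert, one with a proper SAN.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" cn-only dev.internal.test 30
make_cert "$demo_dir" with-san dev.internal.test 30 \
  "DNS:dev.internal.test,DNS:localhost,IP:127.0.0.1"
for c in cn-only with-san; do
  if cert_san_has_host "$demo_dir/$c.crt" dev.internal.test; then
    echo "$c: hostname found in SAN"
  else
    echo "$c: hostname missing from SAN (browsers will reject it)"
  fi
  echo "$c: public key sha256 $(cert_pubkey_sha256 "$demo_dir/$c.crt")"
done
```

The two fingerprints differ because each call generates its own key pair; running `cert_san_has_host` in CI is a quick way to catch CN-only certificates before they reach a browser.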