When generating a self-signed certificate using keytool, can I use an IP address for the Common Name?

Once I generated the certificate, I exported it so I can install it in my clients/browsers. In Windows, I ran mmc.exe and added it as a Trusted Root Certificate Authority.

However, when I navigate to the IP address in my browser, it is still an untrusted connection. I ensured Tomcat had all the correct Connector settings.

Am I doing this correctly? Do I need to be my own CA? How can I use SSL for development purposes? I'm still trying to understand SSL completely.

+1  A: 

First question: if you'll be connecting by IP, then yes.

Second question: No, you don't install your self-signed certificate as a CA, you just add an exception when your browser warns you that it's self-signed.

You can set up a CA — you generate a root certificate first, install it in the client, and then generate a CSR and then a server certificate from it (see e.g. this), but for development purposes this is a complete waste of time.

PiotrLegnica
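
An added example, not part of the question or the answer above: current browsers match an IP address in the URL against an `ip:` subjectAltName entry rather than the Common Name, so this generates the development certificate with both set. The alias `tomcat`, the file names and the password `changeit` are placeholder assumptions, and only IPv4 addresses and host names are handled.

```shell
#!/bin/sh
# Added example (not from the original post). Alias, file names and the
# password are placeholders for a local development setup.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
is_ipv4() {
  case $1 in
    '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split the address into its octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# san_ext HOST: print the keytool -ext value for HOST. IP addresses need an
# "ip:" SAN entry; a "dns:" entry is never matched against an IP in the URL.
san_ext() {
  if is_ipv4 "$1"; then
    printf 'SAN=ip:%s\n' "$1"
  else
    printf 'SAN=dns:%s\n' "$1"
  fi
}

# make_dev_cert HOST [KEYSTORE]: create the key pair and export the certificate.
make_dev_cert() {
  host=$1 ks=${2:-dev-keystore.p12} pass=changeit
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -storetype PKCS12 -keystore "$ks" -storepass "$pass" -keypass "$pass" \
    -dname "CN=$host" -ext "$(san_ext "$host")" || return 1
  keytool -exportcert -rfc -alias tomcat -keystore "$ks" -storepass "$pass" \
    -file dev-cert.pem || return 1
  # Confirm the SubjectAlternativeName extension before importing the file.
  keytool -printcert -file dev-cert.pem
}

# Usage: make_dev_cert 192.168.1.10
```

The `-printcert` output should list a `SubjectAlternativeName` extension containing the IP address; if it is missing, the browser will report a name mismatch even after the certificate is trusted.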