Why adding localhost to SAN list in considered not secured?

Question

Question on the SAN list of a certificate please.

Currently, I have a web application where mTLS, mutual TLS, two way SSL is enabled.

All my clients have the valid sets of certificates and they all pass the handshakes and are able to get the response payload when invoking my service over the web. They are all very happy.

However, as the developer, I am not able to get into my own service if mTLS is active, when running on localhost.

Hence, my immediate reaction was to ask my security team to add localhost in the SAN list.

However, they told me this is not secure and considered as bad practice to add localhost.

I tried to look at documentations online, without finding anything concrete, or that I can understand.

I do not want to disable mTLS for my local host testing. I do not want to cheat the process in anyway by deploying some sort of insecure trust.

My questions:

• Why adding localhost as entry in the SAN list is considered bad practice and unsafe?
• How can I test the app deployed on my localhost then?

Thank you

Answer 1

Why adding localhost as entry in the SAN list is considered bad practice and unsafe?

Publicly issued certificates should contain only domains which are fully controlled by the party owning the certificate. localhost is not owned by a single party and should thus not be part of a certificate issued by a public CA. But it can be part of a self-signed certificate or a certificate issued by a private, i.e. only locally trusted CA, since in this case the scope of the certificate is limited by the scope of the trust into the CA.

How can I test the app deployed on my localhost then?

It is not fully clear what exactly you want to test. But you can make your local machine appear as any domain by adding a mapping to the hosts file. This way you could access it locally by the public domain name instead of only localhost. For details see for example Adding a website to hosts file and testing it. Note that this change only affects DNS lookups on the local machine, but this is probably what you want for testing.