Bobby Bonestell edited this page May 13, 2026 · 2 revisions

SelfCertForge

A desktop app for generating and managing self-signed certificates and root certificate authorities — on macOS and Windows

Warning

Certificates generated by SelfCertForge are self-signed and are intended for local development, home labs, and internal tooling only. They should never be used in production or public-facing environments.

What is SelfCertForge?

SelfCertForge is a tool that makes it easy to build and manage your own local certificate infrastructure without OpenSSL commands, scripts, or deep PKI knowledge.

It's designed for developers, home lab enthusiasts, and internal tool builders who need real TLS certificates in environments they control: custom local domains, localhost HTTPS, internal APIs, dashboards, and more.

The app gives you a full workflow in one place:

  • Create a Root Certificate Authority (CA) as your own trusted root
  • Install your root CA into the macOS or Windows system trust store
  • Sign child certificates from that root CA
  • Track certificate expiry and rotate certs as needed
  • Export in multiple formats for use across your stack

The Trust Model

SelfCertForge is built around a two-tier certificate hierarchy:

Root CA  (long-lived · trusted by the OS)
  ├── Signed Certificate  (≤398 days · trusted by chain)
  ├── Signed Certificate
  └── ...

Trust once, generate and rotate freely

When you install a root CA into your operating system's trust store, every certificate signed by that root is automatically trusted — no additional configuration needed. This is the same model used by commercial certificate authorities like DigiCert or Let's Encrypt.

By creating a long-lived root CA (10+ years), you establish trust once. After that, you can generate, renew, or replace child certificates as many times as you need — and every device or application that trusts your root will accept the new certificates automatically.

Important

Browsers and operating systems enforce a maximum validity period of 398 days for SSL/TLS certificates. Certificates with a longer validity will be rejected by Chrome and Apple platforms. This makes annual (or more frequent) rotation of child certificates a hard requirement — not a best practice.

See: Chromium certificate lifetime policy · Apple TLS certificate requirements

This 398-day limit is precisely why the root CA model is so valuable: rather than re-trusting a new certificate every year in every browser and OS, you trust your root once and rotate child certs freely underneath it.

This is the core workflow SelfCertForge is optimized for:

  1. Create a root CA with a long validity period (e.g. 3650 days / ~10 years)
  2. Install the root CA into your OS trust store once
  3. Issue signed child certs with a validity of ≤398 days for each service or domain
  4. When a child cert nears expiry, forge a replacement — no re-trust required

Note

For a deeper look at why this approach works and when to use it, see Understanding Root CAs and the Trust Chain.
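The four-step workflow above, written out as an added example in Go's standard crypto/x509 package. This is not SelfCertForge's own code (the app exposes no API on this page); it shows what the app does for you: a 3650-day root CA, a 398-day server certificate with Subject Alternative Names signed by that root, a chain check performed the way a client that trusts only the root would perform it, and a guard for the 398-day ceiling. The function names (BuildHierarchy, VerifyChain, WithinLeafLimit), the subject "Home Lab Root CA", the SAN dev.local and the one-hour backdate are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MaxLeafLifetime is the 398-day ceiling Chrome and Apple platforms enforce on TLS leaf certificates.
const MaxLeafLifetime = 398 * 24 * time.Hour

// Hierarchy is the page's two-tier model: one long-lived root and one leaf signed by it.
type Hierarchy struct {
	Root, Leaf       *x509.Certificate
	RootKey, LeafKey *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key for tmpl and has parent sign it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial rather than a counter, as CA baseline requirements demand.
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy creates a root CA valid for rootDays and a server certificate for the given SANs
// valid for leafDays, signed by that root. Times are UTC so the day arithmetic is exact.
func BuildHierarchy(rootDays, leafDays int, dnsNames []string, ips []net.IP) (*Hierarchy, error) {
	if len(dnsNames) == 0 {
		return nil, fmt.Errorf("at least one DNS SAN is required")
	}
	notBefore := time.Now().UTC().Add(-time.Hour) // small backdate tolerates clock skew (assumption)
	root, rootKey, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Home Lab Root CA", Organization: []string{"Home Lab"}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, rootDays),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // pathlen 0: this root signs end-entity certs only, never intermediates
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, leafKey, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames, // clients match the hostname against SANs, not the CN
		IPAddresses:           ips,
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, leafDays),
		BasicConstraintsValid: true, // with IsCA false this marks an end-entity certificate
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Leaf: leaf, RootKey: rootKey, LeafKey: leafKey}, nil
}

// VerifyChain checks the leaf as a client trusting only the root would: chain, SAN hostname, validity at `at`.
func VerifyChain(h *Hierarchy, hostname string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(h.Root)
	_, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: at})
	return err
}

// WithinLeafLimit reports whether a certificate's validity period respects the 398-day ceiling.
func WithinLeafLimit(c *x509.Certificate) bool {
	return c.NotAfter.Sub(c.NotBefore) <= MaxLeafLifetime
}

func main() {
	h, err := BuildHierarchy(3650, 398, []string{"dev.local"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		panic(err)
	}
	fmt.Println("within 398 days:", WithinLeafLimit(h.Leaf), "| chain error:", VerifyChain(h, "dev.local", time.Now()))
}
```

The `Verify` call with a pool holding only the root models what the operating system does after step 2: nothing about the leaf is trusted on its own, and a leaf minted by any other root, a hostname not listed in the SANs, or a check dated past `NotAfter` all fail. Issuing a replacement leaf (step 4) is a second `issue` call against the same `root` and `rootKey`; the pool, and thus the OS trust store, does not change. That is also why `RootKey` deserves the same protection as the trust store itself: whoever holds it can sign certificates that every device trusting the root will accept, so keep it off shared machines and out of repositories.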

Features

  • Root CA creation: generate a root certificate authority with configurable subject fields, key size, and validity period
  • Signed certificate generation: issue child certificates signed by one of your root CAs, with full Subject Alternative Name (SAN) support
  • Trust store management: install or remove root CAs from the macOS or Windows system trust store directly from the app
  • Export formats: export certificates and keys as PEM, DER, PFX (PKCS#12), or P7B
  • Dashboard: at-a-glance overview of your CAs, signed certificate counts, and recent activity
  • Expiry tracking: visual status indicators for certificates that are valid, expiring soon, or expired
  • Standard X.509 fields: configure Subject (CN, O, OU, L, ST, C), Subject Alternative Names, Key Usage, Extended Key Usage, and key size

Platforms

Platform   Supported
macOS      Yes
Windows    Yes

Download

Get the latest release for your platform:
