Self-signed TLS
Generate self-signed TLS certificates automatically for development and testing environments.
Automatic generation
Generate a self-signed certificate for a specific hostname using --auto-tls-host:
sidekick --auto-tls-host server.example.com \
  --health-path=/ready \
  http://backend1:8000 http://backend2:8000
Sidekick generates an ECDSA P-256 key pair and self-signed certificate valid for 365 days. The certificate includes the specified hostname in the Subject Alternative Name field. Sidekick displays the certificate fingerprint and public key hash at startup.
Multiple hostnames
Specify multiple hostnames or IP addresses in a comma-separated list:
sidekick --auto-tls-host "server.example.com,192.0.2.10,server2.example.com" \
  --health-path=/ready \
  http://backend1:8000
The generated certificate includes all specified names and addresses. Clients can connect using any of the listed hostnames or IPs.
Certificate details
The generated certificate uses these properties:
- Key type: ECDSA with P-256 curve
- Validity: 365 days from generation
- Self-signed: Certificate acts as its own CA
- Extended key usage: Server authentication
The certificate and private key exist only in memory. Sidekick does not write certificate files to disk. Restarting Sidekick generates a new certificate with a different fingerprint.
Production use
Self-signed certificates are suitable only for development and testing environments. Production deployments should use certificates signed by a trusted certificate authority. A client connecting to a server that presents a self-signed certificate must either explicitly trust that certificate or disable verification.
Use --cert and --key with certificates from a proper CA for production environments requiring trusted certificates.
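For the explicit-trust route in development, a Go client can pin the fingerprint shown at startup rather than disable verification; this is an added example, not Sidekick's own code. It assumes the fingerprint is the SHA-256 of the DER-encoded certificate (the page does not name the algorithm), and `selfSigned` and `pinnedConfig` are hypothetical names, with `selfSigned` only building constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

func selfSigned(hosts ...string) ([]byte, error) { // constructed stand-in, not Sidekick's generator
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now(),
		NotAfter: time.Now().Add(365 * 24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			t.IPAddresses = append(t.IPAddresses, ip)
		} else {
			t.DNSNames = append(t.DNSNames, h)
		}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
}

// pinnedConfig replaces chain building with a pin check: SHA-256 over the DER cert (assumed format).
func pinnedConfig(pin [sha256.Size]byte, host string) *tls.Config {
	verify := func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 || sha256.Sum256(cs.PeerCertificates[0].Raw) != pin {
			return fmt.Errorf("certificate does not match the pinned fingerprint for %s", host)
		}
		roots := x509.NewCertPool()
		roots.AddCert(cs.PeerCertificates[0]) // self-signed: the pinned leaf is its own root
		_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // dates, EKU, SAN
		return err
	}
	return &tls.Config{ServerName: host, InsecureSkipVerify: true, VerifyConnection: verify}
}

func main() {
	der, err := selfSigned("server.example.com", "192.0.2.10")
	fmt.Printf("pin %x err %v\n", sha256.Sum256(der), err)
}
```

Because a restart produces a new certificate with a different fingerprint, the pin has to be refreshed from the new startup output.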