How to use self-signed certificates?

If you want to use https in your local dev setup and you don't want to generate public certificates with Let'sEncrypt or something similar.
NEVER use self-signed certificates in production unless you absolutely know what you are doing!

Entities you should be aware of:

private CA - a private certificate authority that can generate TLS certificates. Since this is not a publicly recognized CA, its certificates will not be respected by (almost) anyone - but you can teach OPAL to respect that CA's certificates.
localserver - a local program running with https:// signed with a certificate that was generated by the "private" CA.
opal-client - can be directed to fetch data from localserver, can be told to respect the private CA's certificates

openssl genrsa -des3 -out ca-private-key.key 2048

openssl req -x509 -new -nodes -key ca-private-key.key -sha256 -days 365 -out ca-public.crt

openssl genrsa -out localserver-private.key 2048

Generate a certificate request signed by the "localserver" private key. NOTE: you must specify the FQDN to be the host of the (self-signed) https service, e.g: localhost

openssl req -new -key localserver-private.key -out localserver-request.csr

Your "private" CA self-signs on the certificate request and generates a valid self-signed certificate

openssl x509 -req -in localserver-request.csr -CA ca-public.crt -CAkey ca-private-key.key -CAcreateserial -out localserver-cert.crt -days 365 -sha256

uvicorn myservice.main:app --reload --port=8000 --ssl-keyfile=localserver-private.key --ssl-certfile=localserver-cert.crt

Run OPAL server with:

OPAL_DATA_CONFIG_SOURCES='{"external_source_url":"https://localhost:8000/opal/data/config"}'

Run OPAL client with:

OPAL_CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED=true
OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE=/path/to/ca-public.crt

If you run OPAL client with docker - don't forget to mount /path/to/ca-public.crt on a docker volume.