Third-Party Signed SSL Certificate for localhost or 127.0.0.1?

Without divulging TOO much information, I need to setup a web server system that is intended to be used by end users all over the internet.

the use case is such that:

end users are (usually) in their homes behind their local firewalls when connecting to the system.
The system consists of a remote server hosted by us, strictly over https (using SSL)
The authorization mechanism requires user account self-creation on the remote server which, upon successful account creation, will then require a piece of software to be downloaded and installed to the end users' computer. This software contains, among other things, a local webserver.
This "local" webserver must also only allow https connections to the user's browser.

Since the distributed software will be a unique web server on every individual users' machine, I'm unsure how or even if it is possible, to get a THIRD PARTY SIGNED SSL certificate that won't cause trustworthiness errors when the user connects to it via the web browser. Of course it can use self-signed SSL certs but the idea is to avoid the browser warnings so that the end users will implicitly "trust" data coming from their own application running its webserver over SSL.

Is this possible?

Solution

localhost

You will never be issued a proper https cert for localhost. It is strictly forbidden. Because reasons.

In short:

Misconfigured devices actually exist, in the wild, that wait for lookups before resolving localhost from /etc/hosts
If a router defines localhost.foo.local it may cause localhost to resolve incorrectly (you've probably seen this class of error before)

You can create a root certificate and then create a so-called "self-signed" certificate, signed by the root ca you created. You'll still get the ugly warning screen, but it'll work.

See https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/

2023 Update: caddy

The solutions below still apply, but caddy can make them even easier.

It can create root certificates that plug into your OS keychain, and there's a DuckDNS plugin so you could have public certs on a public or private IP via DNS validation, etc.

localhost.YOURSITE.com (points to 127.0.0.1)

In lieu of actual localhost certs, I do what Eugene suggests - create a 127.0.0.1 record on a public domain.

You can get free HTTPS certificates for localhost.YOURSITE.com via Let's Encrypt via https://greenlock.domains. Just choose the DNS option instead of the HTTP File Upload option

Point your localhost.MY-SLD.MY-TLD to 127.0.0.1

Purchase a *.localhost.example.com cert and issue each installation a secret xyz.localhost.example.com (and include it in the public suffix list to prevent attacks on example.com)
Use a greenlock-enabled app to generate such certificates on the fly (through https://letsencrypt.org) directly on the client (or pass them to the client)

If you do not get included in the PSL note that:

sessions, localstorage, indexeddb, etc are shared by domain
changing the port does not change their sharedness

Be Your Own Root Certificate

Update: with things like greenlock that use ACME / Let's Encrypt, this is no longer particularly relevant.

This is probably a really bad idea because we don't want users becoming accustomed to installing Root CAs willy nilly (and we know how that turned out for Lenovo), but for corporate / cloned machines it may be a reasonable low-budget option.