Passkey registration breaks after moving off localhost.
A user reports that WebAuthn passkey registration works on localhost but fails after moving the app to a custom local domain served with a self-signed TLS certificate. navigator.credentials.create() throws 'NotAllowedError: WebAuthn is not supported on sites with TLS certificate errors', which means the browser does not trust the certificate. The user is also unsure about the relying party ID (rp_id) and expected origin: they believe a port does not belong in rp_id, yet report that registration only succeeds when the port is included. This is a development-environment configuration problem, not a security vulnerability.
AI Analysis
Technical Summary
The registration fails inside navigator.credentials.create(), before any response reaches the relying-party server: Chromium-based browsers refuse to run WebAuthn on an origin whose TLS certificate has validation errors, and a leaf certificate signed with a throwaway openssl key is not in the browser's trust store no matter how correct its subjectAltName and extended key usage are. localhost did not hit this because browsers treat localhost as a potentially trustworthy origin; a hosts-file domain such as testsite.com gets no such exemption and is subject to full certificate validation. The server settings quoted in the post are the ones the WebAuthn specification calls for: the RP ID is a bare domain (testsite.com, no scheme and no port), and the expected origin is the complete origin including the port (https://testsite.com:3000). The browser hashes the RP ID into the rpIdHash field of the authenticator data and records the full origin in clientDataJSON, so a server that puts the port into its RP ID computes a hash that can never match what a browser produces, and a server that expects an origin without the port rejects every response coming from port 3000. The report that a port in the RP ID makes registration work is not explained by the specification and should not be relied on; the untrusted certificate is the cause to fix first.
Potential Impact
The impact is limited to development and testing environments that serve a custom domain with a self-signed certificate. The browser refuses to create credentials there, so passkey registration cannot be tested end to end. Nothing in the post indicates a vulnerability or an exploitable condition in production, where a CA-issued certificate removes the problem. This is a developer-experience issue, not a security threat.
Mitigation Recommendations
Serve the development domain with a certificate the browser actually trusts. The cleanest route is mkcert, which installs a local CA into the OS and browser trust stores and issues leaf certificates for names such as testsite.com; the self-signed certificate can alternatively be imported into the trust store by hand, but a locally trusted CA is easier to maintain and rotate. Keep rp_id = testsite.com and rp_origin = https://testsite.com:3000: the port belongs in the expected origin and never in the RP ID, and a server configured the other way cannot pass the rpIdHash and origin checks for responses a specification-conformant browser produces. In production, use a CA-issued certificate for the real domain. No patch applies; this is a configuration and environment issue.
Reddit Discussion
Was prototyping passkeys with @simplewebauthn and everything worked on localhost.
Moved the app to a real domain on the same port (https://testsite.com:3000, added it to my hosts file), and now navigator.credentials.create() throws:
NotAllowedError: WebAuthn is not supported on sites with TLS certificate errors.
The cert is self-signed (openssl, subjectAltName=DNS:testsite.com, serverAuth, etc.). On the server rp_id = testsite.com and rp_origin = https://testsite.com:3000.
Weirdly it does register if I leave the port on the rp_id, which I'm pretty sure is wrong.
Is this purely the self-signed cert being untrusted, or am I also doing the rp_id/origin wrong?
What's the clean way to get passkey registration working on a custom local domain?
Technical Details
Source Type
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a1feddde29bf47b50929ced
Added to database: 6/3/2026, 9:03:25 AM
Last enriched: 6/3/2026, 9:03:29 AM
Last updated: 6/4/2026, 6:05:38 AM
Views: 15