On 3/8/20 9:05 am, Alexander Carôt wrote:
>> I repeat: whatever you do, don't ship a private key.
> All right - will consider alternative ideas.

Consider generating your own root CA certificate and asking your users to install that in their browser. Then sign the site certificate (for a non-existent, non-registerable domain) with that.

Hamish
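The approach suggested in the message above, written out with the openssl command line as an added example that is not part of the original email. The host name app.myproduct.test (under the reserved .test TLD), the file names, key sizes and lifetimes are assumptions, and the nameConstraints restriction on the CA is an addition that limits what the installed root can vouch for in clients that enforce the extension.

```shell
# Added example; all names and lifetimes are assumptions, not from the message.
# make_ca DIR HOST: self-signed root CA restricted (nameConstraints) to HOST.
make_ca() {
    mkdir -p "$1" || return 1
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR HOST LABEL: new key and CSR for HOST, signed by the CA in DIR;
# writes DIR/LABEL.key and DIR/LABEL.crt.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null || return 1
    cat > "$1/$3.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    openssl x509 -req -sha256 -days 365 -in "$1/$3.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/$3.ext" \
        -out "$1/$3.crt" 2>/dev/null
}

# chain_ok DIR LABEL: succeeds only if DIR/LABEL.crt validates against the CA,
# which includes the CA's name constraints.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}
```

Only ca.crt is handed to users for installation; ca.key stays with whoever issues the certificates. A certificate signed by this CA for any other name fails `chain_ok` because of the name constraint.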