Reputation: 13902
I am running a local HTTPS server, using a self-signed certificate. As far as I understand, there are 2 parts to it: one is the actual certificate, and the other is the private key required by the server to set up HTTPS.
Currently, both my certificate and private key are in a folder inside the server root, and both file paths are hardcoded in the server configuration. These are also pushed to source control, so anybody who has access to source control would be able to read both the certificate file and the private key file. This does not sound like a good idea. Is it OK to have such a setup in a development environment?
Would it be a good practice to keep the private key outside the web root and only pass the path to the private key at runtime?
Would it be a good practice to password protect the private key and then push the private key to source control?
Upvotes: 0
Views: 1133
Reputation: 180065
A private key that means something from a security standpoint shouldn't go in source control.
A private key that's only used for non-sensitive data in local development is fine to go in source control. After all, it's fairly common practice to do local development without HTTPS at all. Someone on your internal network snooping and finding out that "Kermit the Frog" wrote a blog article titled "Blah blah blah testing one two three" isn't a problem.
Upvotes: 1
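As an added example, not code from either post: a small startup check for the second option in the question (key kept outside the web root, path supplied at runtime), plus a scan that can run as a pre-commit check so a PEM private key never reaches source control. The environment variable names `TLS_CERT_FILE` / `TLS_KEY_FILE` and the web root location are assumptions.

```python
"""Startup checks for a TLS private key supplied at runtime (added example).

Assumptions: the server takes its cert/key paths from TLS_CERT_FILE and
TLS_KEY_FILE (names chosen here, not from the question) and knows its web root.
"""
import os
import stat
from pathlib import Path

# PKCS#1 ("RSA PRIVATE KEY"), PKCS#8 ("PRIVATE KEY") and EC keys all share this marker.
PEM_KEY_MARKER = b"PRIVATE KEY-----"


def key_path_issues(key_path: str, web_root: str) -> list:
    """Return a list of problems with the key's location and mode; empty means OK."""
    issues = []
    key = Path(key_path).resolve()   # follow symlinks before comparing locations
    root = Path(web_root).resolve()
    if not key.is_file():
        return [f"private key not found: {key}"]
    if key == root or root in key.parents:
        issues.append(f"private key {key} is inside web root {root}")
    mode = stat.S_IMODE(key.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):   # anything beyond owner-only is a finding
        issues.append(f"private key {key} is group/world accessible (mode {mode:04o})")
    return issues


def find_private_keys(tree: str) -> list:
    """Scan a checkout for PEM private keys; any hit is a key about to be committed."""
    hits = []
    for path in Path(tree).rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            head = path.read_bytes()[:4096]   # the PEM header sits at the top of the file
        except OSError:
            continue
        if PEM_KEY_MARKER in head:
            hits.append(str(path.relative_to(tree)))
    return sorted(hits)


def load_tls_paths(web_root: str) -> tuple:
    """Read cert/key paths from the environment and refuse to start on a bad key setup."""
    cert = os.environ["TLS_CERT_FILE"]
    key = os.environ["TLS_KEY_FILE"]
    problems = key_path_issues(key, web_root)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return cert, key
```

Running `find_private_keys` over the repository in a pre-commit hook catches the case the question describes, where the key file sits in the tree and gets pushed along with everything else.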