Hi Brian,
It is secure on localhost. Using such self-signed certs are at least as secure as the CA signed ones, since it uses the same encryption technology. The self-signed certs are just not publicly trusted by EVERYONE during a??You may add your to the browser's root certificate store, if that red sign bothers you. Maybe you could use rather tool like mkcert to create one and you may use it with the Client gateway app. Look for the jks file in app and replace it with one created by mkcert.
We use such self-signed cert mechanism for our app (quantdroid.com) in the localhost communication. Even the communication is only on localhost, and such self-signed certs are mostly used nowadays, because there are browsers like Chrome (maybe chromium based, so the Edge) that by default enforces https communication (and CORS mechanism) and it would be an extra effort for the users (~mostly developers who uses them) to start the browser in insecure mode or hack it with settings.
hope it helps,
David
