I figure you could create the CA, have your browser trust it, create and sign your localhost cert, and then nuke the CA private key so no other carts may be signed.

It'd be annoying if you need to make a new localhost certificate, but totally manageable.