How to Create Your Own SSL Certificate Authority for Local HTTPS Development

In 2018 Google started advocating that sites adopt HTTPS encryption, by marking sites not using an SSL certificate as “not secure” in their Chrome browser. This was widely accepted as a good idea, as securing web traffic protects both the site owner and their customers.

While Let’s Encrypt and its API has made it wonderfully easy for anyone to generate and install SSL certificates on their servers, it does little to help developers with HTTPS in their development environments. Creating a local SSL certificate to serve your development sites over HTTPS can be a tricky business. Even if you do manage to generate a self-signed certificate, you still end up with browser privacy errors.

In this article, we’ll walk through creating your own certificate authority (CA) for your local servers so that you can run HTTPS sites locally without issue.

Why HTTPS Locally?
How It Works
Becoming a (Tiny) Certificate Authority
Installing Your Root Certificate
Creating CA-Signed Certificates for Your Dev Sites
Shell Script
Alternatives
Conclusion

If you prefer to learn visually, our video producer Thomas has created a video for you that outlines the steps involved in creating your own local CA. He’s also created videos that layout the process for Linux and Windows users.

Why HTTPS Locally?

Why not just use regular HTTP locally? Because if your production site is HTTPS-only and you’re developing locally on regular HTTP, your development and production environments are not as similar as they could be.

For example, my development environment for this site (and SpinupWP) runs as an Ubuntu server in a VMware virtual machine (VM) on my Mac. The production site is an Ubuntu server running on DigitalOcean with an almost identical configuration.

You definitely want your development environment to mirror production as closely as possible. When it doesn’t, you invite more issues showing up in production that didn’t show up in development. Running HTTP when your production site is HTTPS-only is definitely an unnecessary risk. Even in a situation where you can’t mirror your production environment perfectly, you’ll still want to run HTTPS locally, or you’ll be fighting with mixed content SSL warnings all day long.

If you’ve ever tried to browse to a local site via HTTPS, which doesn’t have an SSL certificate configured, you’ve probably seen the following message in Chrome:

Or the following in Firefox:

Other browsers have different messages, but the gist is the same.

One way to work around this is to switch your local WordPress development environment to something like LocalWP, DevKinsta, or even Laravel Valet which offer local SSL solutions out of the box. The downside is that this means changing your development workflow, not ideal if you are more comfortable with what you already have, especially if it already matches your production environment.

Searching for a local SSL solution online will often result in you going down the rabbit hole of self-signed certificates. However, trying to get a self-signed SSL certificate working with your local server kind of sucks if you’re not using a tool that handles it for you, which brings you back to needing to switch local development environments.

The main problem with locally self-signed certificates is that they also need to be trusted by your browser. Just setting up a local self-signed certificate isn’t enough. You end up with the same browser message, but this time with ERR_CERT_AUTHORITY_INVALID. This happens because the browser wants to check the validity of this certificate with a certificate authority, and can’t. So the solution is to become your own CA!

How It Works

To request an SSL certificate from a CA like Verisign or GoDaddy, you send them a Certificate Signing Request (CSR), and they give you an SSL certificate in return that they have signed using their root certificate and private key. All browsers have a copy (or access to a copy from the operating system) of the root certificate from the various CAs, so the browser can verify that your certificate was signed by a trusted CA.

That’s why when you generate a self-signed certificate the browser doesn’t trust it. It hasn’t been signed by a CA. The way to get around this is to generate our own root certificate and private key. We then add the root certificate to all the devices we own just once, and then all the self-signed certificates we generate will be inherently trusted.

Becoming a (Tiny) Certificate Authority

It’s kind of ridiculous how easy it is to generate the files needed to become a certificate authority. It really only takes two commands. Let’s dive into how we can do this on macOS and Linux, and then look at how it works in the Windows operating system.

Generating the Private Key and Root Certificate on macOS Monterey and Linux

As macOS and Linux are both Unix-like operating systems, the processes for generating the required files are identical.

The only real difference between the two is that on macOS you might need to install the OpenSSL command-line application. To do that, if you don’t already have it, install homebrew, which will allow you to install OpenSSL.

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install openssl

The majority of Linux distros come with OpenSSL installed. If not, it can be installed via your default package manager.

Then, we can create a location to store our local certificate files. This is not a requirement, but it makes it easier to find the keys later.

mkdir ~/certs
cd ~/certs

With that set up, we’re ready to generate the private key to become a local CA:

openssl genrsa -des3 -out myCA.key 2048

OpenSSL will ask for a passphrase, which we recommend not skipping and keeping safe. The passphrase will prevent anyone who gets your private key from generating a root certificate of their own. The output should look like this:

Generating RSA private key, 2048 bit long modulus
.................................................................+++
.....................................+++
e is 65537 (0x10001)
Enter pass phrase for myCA.key:
Verifying - Enter pass phrase for myCA.key:

Next, we generate a root certificate:

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

You will be prompted for the passphrase of the private key you just chose and a bunch of questions. The answers to those questions aren’t that important. They show up when looking at the certificate, which you will almost never do. I suggest making the Common Name something that you’ll recognize as your root certificate in a list of other certificates. That’s really the only thing that matters.

Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]: Springfield State
Locality Name (eg, city) []:Springfield
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hellfish Media
Organizational Unit Name (eg, section) []:7G
Common Name (e.g. server FQDN or YOUR name) []:Hellfish Media
Email Address []:[email protected]

You should now have two files: myCA.key (your private key) and myCA.pem (your root certificate).

🎉 Congratulations, you’re now a CA. Sort of.

Generating the Private Key and Root Certificate on Windows

On Windows, it’s also possible to configure your environment to run the openssl commands. You just need some additional tools.

If you are running Windows Subsystem for Linux (WSL) then it’s as if you’re running Linux and the commands will work exactly the same. If you’re using Windows with something like WampServer or XAMPP you’ll need a way to install the OpenSSL command-line utility in Windows. The most straightforward way to do this is to install Git for Windows, which comes bundled with OpenSSL and the Git Bash utility.

Once you open a Git Bash window, you can run the same commands as for macOS or Linux, with one small difference. Due to how some console applications (specifically OpenSSL) work in Git Bash, you need to prefix all openssl commands using the winpty utility.

So for example, the following command is how to generate the private key to become a local CA in Git Bash:

winpty openssl genrsa -des3 -out myCA.key 2048

The other small differences are the file paths in Git Bash. When you open a Git Bash instance, the home directory in the terminal is mapped to your User directory in Windows, but with a Linux-like directory structure. So if your User directory is located at c:\Users\Hellfish in Windows, your Git Bash home directory will be c/Users/Hellfish.

Installing Your Root Certificate

To become a real CA, you need to get your root certificate on all the devices in the world.

But we don’t need to become a real CA. We just need to be a CA for the devices you own. We need to add the root certificate to any laptops, desktops, tablets, and phones that access your HTTPS sites. This can be a bit of a pain, but the good news is that we only have to do it once. Our root certificate will be good until it expires.

Adding the Root Certificate to macOS Monterey Keychain

Via the CLI

sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" myCA.pem

Via the macOS Keychain App

Open the macOS Keychain app
If required, make sure you’ve selected the System Keychain (older macOS versions default to this keychain)
Go to File > Import Items…
Select your private key file (i.e. myCA.pem)
Search for whatever you answered as the “Common Name” name above
Double-click on your root certificate in the list
Expand the Trust section
Change the “When using this certificate:” select box to Always Trust
Close the certificate window
During the process it may ask you to enter your password (or scan your finger), do that
🎉 Celebrate!

Adding the Root Certificate to Linux

There are so many Linux distributions, but Ubuntu is by far the most popular and it’s what we used when we built SpinupWP. Therefore these instructions will cover Ubuntu.

If it isn’t already installed, install the ca-certificates package. sudo apt-get install -y ca-certificates
Copy the myCA.pem file to the /usr/local/share/ca-certificates directory as a myCA.crt file. sudo cp ~/certs/myCA.pem /usr/local/share/ca-certificates/myCA.crt
Update the certificate store. sudo update-ca-certificates

You can test that the certificate has been installed by running the following command:

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep Hellfish

If it’s installed correctly, you’ll see the details of the root certificate.

subject=C = US, ST = Springfield State, L = Springfield, O = Hellfish Media, OU = 7G, CN = Hellfish Media, emailAddress = [email protected]

Adding the Root Certificate to Windows 10

Open the “Microsoft Management Console” by using the Windows + R keyboard combination, typing mmc and clicking Open
Go to File > Add/Remove Snap-in
Click Certificates and Add
Select Computer Account and click Next
Select Local Computer then click Finish
Click OK to go back to the MMC window
Double-click Certificates (local computer) to expand the view
Select Trusted Root Certification Authorities, right-click on Certificates in the middle column under “Object Type” and select All Tasks then Import
Click Next then Browse. Change the certificate extension dropdown next to the filename field to All Files (*.*) and locate the myCA.pem file, click Open, then Next
Select Place all certificates in the following store. “Trusted Root Certification Authorities store” is the default. Click Next then click Finish to complete the wizard.

If everything went according to plan, you should see your CA certificate listed under Trusted Root Certification Authorities > Certificates.

Adding the Root Certificate to iOS 14

If you use something like ngrok to browse to your local development sites on mobile devices, you might need to add the root certificate to these devices. On iOS devices you can do so fairly easily by following these steps:

Email the root certificate to yourself, so you can access it on your iOS device. Make sure to use the default Mail app to access the email.
Tap on the attachment in the email on your iOS device. It will prompt you to review the profile in the Settings app.
Open the Settings app and click Profile Downloaded near the top.
Click Install in the top right, and then Install again on the Warning screen.
Once installed, hit Close and go back to the main Settings page.
Go to General > About.
Scroll to the bottom and click on Certificate Trust Settings.
Enable your root certificate under “ENABLE FULL TRUST FOR ROOT CERTIFICATES”.

Creating CA-Signed Certificates for Your Dev Sites

Now we’re a CA on all our devices and we can sign certificates for any new dev sites that need HTTPS. First, we create a private key for the dev site. Note that we name the private key using the domain name URL of the dev site. This is not required, but it makes it easier to manage if you have multiple sites:

openssl genrsa -out hellfish.test.key 2048

Then we create a CSR:

openssl req -new -key hellfish.test.key -out hellfish.test.csr

You’ll get all the same questions as you did above and, again, your answers don’t matter. In fact, they matter even less because you won’t be looking at this certificate in a list next to others.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Springfield State
Locality Name (eg, city) []:Springfield
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hellfish Media
Organizational Unit Name (eg, section) []:7G
Common Name (e.g. server FQDN or YOUR name) []:Hellfish Media
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Finally, we’ll create an X509 V3 certificate extension config file, which is used to define the Subject Alternative Name (SAN) for the certificate. In our case, we’ll create a configuration file called hellfish.test.ext containing the following text:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = hellfish.test

We’ll be running openssl x509 because the x509 command allows us to edit certificate trust settings. In this case we’re using it to sign the certificate in conjunction with the config file, which allows us to set the Subject Alternative Name. I originally found this answer on Stack Overflow.

Now we run the command to create the certificate: using our CSR, the CA private key, the CA certificate, and the config file:

openssl x509 -req -in hellfish.test.csr -CA myCA.pem -CAkey myCA.key \
-CAcreateserial -out hellfish.test.crt -days 825 -sha256 -extfile hellfish.test.ext

We now have three files: hellfish.test.key (the private key), hellfish.test.csr (the certificate signing request, or csr file), and hellfish.test.crt (the signed certificate). We can configure local web servers to use HTTPS with the private key and the signed certificate.

If you’re using MAMP Pro, version 6.0 introduced built-in SSL support. You can enable it by checking the SSL box under your selected web server.

If you prefer to use the locally signed certificate we’ve just set up, you can do this by enabling the “Expert” view, clicking on the SSL tab, and choosing your “Certificate” and “Certificate key” (private key) files.

If you’re running a Linux or Windows environment which uses Nginx you can use the instructions in our Install WordPress on Ubuntu 20.04 series.

If you’re on Linux or Windows using Apache, you’ll need to enable the Apache SSL mod, and configure an Apache virtual host for port 443 for the local site. It will require you to add the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives, and point the last two to the certificate and key file you just created.

<VirtualHost *:443>
   ServerName hellfish.test
   DocumentRoot /var/www/hellfish-test

   SSLEngine on
   SSLCertificateFile /path/to/certs/hellfish.test.crt
   SSLCertificateKeyFile /path/to/certs/hellfish.test.key
</VirtualHost>

We don’t have instructions for how to do this on Windows using IIS, because WordPress is not the easiest to configure on IIS systems.

We don’t have to create a new CA for each site. We can just repeat this last part of creating a certificate for any other dev sites.

Shell Script

To make things even speedier, here’s a handy shell script you can modify for your own purposes. It should work on macOS, Linux, or Windows via Git Bash:

#!/bin/sh

if [ "$#" -ne 1 ]
then
  echo "Usage: Must supply a domain"
  exit 1
fi

DOMAIN=$1

cd ~/certs

openssl genrsa -out $DOMAIN.key 2048
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr

cat > $DOMAIN.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF

openssl x509 -req -in $DOMAIN.csr -CA ../myCA.pem -CAkey ../myCA.key -CAcreateserial \
-out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext

Alternatives

An alternative to look into for creating locally trusted SSL certificates is mkcert (thanks to the folks in the comments for pointing this out). If you don’t mind using one of the various package managers listed in mkcert’s readme file to install the tool, it’s a solid alternative for creating locally trusted SSL certificates. The downside is that it only installs the root CA certificate for you on your local machine and creates locally signed SSL certificates, you still need to configure the certificates manually for each local site.

Conclusion

So there you have it, how to become your own local certificate authority to sign your local SSL certificates and use HTTPS on your local sites. Hopefully, this will eliminate the dreaded “Your connection is not private” message for you on your local development websites.

Have you tried setting up a CA of your own? Do you work locally with HTTPS? Let me know in the comments below.

This entry was posted in WP Migrate DB Pro, Workflow and tagged SSL, HTTPS, Development Tips, Development Environment, MAMP, Certificate Authority, OpenSSL.

.replybox-fallback, .replybox-fallback ul { list-style: none; }

Anton VS says:

July 27, 2017 at 8:32 pm

Is there any reason to set up an SSL certificate / HTTPS for local development?

Henrique Mattos says:

July 28, 2017 at 5:08 am

Developers have been editing computer hosts file to redirect the original domain (say example.com) to localhost (say 127.0.0.1) so they can use the fully qualified URI/URL in the development. It’s a good way to develop WordPress themes and plugins and then upload those to the production webserver not needing to script into the DB to rewrite permalinks, attachment URLs, etc… Also, having HTTPS is mandatory for some WooCommerce plugins or some XSS integration and therefore it’s nice to have it in your dev environment. 🙂

Reply

Laukik Patel says:

October 4, 2017 at 8:21 am

Thank you so much @bradt

numediaweb says:

October 19, 2017 at 12:24 pm

Thanks so much! I turned this into an Ansible role which allows me to generate unlimited hosts with each one a unique cert!

gmannz says:

November 3, 2017 at 12:35 am

Thanks Brad, this was a good concise article and worked well. I secured my WIFI AirOS nano WIFI AP’s with a new certificate, as well for my lab I will be applying these to some other devices. Keep up the good work. Greg

Clément Guinet says:

January 4, 2018 at 12:06 pm

Thanks for this very useful post 🙂

Tanner says:

January 8, 2018 at 1:59 am

Genius! I used this tutorial to help with local Traefik & docker. Thanks for making it rather easy to follow.

Dev says:

February 14, 2018 at 3:40 am

Is it possible to issue a Wildcard? I’ve tried setting common name as *.mydoman.com but I get ERR_CERT_COMMON_NAME_INVALID from chrome. BTW many thanks for the useful article!

Thomas Bacon says:

August 26, 2018 at 12:36 pm

Yes it is, but as mentioned in this article: https://deliciousbrains.com/https-locally-without-browser-privacy-errors/ setting the common name is insufficient, you have to set it in the SAN Config file. For example: DNS.1 = *.domain.devAs a matter of fact I set this up so that I can use it for the purpose of making it super easy to setup local HTTPS. I just use the format of my-site.domain.dev, my-site-2.domain.dev, etc…

Reply

Benjamín Burgos says:

March 31, 2018 at 5:37 am

Geat article. Works like a charm. Thanks a lot!

EugeneX says:

April 12, 2018 at 3:45 am

Thanks a lot! Very nice post!

dobes_vandermeer says:

May 18, 2018 at 3:12 pm

I put this all together in a shell script you can run: https://gist.github.com/dobesv/13d4cb3cbd0fc4710fa55f89d1ef69be

Martin Reinke says:

June 12, 2018 at 11:23 am

I tried to get this working on Windows 10 the last two days. I could see, that the public key and the serial no in the certificate received by the browser was different from key and serial no produced by openssl. Only Firefox received the right key. In the end I found out, that the AVG Online Shield had manipulated part of the certificate and made it useless that way. After switching off the SSL trafic scan in AVG everything worked as it should. So keep your AV-Software in mind, when it is not working.

Keno Clayton says:

July 27, 2018 at 1:52 am

Thank you so much. After so many attempts with other articles I finally found success with yours 🙂 https://uploads.disquscdn.com/images/8fc70b87890c60e3e36246771017cd7b7528bfe708541dd26f8642107c9a4745.png

Enk says:

December 12, 2018 at 12:44 pm

Hello, can you tell me how you did it. I have wasted many hours trying to get by the NET::ERR_CERT_COMMON_NAME_INVALID on Chrome. I access my local at https://192.168.7.13/myapp and I set the DNS1 = myapp.domain.com but it doesn’t seems to work. Thanks.

Reply
- Keno Clayton says:
  
  December 27, 2018 at 5:17 pm
  
  Also why did you set your DNS1 to be myapp.domain.com? Your local server is 192.168.7.13 so I’d expect that to be your DNS1. Correct me if I’m mistaken.
  
  Reply
- Keno Clayton says:
  
  December 27, 2018 at 10:19 pm
  
  Hi, just saw your reply. All I did was follow the steps in the tutorial. Make sure you follow this part as it deals with defining the Subject Alternative Name (SAN) which is needed to fix the error you’re having. Let me know how it goes.
  
  Reply

Clinton Brits says:

September 23, 2018 at 11:09 am

Can you recommend an article on the basics of ssl itself? I have always used a self signed cert to to my sites and just ignore the warnings. I now want to implement a windows tcp app that uses ssl. There is provision for key file, cert file, and root cert. From your article i can get all 3 but im confused as to what goes where? Does the cert and key reside on the server side application and the root cert in the client application? On one article they say a normal cert authority’s root cert is added to new releases of browsers and then they say they are closely guarded?

Felix Ortego Perez says:

October 24, 2018 at 11:55 am

thanks a lot for the explanation

kingkool68 says:

October 25, 2018 at 10:07 pm

I see others have shared shell scripts that incorporates the commands in this article. So here’s my take https://github.com/kingkool68/generate-ssl-certs-for-local-development If you’re on a Mac it automatically copies the root certificate to Keychain saving you a step.

Lakshmeepathi says:

October 31, 2018 at 3:01 am

Thanks. Wonderful article. I have a question. I was under the impression that only the private key of the CA is used to sign ( sign our CSR / Public Key ). But here both the Private Key of CA and CA’s Public Certificate ( Root Certificate ) is used. Can it be further explained why both are needed in a simple manner or can it be understood only with the knowledge of cryptography ? Also why are you loading Private Key into KeyChain Access – in the article "Select your private key file (i.e. myCA.pem)"? Did you actually mean the CA’s certificate file ?

Lakshmeepathi says:

October 31, 2018 at 7:19 am

Shouldn’t the mentioning of SAN be done at the step of CSR creation as that seems more intuitive and appropriate – since CSR is the "request" shouldn’t it mention for what CN/SAN it wants the signature for?

Ryan Liu says:

November 12, 2018 at 7:57 am

Note that once you create a serial using the CAcreateserial you can use the serial again: openssl x509 -req -in dev.mergebot.com -CA myCA.pem -CAkey myCA.key -CAserial myCA.srl -days 1825 -extfile dev.mergebot.com.ext -out dev.mergebot.com.crt

nomailme says:

December 3, 2018 at 5:56 am

Have been there, so I’ve created small test CA project: https://github.com/nomailme/TestAuthority It allows to issue test SSL certificates via REST API (or Swagger UI if you prefer). You can compile it and run in Win/Linux or as I prefer docker container

Enk says:

December 12, 2018 at 6:01 pm

https://uploads.disquscdn.com/images/12debafac146b971b4e188f60fcc873ea6c0a4fbdae967eef8e451d7a0c8d34b.png I am not sure what I did wrong, but I’ve tried almost everything and still got the NET::ERR_CERT_COMMON_NAME_INVALID error with the message "This server could not prove that it is 192.168.7.101; its security certificate is from kb.dci.com". My .ext is exactly the same as the article with the following DNS settings: DNS.1 = kb.dci.com DNS.2 = kb.dci.com.192.168.7.101.xip.io I am on CentOS 7 and my hostname is kb.dci.com. I create all the keys and certs in a custom directory (/etc/httpd/pki) and updated the ssl.cnf accordingly. Any suggestion would be appreciated. Thanks!

Tony Pedley says:

January 30, 2019 at 5:10 am

Nice article. Just to add a comment or two. It would be nice to add the SAN to the CSR, but there does not seem to be a valid way of doing it, so it has to go into the CA request. The biggest reason for us to become a CA, is that we are talking to embedded controllers that do not have a FQDN, only IP addresses. Regular CA’s will not generate a certificate for anything other than a domain name. As the CA we can generate a SAN with multiple IP addresses (IE for some reason demands the IP addresses to be DNS values, heh ho). Biggest issue as acting as your own CA, is security and certificate management i.s managing CRL, however for a local intranet, these area manageable

themaster says:

February 4, 2019 at 12:40 am

In Case I need to create a signed certificate for my locahost:port. Would I have to change the openssl genrsa -out dev.mergebot.com.key 2048 to openssl genrsa -out dev.localhost:8800.key 2048 ??

MikeSchinkel says:

April 25, 2019 at 6:19 am

ports don’t matter fyi it’s just the parent dns record

Reply

Bobby Gecko says:

February 27, 2019 at 2:49 pm

I recently attempted this setup and tried the steps outlined in both this post as well as numerous others – alas I had no success. I also tried TinyCA and RCA but both were really outdated and pretty much unusable. It took me a while but I finally found a reasonably well-made (and free) PKI management program (multi-platform) that uses a web interface so it’s considerably easier to use than openSSL via the command line (from what I understand however, the application does actually use openSSL underneath – so you could think of it as a front-end for openSSL). I did a breakdown on TLS basics as well as some tips for using the aforementioned tool on my blog at the link below. I hope this is as helpful for others as it was for me, now I have to go: there’s a moth in the room that’s about to get it… https://www.tech-jungle.com/setup-your-own-tls-certificate-authority-in-lieu-of-self-signed-certificates/

arvydasj says:

March 12, 2019 at 6:44 am

Important: if you want your CA certificate to work on Android properly, then add the following options when generating CA: openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem -reqexts v3_req -extensions v3_ca

Phillipp says:

April 2, 2019 at 4:45 am

When I import it on android, it shows up as an user certificate and not as a CA certificate. It also doesn’t show up under trusted access. Any tips on how to get it working?

Abidul Ramadan says:

November 7, 2019 at 1:54 am

you need to add the CA one (first one you generate) not the second one.

Reply
Abidul Ramadan says:

November 7, 2019 at 1:54 am

you need to add the CA one (first one you generate) not the second one.

Reply

B.R. says:

April 9, 2019 at 12:51 pm

Perfect! Thank you so much!

Elliott Vernon says:

April 27, 2019 at 1:43 pm

I have managed to create my own TLS certs using bare, arcane OpenSSL commands, with much help from https://jamielinux.com/docs/openssl-certificate-authority/. It’s pretty torturous. I read in the OpenSSL documentation that these commands were never intended as much more than a proof-of-concept, but people seem to be using them for real because HTTPS everywhere is the future. LetsEncrypt is great but you can’t use it on a private intranet, so… do we have much other choice?

Lyas Spiehler says:

May 2, 2019 at 4:41 am

https://certificatetools.com makes this very simple and generates the OpenSSL commands you can use to do it offline.

Firmwaree says:

June 4, 2019 at 12:56 pm

Hello, thansk for this tuto ! i created a self signed certificate for my internal load balancer ! i try to add it to aws acm but i still get this error "An error occurred (ValidationException) when calling the ImportCertificate operation: com.amazonaws.pki.acm.exceptions.external.ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain." even if i convert the cert and his key in pem format i still get the same error ! now i believe because it signed with my authority i need to provide a certificate chain ! How can i do it ? thanks

Anders Rørvik says:

October 8, 2019 at 10:58 am

Thanks so much for the tutorial Brad!

haptomatic says:

October 9, 2019 at 11:05 pm

Thanks for this guide, it’s been a huge help!! Everything was working fine until I formatted the Mac I generated everything from today. All I’ve done since then was import and trust the Root CA again in Keychain Access. Now when I visit something in Chrome, it will definitely find the certificate, but it says it’s been revoked. It’s weird though, because I remember specifically trusting the Root CA on an entirely different computer than the one I generated it from, in order to test it originally, and everything was fine. Will have to investigate that later to see if it still works. https://ibb.co/yh76z2B

Allen Bradley says:

February 16, 2020 at 4:10 am

Thanks for the tutorial. I used the instructions to create a private key, cert, and ca to connect from Celery container to Redis container as required in hereBut I have problems to connect. Can I use certs that were generated in one environment in another environment? For example, I created the certs in localhost. Can I use them to connect from a Celery docker container to a Redis docker container? My specific question with more details is posted hereThanks

joshua ashley says:

February 28, 2020 at 2:38 pm

Great article my man

Hike Nalbandyan says:

March 17, 2020 at 4:02 am

This was super helpfull!! Thank you

nydame says:

May 11, 2020 at 6:17 am

Nice article. Next question, is there any way to distribute CA’s root cert to all windows machine joining the same domain? So we don’t have to install the root CA’s cert manually one-by-one.

jvanpelt says:

June 23, 2020 at 5:46 am

I just use ngrok, I know you can roll your own but it just works and that’s worth paying the annual fee for. Their tool that lets you inspect all traffic that goes through it is also great.

Hannes says:

November 4, 2020 at 6:28 pm

just noticed that .srl file in the directory where i signed my Certificate Signing Request (CSR). the web told me this file contains a serial key that i need to provide to any other certificate signed with the same Certificate Authority (CA). i should do that with --CAserial .srl. is that correct? if so, it might be nice to add. thanks you for that well guided tutorial! hannes source: http://www.gutizz.com/openssl-creates-ca-serial-file/

Ross McKay says:

December 12, 2020 at 6:43 pm

This is something that I’ve been doing for ages, but when I mentioned it on a Slack channel a security expert told me how this could be used to MITM attack me if the CA cert keys were stolen. Pretty low risk, but huge impact if it happened — say hello to successful expert phishing attacks. Apparently the way to fix this is by adding Name Constraints to the CA cert, restricting the domains that it can apply to. Here’s two discussions on how. https://security.stackexchange.com/a/130674/218836 https://systemoverlord.com/2020/06/14/private-ca-with-x-509-name-constraints.html

Daniel Seuffer says:

December 28, 2020 at 1:31 pm

Finally my local certificates are working again. Thank you very much for this great post. I got stuck for some hours and walked through 4 other explanations before i ended up here. This morning i’ve encountered some cors issues because of cross domain session/cookie usage and so i had to solve my local ssl issues before i can go on. Here you can find my email (https://github.com/authanram), if you send me your paypal addy a donation link smth. similar, i will send you a few bucks. Thanks a lot.

drewrunolfsson says:

January 14, 2021 at 11:43 am

Thanks Bro , Recently added SSL on Client site https://migweldertech.com , You save my time.

Mehmet Gültekin says:

June 24, 2021 at 5:27 am

Awesome. Thank you.

Mohammad Hasan Mia says:

July 7, 2021 at 4:28 am

Does anyone know how to generate self signed root certificate on Win 10 for Xaomi router using openssl ( I would like to send all traffic using ssl to router )

catalin detest says:

October 2, 2021 at 7:37 pm

Exactly awesome.

Volkan Kaban says:

November 3, 2021 at 1:54 pm

Do you prefer to install SSL your way or to use mkcert? Somehow we are sharing our information with 3rd party. When we pay for SSL we are comfortable because it’s business. Why Firefox or chrome it’s not providing free local SSL for developers? Because nothing it’s free?

Juan Mamani says:

November 29, 2021 at 11:57 am

Really useful! Thanks for sharing.

Lior Talmor says:

December 5, 2021 at 6:43 pm

I’m using devilbox for my local development. It’s absolutely perfect and it also takes care of the local ssl certificate / https local domain. There’s an article talking about it as well on the Delicious Brains blog 🙂 , you could list it as an alternative and link to the post 😉

Jonathan says:

January 24, 2022 at 6:15 am

Thanks for the info, we’ve updated the section on installing the root certificate on Ubuntu.

A Mobile Way says:

April 19, 2022 at 1:57 pm

Hi, In the final third step I tried to run openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out localhost.crt -days 825 -sha256 -extfile localhost.ext on my Mac and it gave an error – unknown option -CAcreateserial yet it also listed – usage: x509 args with all options including -req – input is a certificate request, sign and output. -CA arg – set the CA certificate, must be PEM format. -CAkey arg – set the CA key, must be PEM format missing, it is assumed to be in the CA file. -CAcreateserial – create serial number file if it does not exist -CAserial arg – serial file -set_serial – serial number to use -text – print the certificate in text form So what could be wrong?… cheers

Matthew Bowen says:

April 29, 2022 at 4:07 pm

Thanks so much! This guide was incredibly helpful.

rosario moggia says:

May 11, 2022 at 11:03 am

Hi. Your tutorial is very interested. I followed him. But when I connect to the Apache webserver, it tells me that the certificate is not valid because it cannot contact the CA

Ross Moore says:

May 20, 2022 at 5:29 pm

When I follow the steps in this article I am able to create all necessary certificates. I have added the Root certificate to the Trusted Roots store. However, when I use openssl to combine the public and private keys to a pfx, and then import that pfx to an IIS server, I get the error of Err_cert_authority_invalid. I used this command: openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem. Do I also need to add the private root certificate in the pfx? And if so, how do I do that?

Deepak Kumar says:

August 8, 2022 at 7:03 am

Getting error "Command Not Found" while typing keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment Please help

Walt Williams says:

November 23, 2022 at 9:51 am

I followed your article but couldn’t get a local, private CA to work. I will go through it again. Perhaps I missed something.

My question is: I am trying to set up a private CA for development purposes on the same computer the browser running on. Will this need to be on be on a separate computer? Perhaps a Linux Container or Virtual-box with Debian 10? I also have a Raspberry PI 2B I could use.

Thanks in advance Walt Williams

Olakunle Oni says:

December 22, 2022 at 7:45 pm

Hello guys! Please I don’t understand how you guys did it, when adding the root certificate to Linux, I expected 2 errors and I got them. 1. This directory does not exist /usr/local/share/ca-certificates, how did you copy the cert to the directory cos I know the directory does not truly exist 2. sudo-update-ca-certificates gave me a command not found error and finally awk -v cmd=’openssl x509 -noout -subject’ ‘/BEGIN/{close(cmd)};{print | cmd}’ < /etc/ssl/certs/ca-certificates.crt | grep Livetest threw an error of /etc/ssl/certs does not exist. Please point me in the right direction. Thanks.

Andrii Tykhonov says:

December 24, 2022 at 10:35 pm

Hi! Thank you very much for the article. I found it after some experience with mkcert. Yes, mkcert is helpful, but also very helpful to understand what happens behind the curtain (in order to be able to solve an issue, if any). And the article helped me a lot. Thank you!

kuo eric says:

January 14, 2023 at 8:52 am

Thank you so much. It’s working.

Antonio Nieto García says:

January 25, 2023 at 5:20 am

Thanks a lot Brad! Very useful and well explained tutorial

Dennis Barzen says:

April 4, 2023 at 10:30 am

Great article, Brad. Thank you very much.

There is one thing I stumbled across today when I was testing a dev environment with iPhone Simulator and Safari told me that the connection was not secure. Since September 2020, certificates are allowed to be valid for a maximum of 398 days. https://support.apple.com/en-us/HT211025

WebDev says:

August 26, 2023 at 12:12 pm

"This change will not affect certificates issued from user-added or administrator-added Root CAs"

Reply

Philip Rudy says:

May 2, 2023 at 1:04 pm

For the windows tutorial, when I doble click "Certificates (local computer)" I dont’ get the following options listed in your directions I get a prompt with two options:

1) Always enabel all available extentions 2) Enable only the slected extentions

Solo90 says:

October 14, 2023 at 6:11 pm

Hi, Thanks, but what a nightmare. I spent an hour mistyping the CN/OU etc. It’s hell. Worse, the ^U does not work on Openssl.

You really need to add something along the lines of : -subj "/emailAddress=abc@example.eu/C=EU/ST=BE/L=Brussels/O=example/OU=MSS/CN=example.eu"

and also add the email somewhere with : /emailAddress=webmaster@example.com But this might now be done with subjectAltName.

P.S Why did you put in cd ~/certs. This serves no purpose other than generate an error. Maybe you could add [ -d ~/certs ] || mkdir -p ~/certs && cd ~/certs but it’s just not required.

Any way, few are masicistic enough to endlessly enter typos into openssl commands.

ramon says:

October 19, 2023 at 10:34 am

i am soooo graeful for this post it saved me so much time! I thank you! I missed the part where the site needs to be added to hosts file though.

Daniel Trelogan says:

October 22, 2023 at 2:28 pm

Great article, but on Ubuntu, update-ca-certificates activated the root cert in curl and wget, but not in my browser. To enable the new root cert in your browser:

Chromium: chrome://settings/certificates -> authorities tab -> import Firefox: Preferences -> Privacy & Security -> Certificates -> View Certificates -> Import