How to Create Your Own SSL Certificate Authority for Local HTTPS Development

Setting up HTTPS locally can be tricky business. Even if you do manage to wrestle self-signed certificates into submission, you still end up with browser privacy errors. In this article, we’ll walk through creating your own Certificate Authority for your local servers so that you can run HTTPS sites locally without issue.

Why HTTPS Locally?

Why not just use regular HTTP locally? Because if your production site is HTTPS-only and you’re developing locally on regular HTTP, your dev and production environments are not as similar as they could be. For example, my dev environment for this site (deliciousbrains.com) runs as an Ubuntu server in a VMware virtual machine (VM) on his Mac. The production site is an Ubuntu server running on Linode with an almost identical configuration.

You definitely want your dev environment to mirror production as closely as possible.
When it doesn’t, you invite more issues showing up in production that didn’t show up in dev. Running HTTP when your production site is HTTPS-only is definitely an unnecessary risk.

However, trying to get an SSL certificate working with your local server kind of sucks if you’re not using a tool that handles it for you like Valet.

If you’ve ever tried to run an HTTPS site locally, you’ve probably seen something like the following in Chrome:

The workaround used to be creating a self-signed certificate and using that. MAMP Pro does this for you and was my go-to for years. Unfortunately, that’s no longer possible. The modern approach is to become your own Certificate Authority (CA)!

How It Works

To request an SSL certificate from a CA like Verisign or GoDaddy, you send them a Certificate Signing Request (CSR), and they give you a certificate in return that they signed using their root certificate and private key. All browsers have a copy (or access a copy from the operating system) of Verisign’s root certificate, so the browser can verify that your certificate was signed by a trusted CA.

That’s why when you generate a self-signed certificate the browser doesn’t trust it. It’s self-signed. It hasn’t been signed by a CA. But we can generate our own root certificate and private key. We then add the root certificate to all the devices we own just once, and then all certificates that we generate and sign will be inherently trusted.

Becoming a (tiny) Certificate Authority

It’s kind of ridiculous how easy it is to generate the files needed to become a certificate authority. It only takes two commands. First, we generate our private key:

openssl genrsa -des3 -out myCA.key 2048

You will be prompted for a passphrase, which I recommend not skipping and keeping safe. The pass phrase will prevent anyone who gets your private key from generating a root certificate of their own. Output should look like this:

Generating RSA private key, 2048 bit long modulus
.................................................................+++
.....................................+++
e is 65537 (0x10001)
Enter pass phrase for myCA.key:
Verifying - Enter pass phrase for myCA.key:

Then we generate a root certificate:

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

You will be prompted for the passphrase of your private key (that you just chose) and a bunch of questions. The answers to those questions aren’t that important. They show up when looking at the certificate, which you will almost never do. I suggest making the Common Name something that you’ll recognize as your root certificate in a list of other certificates. That’s really the only thing that matters.

Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Nova Scotia
Locality Name (eg, city) []:Truro
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Delicious Brains Inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Delicious Brains
Email Address []:noreply@deliciousbrains.com

You should now have two files: myCA.key (your private key) and myCA.pem (your root certificate).

🎉 Congratulations, you’re now a CA. Sort of.

To become a real CA, you need to get your root certificate on all the devices in the world. Let’s start with the ones you own.

Installing Your Root Certificate

We need to add the root certificate to any laptops, desktops, tablets, and phones that will be accessing your HTTPS sites. This can be a bit of a pain, but the good news is that we only have to do it once. Once our root certificate is on each device, it will be good until it expires.

Adding the Root Certificate to macOS Keychain

Via the CLI

sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" myCA.pem

Via the UI

Open the macOS Keychain app
Go to File > Import Items…
Select your private key file (i.e. myCA.pem)
Search for whatever you answered as the Common Name name above
Double click on your root certificate in the list
Expand the Trust section
Change the When using this certificate: select box to “Always Trust”
Close the certificate window
It will ask you to enter your password (or scan your finger), do that
🎉 Celebrate!

Adding the Root Certificate to iOS

If you’d like to add the root certificate to your iOS devices, you can do so fairly easily by following these steps:

Email the root certificate to yourself so you can access it on your iOS device
Click on the attachment in the email on your iOS device
Go to the settings app and click ‘Profile Downloaded’ near the top
Click install in the top right
Once installed, hit close and go back to the main Settings page
Go to “General” > “About”
Scroll to the bottom and click on “Certificate Trust Settings”
Enable your root certificate under “ENABLE FULL TRUST FOR ROOT CERTIFICATES”

Creating CA-Signed Certificates for Your Dev Sites

Now that we’re a CA on all our devices, we can sign certificates for any new dev sites that need HTTPS. First, we create a private key:

openssl genrsa -out dev.deliciousbrains.com.key 2048

Then we create a CSR:

openssl req -new -key dev.deliciousbrains.com.key -out dev.deliciousbrains.com.csr

You’ll get all the same questions as you did above and, again, your answers don’t matter. In fact, they matter even less because you won’t be looking at this certificate in a list next to others.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Nova Scotia
Locality Name (eg, city) []:Truro
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Delicious Brains Inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Mergebot
Email Address []:noreply@mergebot.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next we’ll create the certificate using our CSR, the CA private key, the CA certificate, and a config file, but first we need to create that config file.

The config file is needed to define the Subject Alternative Name (SAN) extension which is defined in this section (i.e. extension) of the certificate:

The configuration file (dev.deliciousbrains.com.ext) contained the following:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = dev.deliciousbrains.com

We’ll be running the openssl x509 command because from what I understand, the x509 command is needed to do the signing with the root certificate and private key. I found this example config file on Stack Overflow and it seems to work.

Now we run the command to create the certificate:

openssl x509 -req -in dev.deliciousbrains.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
-out dev.deliciousbrains.com.crt -days 825 -sha256 -extfile dev.deliciousbrains.com.ext

I now have three files: dev.deliciousbrains.com.key (the private key), dev.deliciousbrains.com.csr (the certificate signing request), and dev.deliciousbrains.com.crt (the signed certificate).

I can now configure my web server with the private key and the certificate. If you’re running a Linux server, you can use the instructions in our Install WordPress on Ubuntu 20.04 series If you’re using MAMP, you can select the certificate and key files using the UI:

Unfortunately MAMP (tested with version 5.7) doesn’t create SSL certs with a CA, so you’ll have to use the manual method for now.

For any other dev sites, we can just repeat this last part of creating a certificate, we don’t have to create a new CA for each site.

Shell Script

To make things even speedier, here’s a handy shell script you can modify for your own purposes:

#!/bin/sh

if [ "$#" -ne 1 ]
then
  echo "Usage: Must supply a domain"
  exit 1
fi

DOMAIN=$1

cd ~/certs

openssl genrsa -out $DOMAIN.key 2048
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr

cat > $DOMAIN.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF

openssl x509 -req -in $DOMAIN.csr -CA ../myCA.pem -CAkey ../myCA.key -CAcreateserial \
-out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext

Conclusion

So there you have it, how to become your own local certificate authority to sign your local SSL certificates and use HTTPS on your local sites. Hopefully this will eliminate the dreaded ‘Your connection is not private’ message for you in Chrome.

Have you tried setting up a CA of your own? Do you work locally with HTTPS? Let me know in the comments below.

This entry was posted in WP Migrate DB Pro, Workflow and tagged SSL, HTTPS, Development Tips, Development Environment, MAMP, Certificate Authority, OpenSSL.

.replybox-fallback, .replybox-fallback ul { list-style: none; }

Philip Newcomer says:

July 25, 2017 at 7:55 pm

Firefox doesn’t use the macOS keychain (it maintains its own certificate store), so any certificates you add to the Keychain won’t be recognized by Firefox. In order for the CA-signed certificates to be recognized by Firefox you’ll need to go into the Firefox settings and manually add the root certificate there.

Henrique Mattos says:

July 28, 2017 at 5:03 am

Philip, thanks for the information. I’ve not been struggling with this for weeks because I eventually gave up and ended up using Chrome for corporate websites that needs SSO. But now with this clue, I will digg more into having the CA-signed into Firefox. If you happen to have an easy, step-by-step tutorial on how to add those to FF (I’m using DevEd), I would appreciate. Anyway, already grateful. 🙂

Reply
- Dairo Barrios says:
  
  January 17, 2018 at 12:38 pm
  
  copy-paste in your firefox url about:preferences#privacy or maybe in preferences and then privacity and security,option certificades ,view certificades,option autorities and then import your root certificade with extension .pem ej: myCA.pem
  
  Reply
  - Henrique Mattos says:
    
    January 18, 2018 at 7:54 am
    
    Already tried that, but thanks! 🙂
    
    Reply
    - Jordan says:
      
      July 20, 2018 at 4:47 pm
      
      This post: https://support.mozilla.org/en-US/questions/1175296 suggests setting security.enterprise_roots.enabled to true.

Jean-Luc GARNIER says:

July 26, 2017 at 5:19 am

Hi Brad, How can I "translate" this into the Windows world? Say, using Chrome on Win10… Thanks in advance for any advice!

Sallie Goetsch says:

July 26, 2017 at 12:30 pm

That would be my question, too. There are actually WordPress developers who don’t use Macs.

Reply
- Trevor Robertson says:
  
  July 24, 2018 at 5:10 pm
  
  Totally agree @salliegoetsch:disqus and @jeanlucgarnier:disqus It is frustrating that Windows devs are in the majority but it seems so often the info for them is lacking. This especially frustrating now that Windows is super dev friendly by having full Linux support with WSL. Anyhow, using this post and others and a lot of work, I’ve post a "How To" for Windows folks here: https://creativelogic.biz/local-dev-with-https-on-windows/
  
  Reply
  - Pmizzle. says:
    
    January 3, 2019 at 8:27 am
    
    I’m having a problem with S1 – Part 3 on your tutorial. myCA.pem file is not a recognizable file for the cert manager.
    
    Reply
    - Trevor Robertson says:
      
      January 3, 2019 at 2:31 pm
      
      Hmm. Ya at first it does’t look like .pem files are allowed but I’ve updated the instructions. Be sure to change file type you are looking for to All Files (*.*). It should then let you select this file. If not, I’m not sure, sorry.
Henrique Mattos says:

July 28, 2017 at 5:05 am

Basically the command-line would be the same if you have a Git Bash or other Unix-like CLI integrated to your CMD/PowerShell. And then you’d import the CA-signed to Chrome in a regular way, since Win10 doesn’t have a Keychain to store those.

Reply

Mary-Ann says:

July 27, 2017 at 7:53 pm

Hey Brad, Thanks so much for writing this. I ran into an issue with geolocation on a local build and needed to install an SSL certificate, and just so happened to get an email with this article on the same day. Great stuff! I did run into an issue when following along. My issue was creating the config file, which I think you could have been a little bit more clear about. I would include the full text of your config file within this article since I was confused about what I had to add or change. The other issue was this code snippet: openssl x509 -req -in dev.mergebot.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.mergebot.com.crt -days 1825 -sha256 -extfile dev.mergebot.com.ext My issue was that the .ext at the end of your command should have been ".config" (or in my case, I just made it .cnf) It took a second to figure out but wasn’t immediately clear. However, even after successfully creating the certificate, Google was just not having it. It was giving me the error "ERR_CERT_COMMON_NAME_INVALID" and when I looked at the details, it said that I was missingSubjAltName (or something along those lines). After digging around some other articles that explained how to create a self-signed certificate, I noticed there was one little piece missing from the command: -extensions x509_ext after -sha256. After I added that little piece (and changed .ext to .cnf), I was able to successfully create the certificate, add it to MAMP, and was good to go! The final code was: openssl x509 -req -in dev.DOMAIN.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.DOMAIN.com.crt -days 1825 -sha256 -extensions x509_ext -extfile dev.DOMAIN.com.cnf I can also confirm that this doesn’t work for Firefox right out of the gate. Thanks again for teaching me something new! I always look forward to y’all’s articles and walkthroughs.

pbtura says:

January 19, 2018 at 5:01 pm

Thank you! I was pulling my hair out trying to figure out what I missed. Adding that -extensions did the trick.

Reply
- Palermo says:
  
  August 12, 2020 at 11:44 pm
  
  When I add the "-extensions x509_ext" as you suggest I`m getting an error: Error Loading extension section x509_ext. In the config there is nothing declared for x509. How did you solved that?
  
  Reply
  - Albert Albs says:
    
    August 19, 2020 at 9:35 am
    
    I added a section in the conf file, and i don’t get the ‘x509_ext" error msg anymore, but still having the "ERR_CERT_COMMON_NAME_INVALID" in Chrome : [ x509_ext ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer My server is listening on specific port ( not 443 ). Should i add the port in the common name during the crt gen ? ( edit : doesn’t do the trick :((( ) Thanks to all for sharing 😀 EDIT 2 : i’ve finally achieved this with this tutorial ( in french )NB : the only way i’ve found to force Chrome to reload the new certificate is to restart my Linux host (chrome://restart doesn’t reload it )
    
    Reply

Anton VS says:

July 27, 2017 at 8:32 pm

Is there any reason to set up an SSL certificate / HTTPS for local development?

Henrique Mattos says:

July 28, 2017 at 5:08 am

Developers have been editing computer hosts file to redirect the original domain (say example.com) to localhost (say 127.0.0.1) so they can use the fully qualified URI/URL in the development. It’s a good way to develop WordPress themes and plugins and then upload those to the production webserver not needing to script into the DB to rewrite permalinks, attachment URLs, etc… Also, having HTTPS is mandatory for some WooCommerce plugins or some XSS integration and therefore it’s nice to have it in your dev environment. 🙂

Reply

Jano Hernández Cobos says:

September 6, 2017 at 11:04 am

Great tutorial. Please note this is not valid for IIS servers, it is needed to generate a pxf file and add a intermediate certificate (and you don’t have it)

claudia4152156 says:

September 9, 2017 at 7:30 am

For developed the HTTPS there are more people are have more interest and i hope they found good tricks and tips from here. To get success such will be so more better for them.

Andy Waller says:

September 11, 2017 at 6:22 pm

I followed the directions up until the last step. I can’t figure out how to configure the web server with the private key and certificate. I’m using the free version of DesktopServer, and there’s no UI like there is for MAMP. How do I do this?

Keno Clayton says:

July 27, 2018 at 1:56 am

The point of this step is to point your server to your newly generated files to serve as its certificate and key.

Reply

Laukik Patel says:

October 4, 2017 at 8:21 am

Thank you so much @bradt

numediaweb says:

October 19, 2017 at 12:24 pm

Thanks so much! I turned this into an Ansible role which allows me to generate unlimited hosts with each one a unique cert!

gmannz says:

November 3, 2017 at 12:35 am

Thanks Brad, this was a good concise article and worked well. I secured my WIFI AirOS nano WIFI AP’s with a new certificate, as well for my lab I will be applying these to some other devices. Keep up the good work. Greg

hutchings7346 says:

December 17, 2017 at 1:51 am

We are so happy to get more update HTTPS Development and most of the people are like to get this one. So i hope day by day it will be so more usable for us.

Clément Guinet says:

January 4, 2018 at 12:06 pm

Thanks for this very useful post 🙂

Tanner says:

January 8, 2018 at 1:59 am

Genius! I used this tutorial to help with local Traefik & docker. Thanks for making it rather easy to follow.

Boboss says:

January 24, 2018 at 8:36 am

Thanks for the guide, Maybe should you update the max lifetime days to 825 https://www.entrustdatacard.com/blog/2017/march/maximum-certificate-lifetime-drops-to-825-days-in-2018

Brad says:

May 25, 2020 at 2:13 pm

Thanks, updated

Reply

Iain says:

January 31, 2018 at 3:24 am

I created a little bash script to quickly create the certificate against the CA for a domain: https://gist.github.com/polevaultweb/c83ac276f51a523a80d8e7f9a61afad0

Roman Sørensen says:

March 1, 2018 at 7:38 am

Hi Iain, thank you very much for the script! It works like a charm 🙂 … and Brad: both articles are great work! Thanks a lot!

Reply

Dev says:

February 14, 2018 at 3:40 am

Is it possible to issue a Wildcard? I’ve tried setting common name as *.mydoman.com but I get ERR_CERT_COMMON_NAME_INVALID from chrome. BTW many thanks for the useful article!

Thomas Bacon says:

August 26, 2018 at 12:36 pm

Yes it is, but as mentioned in this article: https://deliciousbrains.com/https-locally-without-browser-privacy-errors/ setting the common name is insufficient, you have to set it in the SAN Config file. For example: DNS.1 = *.domain.devAs a matter of fact I set this up so that I can use it for the purpose of making it super easy to setup local HTTPS. I just use the format of my-site.domain.dev, my-site-2.domain.dev, etc…

Reply

Benjamín Burgos says:

March 31, 2018 at 5:37 am

Geat article. Works like a charm. Thanks a lot!

EugeneX says:

April 12, 2018 at 3:45 am

Thanks a lot! Very nice post!

dobes_vandermeer says:

May 18, 2018 at 3:12 pm

I put this all together in a shell script you can run: https://gist.github.com/dobesv/13d4cb3cbd0fc4710fa55f89d1ef69be

Martin Reinke says:

June 12, 2018 at 11:23 am

I tried to get this working on Windows 10 the last two days. I could see, that the public key and the serial no in the certificate received by the browser was different from key and serial no produced by openssl. Only Firefox received the right key. In the end I found out, that the AVG Online Shield had manipulated part of the certificate and made it useless that way. After switching off the SSL trafic scan in AVG everything worked as it should. So keep your AV-Software in mind, when it is not working.

Keno Clayton says:

July 27, 2018 at 1:52 am

Thank you so much. After so many attempts with other articles I finally found success with yours 🙂 https://uploads.disquscdn.com/images/8fc70b87890c60e3e36246771017cd7b7528bfe708541dd26f8642107c9a4745.png

Enk says:

December 12, 2018 at 12:44 pm

Hello, can you tell me how you did it. I have wasted many hours trying to get by the NET::ERR_CERT_COMMON_NAME_INVALID on Chrome. I access my local at https://192.168.7.13/myapp and I set the DNS1 = myapp.domain.com but it doesn’t seems to work. Thanks.

Reply
- Keno Clayton says:
  
  December 27, 2018 at 5:17 pm
  
  Also why did you set your DNS1 to be myapp.domain.com? Your local server is 192.168.7.13 so I’d expect that to be your DNS1. Correct me if I’m mistaken.
  
  Reply
- Keno Clayton says:
  
  December 27, 2018 at 10:19 pm
  
  Hi, just saw your reply. All I did was follow the steps in the tutorial. Make sure you follow this part as it deals with defining the Subject Alternative Name (SAN) which is needed to fix the error you’re having. Let me know how it goes.
  
  Reply

Clinton Brits says:

September 23, 2018 at 11:09 am

Can you recommend an article on the basics of ssl itself? I have always used a self signed cert to to my sites and just ignore the warnings. I now want to implement a windows tcp app that uses ssl. There is provision for key file, cert file, and root cert. From your article i can get all 3 but im confused as to what goes where? Does the cert and key reside on the server side application and the root cert in the client application? On one article they say a normal cert authority’s root cert is added to new releases of browsers and then they say they are closely guarded?

Felix Ortego Perez says:

October 24, 2018 at 11:55 am

thanks a lot for the explanation

kingkool68 says:

October 25, 2018 at 10:07 pm

I see others have shared shell scripts that incorporates the commands in this article. So here’s my take https://github.com/kingkool68/generate-ssl-certs-for-local-development If you’re on a Mac it automatically copies the root certificate to Keychain saving you a step.

Lakshmeepathi says:

October 31, 2018 at 3:01 am

Thanks. Wonderful article. I have a question. I was under the impression that only the private key of the CA is used to sign ( sign our CSR / Public Key ). But here both the Private Key of CA and CA’s Public Certificate ( Root Certificate ) is used. Can it be further explained why both are needed in a simple manner or can it be understood only with the knowledge of cryptography ? Also why are you loading Private Key into KeyChain Access – in the article "Select your private key file (i.e. myCA.pem)"? Did you actually mean the CA’s certificate file ?

Lakshmeepathi says:

October 31, 2018 at 7:19 am

Shouldn’t the mentioning of SAN be done at the step of CSR creation as that seems more intuitive and appropriate – since CSR is the "request" shouldn’t it mention for what CN/SAN it wants the signature for?

Brandon Hubbard says:

November 10, 2018 at 5:16 am

Step 3, “3. Select your private key file (i.e. myCA.pem)”, should be “Select your root CA’s public certificate (i.e. myCA.pem)”.

Ryan Liu says:

November 12, 2018 at 7:57 am

Note that once you create a serial using the CAcreateserial you can use the serial again: openssl x509 -req -in dev.mergebot.com -CA myCA.pem -CAkey myCA.key -CAserial myCA.srl -days 1825 -extfile dev.mergebot.com.ext -out dev.mergebot.com.crt

SunShine says:

November 23, 2018 at 3:29 am

Can you make a youtube video of this and on Windows instead of mac

nomailme says:

December 3, 2018 at 5:56 am

Have been there, so I’ve created small test CA project: https://github.com/nomailme/TestAuthority It allows to issue test SSL certificates via REST API (or Swagger UI if you prefer). You can compile it and run in Win/Linux or as I prefer docker container

Enk says:

December 12, 2018 at 6:01 pm

https://uploads.disquscdn.com/images/12debafac146b971b4e188f60fcc873ea6c0a4fbdae967eef8e451d7a0c8d34b.png I am not sure what I did wrong, but I’ve tried almost everything and still got the NET::ERR_CERT_COMMON_NAME_INVALID error with the message "This server could not prove that it is 192.168.7.101; its security certificate is from kb.dci.com". My .ext is exactly the same as the article with the following DNS settings: DNS.1 = kb.dci.com DNS.2 = kb.dci.com.192.168.7.101.xip.io I am on CentOS 7 and my hostname is kb.dci.com. I create all the keys and certs in a custom directory (/etc/httpd/pki) and updated the ssl.cnf accordingly. Any suggestion would be appreciated. Thanks!

Tony Pedley says:

January 30, 2019 at 5:10 am

Nice article. Just to add a comment or two. It would be nice to add the SAN to the CSR, but there does not seem to be a valid way of doing it, so it has to go into the CA request. The biggest reason for us to become a CA, is that we are talking to embedded controllers that do not have a FQDN, only IP addresses. Regular CA’s will not generate a certificate for anything other than a domain name. As the CA we can generate a SAN with multiple IP addresses (IE for some reason demands the IP addresses to be DNS values, heh ho). Biggest issue as acting as your own CA, is security and certificate management i.s managing CRL, however for a local intranet, these area manageable

themaster says:

February 4, 2019 at 12:40 am

In Case I need to create a signed certificate for my locahost:port. Would I have to change the openssl genrsa -out dev.mergebot.com.key 2048 to openssl genrsa -out dev.localhost:8800.key 2048 ??

MikeSchinkel says:

April 25, 2019 at 6:19 am

ports don’t matter fyi it’s just the parent dns record

Reply

Bobby Gecko says:

February 27, 2019 at 2:49 pm

I recently attempted this setup and tried the steps outlined in both this post as well as numerous others – alas I had no success. I also tried TinyCA and RCA but both were really outdated and pretty much unusable. It took me a while but I finally found a reasonably well-made (and free) PKI management program (multi-platform) that uses a web interface so it’s considerably easier to use than openSSL via the command line (from what I understand however, the application does actually use openSSL underneath – so you could think of it as a front-end for openSSL). I did a breakdown on TLS basics as well as some tips for using the aforementioned tool on my blog at the link below. I hope this is as helpful for others as it was for me, now I have to go: there’s a moth in the room that’s about to get it… https://www.tech-jungle.com/setup-your-own-tls-certificate-authority-in-lieu-of-self-signed-certificates/

arvydasj says:

March 12, 2019 at 6:44 am

Important: if you want your CA certificate to work on Android properly, then add the following options when generating CA: openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem -reqexts v3_req -extensions v3_ca

Phillipp says:

April 2, 2019 at 4:45 am

When I import it on android, it shows up as an user certificate and not as a CA certificate. It also doesn’t show up under trusted access. Any tips on how to get it working?

Abidul Ramadan says:

November 7, 2019 at 1:54 am

you need to add the CA one (first one you generate) not the second one.

Reply
Abidul Ramadan says:

November 7, 2019 at 1:54 am

you need to add the CA one (first one you generate) not the second one.

Reply

B.R. says:

April 9, 2019 at 12:51 pm

Perfect! Thank you so much!

Elliott Vernon says:

April 27, 2019 at 1:43 pm

I have managed to create my own TLS certs using bare, arcane OpenSSL commands, with much help from https://jamielinux.com/docs/openssl-certificate-authority/. It’s pretty torturous. I read in the OpenSSL documentation that these commands were never intended as much more than a proof-of-concept, but people seem to be using them for real because HTTPS everywhere is the future. LetsEncrypt is great but you can’t use it on a private intranet, so… do we have much other choice?

Lyas Spiehler says:

May 2, 2019 at 4:41 am

https://certificatetools.com makes this very simple and generates the OpenSSL commands you can use to do it offline.

Firmwaree says:

June 4, 2019 at 12:56 pm

Hello, thansk for this tuto ! i created a self signed certificate for my internal load balancer ! i try to add it to aws acm but i still get this error "An error occurred (ValidationException) when calling the ImportCertificate operation: com.amazonaws.pki.acm.exceptions.external.ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain." even if i convert the cert and his key in pem format i still get the same error ! now i believe because it signed with my authority i need to provide a certificate chain ! How can i do it ? thanks

Anders Rørvik says:

October 8, 2019 at 10:58 am

Thanks so much for the tutorial Brad!

haptomatic says:

October 9, 2019 at 11:05 pm

Thanks for this guide, it’s been a huge help!! Everything was working fine until I formatted the Mac I generated everything from today. All I’ve done since then was import and trust the Root CA again in Keychain Access. Now when I visit something in Chrome, it will definitely find the certificate, but it says it’s been revoked. It’s weird though, because I remember specifically trusting the Root CA on an entirely different computer than the one I generated it from, in order to test it originally, and everything was fine. Will have to investigate that later to see if it still works. https://ibb.co/yh76z2B

Aymeric Robini says:

November 4, 2019 at 7:03 am

Since OS X Catalina, certificates with an expiration date greater than 825 days won’t be accepted ! So don’t forget to change the expiration date from the command line given in this article if you want it to work on the latest OS X versions 🙂

haptomatic says:

November 19, 2019 at 8:23 pm

Ah, thanks for the heads up on this! That’s probably why I’m having the issue that I posted about. It started right when I formatted for Catalina!

Reply

Mike Governale says:

December 17, 2019 at 9:14 pm

Great tutorial. I just want to let you you know that the certificates created by this CA doesn’t work on the latest versions of iOS and MacOS because you set the expiration of the certificates to be in 1825 days while apple now limits it to 825 days. here is a link to the requirements: https://support.apple.com/en-ca/HT210176

Brad says:

May 25, 2020 at 2:13 pm

Thanks, the article has been updated with this.

Reply

Allen Bradley says:

February 16, 2020 at 4:10 am

Thanks for the tutorial. I used the instructions to create a private key, cert, and ca to connect from Celery container to Redis container as required in hereBut I have problems to connect. Can I use certs that were generated in one environment in another environment? For example, I created the certs in localhost. Can I use them to connect from a Celery docker container to a Redis docker container? My specific question with more details is posted hereThanks

joshua ashley says:

February 28, 2020 at 2:38 pm

Great article my man

Hike Nalbandyan says:

March 17, 2020 at 4:02 am

This was super helpfull!! Thank you

nydame says:

May 11, 2020 at 6:17 am

Nice article. Next question, is there any way to distribute CA’s root cert to all windows machine joining the same domain? So we don’t have to install the root CA’s cert manually one-by-one.

jvanpelt says:

June 23, 2020 at 5:46 am

I just use ngrok, I know you can roll your own but it just works and that’s worth paying the annual fee for. Their tool that lets you inspect all traffic that goes through it is also great.

Jonathan Bossenger says:

June 23, 2020 at 5:48 am

Great article. I hope you don’t mind me sharing some links, but I was recommended this tool some time ago, and it greatly reduces the amount of set up work needed to get locally trusted SSL certs. https://github.com/FiloSottile/mkcert Once installed, and a cert generated for a specific test domain, all you have to do is configure the cert in your web server config, and you’re good to go. I wrote about the process for my Ubuntu development environment here https://jonathanbossenger.com/setting-up-trusted-ssl-certificates-for-local-development-using-mkcert-on-ubuntu-18-04-with-apache/

William says:

June 24, 2020 at 11:45 am

I’ve been using mkcert to handle CAs and local certificates. On, Mac it’s very simple to set up an CA – especially if you have homebrew installed: brew install mkcertmkcert -installThen for any domain(s) you need to make a cert for it’s as simple as: mkcert website.local localhost anything.local

Hannes says:

November 4, 2020 at 6:28 pm

just noticed that .srl file in the directory where i signed my Certificate Signing Request (CSR). the web told me this file contains a serial key that i need to provide to any other certificate signed with the same Certificate Authority (CA). i should do that with --CAserial .srl. is that correct? if so, it might be nice to add. thanks you for that well guided tutorial! hannes
source: http://www.gutizz.com/openssl-creates-ca-serial-file/

Bruce Lindsay says:

November 7, 2020 at 5:27 pm

I had luck getting the key created but the second step is killing me. I keep getting the following error:
Can’t open C:Program Files (x86)OpenSSLbin for reading, Permission denied
18756:error:02001005:system library:fopen:Input/output error:cryptobiobss_file.c:69:fopen(‘C:Program Files (x86)OpenSSLbin’,’rb’)
18756:error:2006D002:BIO routines:BIO_new_file:system lib:cryptobiobss_file.c:78:
18756:error:0E078002:configuration file routines:def_load:system lib:cryptoconfconf_def.c:170:
18756:error:02001005:system library:fopen:Input/output error:cryptobiobss_file.c:69:fopen(‘C:Program Files (x86)OpenSSLbin’,’r’)
18756:error:2006D002:BIO routines:BIO_new_file:system lib:cryptobiobss_file.c:78:
I’ve set the path and I can open OpenSSL from anywhere. I verified the config path in the environment variables. Anyone have any ideas?

Bruce Lindsay says:

November 7, 2020 at 5:27 pm

Bruce Lindsay says:

November 8, 2020 at 2:50 pm

Zilch, nada. Any help is appreciated. I have tried this any number of ways and can’t get past the following error:
C:Usersbruce>openssl genrsa -des3 -out private.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
………………………………..+++++
……………………………………………….+++++
e is 65537 (0x010001)
11188:error:02001005:system library:fopen:Input/output error:cryptobiobss_file.c:69:fopen(‘C:Program Files (x86)OpenSSLbin’,’rb’)
Enter pass phrase for private.pem:
Verifying – Enter pass phrase for private.pem:

Ross McKay says:

December 12, 2020 at 6:43 pm

This is something that I’ve been doing for ages, but when I mentioned it on a Slack channel a security expert told me how this could be used to MITM attack me if the CA cert keys were stolen. Pretty low risk, but huge impact if it happened — say hello to successful expert phishing attacks.
Apparently the way to fix this is by adding Name Constraints to the CA cert, restricting the domains that it can apply to. Here’s two discussions on how.
https://security.stackexchange.com/a/130674/218836
https://systemoverlord.com/2020/06/14/private-ca-with-x-509-name-constraints.html

Daniel Seuffer says:

December 28, 2020 at 1:31 pm

Finally my local certificates are working again. Thank you very much for this great post. I got stuck for some hours and walked through 4 other explanations before i ended up here. This morning i’ve encountered some cors issues because of cross domain session/cookie usage and so i had to solve my local ssl issues before i can go on. Here you can find my email (https://github.com/authanram), if you send me your paypal addy a donation link smth. similar, i will send you a few bucks. Thanks a lot.

drewrunolfsson says:

January 14, 2021 at 11:43 am

Thanks Bro , Recently added SSL on Client site https://migweldertech.com , You save my time.