Creating an SSL certificate is a lot harder than I thought! Even after I managed to generate one I ran into ERR_SSL_PROTOCOL_ERROR and other errors on Chrome. To add to my misery there were many commands to run and prompts to answer. I managed to boil it all down to a single command that takes its info from a config file.

[ req ]
prompt              = no
default_bits        = 2048
default_keyfile     = mysite.local.key
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]
countryName            = US
stateOrProvinceName    = California
localityName           = Carlsbad
organizationName       = MyCompany
commonName             = mysite.local
emailAddress           = [email protected]

[ x509_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment               = "OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier     = hash
basicConstraints         = CA:FALSE
keyUsage                 = digitalSignature, keyEncipherment
subjectAltName           = @alternate_names
nsComment                = "OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1       = mysite.local
DNS.2       = localhost
DNS.3       = 127.0.0.1
IP.1        = 127.0.0.1
IP.2        = ::1

Make sure to add the commonName to the list of alternate names. This is where Chrome gets really picky and causes errors. If you’re setting up virtual hosts with multiple names hosts add them all in the alternate names section. Remember to add the last four above to make sure everything works without a hitch.

Once you have this all saved in a file named ssl.conf for example, just run the command below to generate a key and certificate file in one go.

openssl req -nodes -new -x509 -config ssl.conf -keyout kinsta.local.key -out kinsta.local.crt

It’s important to keep in mind that a passphrase is not used to generate the key/crt file, making this insecure for production use. If you want to use a passphrase (you should in production) you can still do so easily in two steps:

openssl req -new -config ssl.conf -out kinsta.local.csr
openssl x509 -req -in kinsta.local.csr -signkey kinsta.local.key -out kinsta.local.crt

The final step of the process is to add the certificate file as a trusted certificate to your system. In OSX you can double click the certificate file in Finder to add it to your keychain. Find it in the keychain, click it twice and open the Trust section and set to always trust.

On Windows double click on this file and click on “Install Certificate…” Change the default store location to “Local Machine” and click Next. Select “Place all certificates in the following store” and choose “Trusted Root Certification Authorities” from the list. Then click next and finish.