Creating an SSL certificate is a lot harder than I thought! Even after I managed to generate one I ran into ERR_SSL_PROTOCOL_ERROR and other errors in Chrome. To add to my misery there were many commands to run and prompts to answer. I managed to boil it all down to a single command that takes its info from a config file.
[ req ]
prompt = no
default_bits = 2048
default_keyfile = mysite.local.key
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only

[ subject ]
countryName = US
stateOrProvinceName = California
localityName = Carlsbad
organizationName = MyCompany
commonName = mysite.local
emailAddress = [email protected]

[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1 = mysite.local
DNS.2 = localhost
DNS.3 = 127.0.0.1
IP.1 = 127.0.0.1
IP.2 = ::1
Make sure to add the commonName to the list of alternate names. This is where Chrome gets really picky and causes errors: it matches the requested hostname against the subjectAltName entries, not the commonName. If you're setting up virtual hosts with multiple hostnames, add them all in the alternate names section. Remember to add the last four entries above to make sure everything works without a hitch.
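Because a missing SAN entry only shows up as a browser error after the certificate is already generated, a small pre-flight check of the config is worth having. The following is an added example, not part of the original post: it parses an ssl.conf in the format above (stdlib only) and reports a commonName that is absent from the section referenced by subjectAltName, an IP literal placed under a DNS.* key, and a basicConstraints that is not CA:FALSE. The embedded config is a constructed, trimmed-down sample.

```python
import configparser
import ipaddress
# Constructed sample, not the post's full ssl.conf: the commonName is missing from
# [alternate_names] and an IP literal sits under a DNS key, so both checks fire.
SAMPLE_CONF = """[ req ]
prompt = no
distinguished_name = subject
x509_extensions = x509_ext
[ subject ]
commonName = mysite.local
[ x509_ext ]
basicConstraints = CA:FALSE
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = localhost
DNS.2 = 127.0.0.1
IP.1 = 127.0.0.1
"""

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_conf(text):
    """Return findings for an openssl req config; an empty list means it passes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep key case: commonName, DNS.1
    cp.read_string(text)
    conf = {s.strip(): dict(cp[s]) for s in cp.sections()}
    req = conf.get("req", {})
    cn = conf.get(req.get("distinguished_name", ""), {}).get("commonName")
    ext = conf.get(req.get("x509_extensions", ""), {})  # section used by req -x509
    findings = []
    if ext.get("basicConstraints", "").upper() != "CA:FALSE":
        findings.append("error: basicConstraints must be CA:FALSE for a leaf certificate")
    san_ref = ext.get("subjectAltName", "")
    if not san_ref.startswith("@"):
        return findings + ["error: x509_extensions has no subjectAltName = @section"]
    san = conf.get(san_ref[1:], {})
    dns = {k: v for k, v in san.items() if k.startswith("DNS.")}
    if cn not in dns.values():
        findings.append(f"error: commonName {cn!r} is not a DNS entry in [{san_ref[1:]}]")
    findings += [f"warning: {k} = {v} is an IP literal; browsers match IPs against IP.* entries"
                 for k, v in dns.items() if is_ip(v)]
    return findings
```

Run `lint_conf(open("ssl.conf").read())` before generating; an empty list means the SAN section already covers the commonName.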
Once you have this all saved in a file named ssl.conf, for example, just run the command below to generate a key and certificate file in one go.
openssl req -nodes -new -x509 -config ssl.conf -keyout kinsta.local.key -out kinsta.local.crt
It's important to keep in mind that the -nodes flag leaves the private key unencrypted, with no passphrase, which makes this insecure for production use. If you want a passphrase-protected key (you should in production) you can still do so easily in two steps: generate the key and a signing request, then self-sign the request with that key.
openssl req -new -config ssl.conf -keyout kinsta.local.key -out kinsta.local.csr
openssl x509 -req -in kinsta.local.csr -signkey kinsta.local.key -extfile ssl.conf -extensions x509_ext -out kinsta.local.crt

The -keyout flag names the key file so it matches the -signkey argument of the second command (without it the key is written to the default_keyfile from ssl.conf). The -extfile/-extensions pair is needed because openssl x509 -req does not copy the subjectAltName from the request into the certificate on its own, and Chrome rejects a certificate without it.
The final step of the process is to add the certificate file as a trusted certificate to your system. In OSX you can double-click the certificate file in Finder to add it to your keychain. Find it in the keychain, double-click it, open the Trust section and set it to Always Trust.
On Windows, double-click the file and click "Install Certificate…". Change the default store location to "Local Machine" and click Next. Select "Place all certificates in the following store" and choose "Trusted Root Certification Authorities" from the list. Then click Next and Finish.