Here is a quick trick you can use to make sure your browsers accept self-generated SSL certificates on OS X. Recently one of the team working on the football tipster site I run was explaining how they were having issues getting some service workers working.
Create an SSL certificate for Apache TIP: To quickly get started with HTTPS and SSL, follow these instructions to. You can also. OpenSSL is required to create an SSL certificate.
A certificate request can then be sent to a certificate authority (CA) to get it signed into a certificate, or if you have your own certificate authority, you may sign it yourself, or you can use a self-signed certificate (because you just want a test certificate or because you are setting up your own CA). NOTE: OpenSSL will typically already be installed on Linux and Mac OS X. If not installed, install it manually using your operating system’s package manager. Follow the steps below:. Generate a new private key: $ sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048.
Create a certificate: $ sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr IMPORTANT: Enter the server domain name when the above command asks for the “Common Name”. Send cert.csr to the certificate authority. When the certificate authority completes their checks (and probably received payment from you), they will hand over your new certificate to you. Until the certificate is received, create a temporary self-signed certificate: $ sudo openssl x509 -in /opt/bitnami/apache2/conf/cert.csr -out /opt/bitnami/apache2/conf/server.crt -req -signkey /opt/bitnami/apache2/conf/server.key -days 365. Back up your private key in a safe location after generating a password-protected version as follows: $ sudo openssl rsa -des3 -in /opt/bitnami/apache2/conf/server.key -out privkey.pem Note that if you use this encrypted key in the Apache configuration file, it will be necessary to enter the password manually every time Apache starts.
Regenerate the key without password protection from this file as follows: $ sudo openssl rsa -in privkey.pem -out /opt/bitnami/apache2/conf/server.key Find more information about certificates at.
Step 1: Verify that you have openssl installed. $ which openssl /usr/bin/openssl $ If not, install openssl using: $ brew install openssl $ If you are using Microsoft(r) Windows, checkout for details about the openssl package on Windows. If you using Linux, you can use the default package manager to get the openssl package installed on your box. For example: # In case of Ubuntu: $ sudo apt-get install openssl $ Step 2: Create a RSA private key. # The below command will create a file named 'server.pass.key' and place it in the same folder where the command is executed. $ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 # The below command will use the 'server.pass.key' file that just generated and create 'server.key'. $ openssl rsa -passin pass:x -in server.pass.key -out server.key # We no longer need the 'server.pass.key' $ rm server.pass.key $ server.key is a PEM RSA private key.
To know more about what is a PEM file and it’s significance, read at. Step 3: Create the Certificate Signing Request (CSR) utilizing the RSA private key we generated in the last step. # The below command will ask you for information that would be included in the certificate. Since this is a self-signed certificate, there is no need to provide the 'challenge password' (to leave it blank, press enter). $ openssl req -new -key server.key -out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.'
, the field will be left blank. Country Name (2 letter code) AU: State or Province Name (full name) Some-State: Locality Name (eg, city) : Organization Name (eg, company) Internet Widgits Pty Ltd: Organizational Unit Name (eg, section) : Common Name (e.g. Server FQDN or YOUR name) : Email Address : Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name : $ The ‘challenge password’ is used by the Certificate Authority (CA) to authenticate the certificate owner when they have to revoke the certificate. There is no way to revoke a Self-Signed Certificate via Certificate Revocation List (CRL) (refer: As a result of executing the above command, you will find a file named server.csr (‘csr’ stands for Certificate Signing Request) in the same directory.
Step 4: Generate a file named, v3.ext with the below listed contents: $ cat v3.ext authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @altnames altnames DNS.1 = $ This step is required because when you load the certificate in the Chrome browser, it would display an error portrayed in the below screenshot. Setting the DNS.1 value in v3.ext file to be same as the Common Name that you mentioned while generating the certificate signing request would resolve the error. Refer for more details about the subject alternate name missing error and the solution. Create the SSL Certificate utilizing the CSR created in the last step. $ openssl x509 -req -sha256 -extfile v3.ext -days 365 -in server.csr -signkey server.key -out server.crt Signature ok subject=/C=/ST=/L=/O=/OU=/CN=/emailAddress= Getting Private key $ The above command will use the Certificate Signing Request and the RSA Private Key that we generated as part of executing the previous steps and generate a Certificate file named, server.crt (‘crt’ is an abbreviation of ‘Certificate’) and place it in the same directory.
Step 5: Import the newly generated certificate in your Keychain (Mac OSX only). Since this is a self-signed certificate, the browser would display a warning mentioning that the certificate is self-signed and the website should not be trusted as portrayed in the below-listed screenshot captured on the Chrome browser. Click the Advanced hyperlink at the bottom of the warning page and click Proceed to hyperlink. The browser will allow you to proceed and open the homepage but will mark the site as Not-Secure as portrayed in the image below. To avoid this accepting the self-signed certificate everytime you restart chrome or restart your web server, follow the steps outlined at to add the certificate to your Mac OSX Keychain. Restart Chrome.
Other platforms like Microsoft(r) Windows and Linux have similar techniques to import a certificate into a browser. A quick Google(r) search should be able to provide you with the exact steps based on the browser that you use. Now Chrome should happily display the green ‘Secure’ icon against the URL when you navigate to your locally deployed website. Also, the Security tab within the Developer Tools should list the site as ‘Secure’ as portrayed in the screenshot below. References:.