
How to get the "green padlock" with a new self signed certificate

Lloyd Brookes edited this page Jul 7, 2017 · 5 revisions

Tested on Chrome on macOS. Feel free to add instructions to this page for Windows, Linux or other browsers.

Create a new self-signed certificate

  1. Install openssl.

    $ brew install openssl

  2. Create an openssl config file and save it as openssl.cnf. The values you might want to change are those in the [ req_distinguished_name ] section and the DNS.2 entry, which you will typically want set to your machine's fully-qualified domain name.

    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    prompt = no
    
    [ req_distinguished_name ]
    
    C = GB
    O = lws
    CN = lws
    
    [ v3_req ]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    IP.1 = 127.0.0.1
    IP.2 = ::1
    DNS.1 = localhost
    DNS.2 = mbp.local
    
  3. Create a private key

    $ openssl genrsa -out private-key.pem 2048

  4. Create a Certificate Request

    $ openssl req -new -nodes -sha256 -key private-key.pem -out lws-csr.pem -config openssl.cnf

  5. Sign the certificate yourself (rather than via a known Certificate Authority)

    $ openssl x509 -req -sha256 -in lws-csr.pem -signkey private-key.pem -out lws-cert.pem -extfile openssl.cnf -extensions v3_req
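As an added example (not part of the lws project or of the original instructions on this page), the script below runs steps 2 to 5 in a scratch directory and then inspects the resulting certificate for the two things the Notes section says Chrome needs: the subjectAltName entries (which also proves the extensions were copied from the request) and a SHA-256 signature. It assumes openssl is on the PATH and reuses the file names from this page.

```shell
#!/bin/sh
# Added example: reproduce steps 2-5 and verify the certificate properties
# Chrome checks. Assumes an openssl binary on the PATH.
set -eu

# Step 2: write the openssl.cnf shown above into the current directory.
write_config() {
    cat > openssl.cnf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = GB
O = lws
CN = lws
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = ::1
DNS.1 = localhost
DNS.2 = mbp.local
EOF
}

# Steps 3-5: private key, CSR, self-signed cert with extensions passed explicitly.
make_cert() {
    openssl genrsa -out private-key.pem 2048 2>/dev/null
    openssl req -new -nodes -sha256 -key private-key.pem -out lws-csr.pem -config openssl.cnf
    openssl x509 -req -sha256 -in lws-csr.pem -signkey private-key.pem \
        -out lws-cert.pem -extfile openssl.cnf -extensions v3_req 2>/dev/null
}

# Returns 0 only if the SAN names are present and the signature is SHA-256.
# A missing SAN means -extfile/-extensions were not honoured (see Notes).
check_cert() {
    text=$(openssl x509 -in lws-cert.pem -noout -text)
    echo "$text" | grep -q 'DNS:localhost' || return 1
    echo "$text" | grep -q 'DNS:mbp.local' || return 1
    echo "$text" | grep -q 'sha256WithRSAEncryption' || return 1
}

cd "$(mktemp -d)"
write_config
make_cert
check_cert && echo "OK: SAN present and SHA-256 signature in $PWD/lws-cert.pem"
```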

Trust the certificate (macOS)

You must add the new certificate to your machine's trusted certificate store. On macOS, this is done via the Keychain Assistant.

  1. Open Keychain Assistant
  2. Import the certificate
  3. Open it and select "Always trust"

Launch the secure server

    $ lws --key private-key.pem --cert lws-cert.pem
    Serving at https://mbp.local:8000, https://127.0.0.1:8000, https://192.168.0.100:8000

If you navigate to https://127.0.0.1:8000 you will now see the green padlock.

Notes

  • Chrome no longer matches the host name against the certificate's Common Name (CN); the names must be listed in subjectAltName, as in the [alt_names] section above.
  • Every certificate in the chain must be signed with SHA-256 (Chrome).
  • Due to a long-running bug in openssl, you must explicitly pass -extfile and -extensions, otherwise the extensions in the certificate request are not copied to the certificate. See here.