-
Notifications
You must be signed in to change notification settings - Fork 87
How to get the "green padlock" with a new self signed certificate
Tested on Chrome on macOS. Feel free to add instructions to this page for Windows, Linux or other browsers.
-
Install openssl.
$ brew install openssl
-
Create an openssl config file, save it as
openssl.cnf
. The variables you might want to change are those within the[ req_distinguished_name ]
section and theDNS.2
value which you typically want set to your machine's fully-qualified domain name.[req] req_extensions = v3_req distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] C = GB O = lws CN = lws [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 127.0.0.1 IP.2 = ::1 DNS.1 = localhost DNS.2 = mbp.local
-
Create a private key
$ openssl genrsa -out private-key.pem 2048
-
Create a Certificate Request
$ openssl req -new -nodes -sha256 -key private-key.pem -out lws-csr.pem -config openssl.cnf
-
Sign the certificate yourself (rather than via a known Certificate Authority)
$ openssl x509 -req -sha256 -in lws-csr.pem -signkey private-key.pem -out lws-cert.pem -extfile openssl.cnf -extensions v3_req
You must add the new certificate to your machine's trusted certificate store. On macOS, this is done via the Keychain Assistant.
- Open Keychain Assistant
- Import the certificate
- Open it and select "Always trust"
$ lws --key private-key.pem --cert lws-cert.pem
Serving at https://mbp.local:8000, https://127.0.0.1:8000, https://192.168.0.100:8000
If you navigate to https://127.0.0.1:8000
you will now see the green lock.
- common name no longer supported in Chrome
- All cert components must be SHA256 (Chrome)
- Due to a long-running bug in
openssl
, must explicitly pass-extfile
andextensions
in order for the extensions to copy from the certificate request to the certificate. See here.