How to get the "green padlock" with a new self signed certificate

Lloyd Brookes edited this page Jul 7, 2017 · 5 revisions

Tested on Chrome on macOS.

Steps

  1. Install openssl.

    $ brew install openssl

  2. Create an openssl config file and save it as openssl.cnf. DNS.2 is this machine's local host name; replace mbp.local with your own.

    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    prompt = no
    
    [ req_distinguished_name ]
    
    C = GB
    O = lws
    CN = lws
    
    [ v3_req ]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    IP.1 = 127.0.0.1
    IP.2 = ::1
    DNS.1 = localhost
    DNS.2 = mbp.local
    
  3. Create a private key

    $ openssl genrsa -out private-key.pem 2048

  4. Create a Certificate Request

    $ openssl req -new -nodes -sha256 -key private-key.pem -out lws-csr.pem -config openssl.cnf

  5. Create a self-signed certificate

    $ openssl x509 -req -sha256 -in lws-csr.pem -signkey private-key.pem -out lws-cert.pem -extfile openssl.cnf -extensions v3_req

  6. Set macOS to always trust the certificate.

    1. Open Keychain Access
    2. Import the certificate
    3. Open it and select "Always Trust"
  7. Launch lws

    $ lws --key private-key.pem --cert lws-cert.pem
    Serving at https://mbp.local:7990, https://127.0.0.1:7990, https://192.168.0.100:7990
    
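Steps 2 to 5 as one script, with a check that the resulting certificate actually has what Chrome needs before you import it. This is an added example, not part of the lws wiki or the lws project; it assumes the host name mbp.local from the config above and writes into a temporary directory unless WORKDIR is set.

```shell
# Added example (not from the lws wiki): run steps 2-5 above, then check
# the certificate has what Chrome requires before importing it.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 2: the openssl.cnf from the page (host name mbp.local assumed).
write_config() {
    cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = GB
O = lws
CN = lws
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = ::1
DNS.1 = localhost
DNS.2 = mbp.local
EOF
}

# Steps 3-5: key, CSR, self-signed cert; -extfile/-extensions are required
# or the SAN from the CSR is silently dropped (see Notes).
make_cert() {
    write_config
    openssl genrsa -out "$WORKDIR/private-key.pem" 2048 2>/dev/null
    openssl req -new -nodes -sha256 -key "$WORKDIR/private-key.pem" \
        -out "$WORKDIR/lws-csr.pem" -config "$WORKDIR/openssl.cnf"
    openssl x509 -req -sha256 -in "$WORKDIR/lws-csr.pem" \
        -signkey "$WORKDIR/private-key.pem" -out "$WORKDIR/lws-cert.pem" \
        -extfile "$WORKDIR/openssl.cnf" -extensions v3_req 2>/dev/null
}

# Returns 0 only if the cert is signed with SHA-256 and carries the SAN
# entries and CA:FALSE; anything else and Chrome will not show the padlock.
check_cert() {
    text=$(openssl x509 -in "$WORKDIR/lws-cert.pem" -noout -text)
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    echo "$text" | grep -q 'DNS:localhost' || return 1
    echo "$text" | grep -q 'IP Address:127.0.0.1' || return 1
    echo "$text" | grep -q 'CA:FALSE' || return 1
}
```

Run `make_cert && check_cert && echo ok`; if check_cert fails, the SAN or signature algorithm is missing and the Keychain import will not give you the padlock.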

Notes

  • Chrome no longer matches the host name against the Common Name (CN); the name or IP must appear in subjectAltName.
  • All certificate components must be SHA-256 (Chrome rejects SHA-1 signatures).
  • Due to a long-running bug in openssl, you must explicitly pass -extfile and -extensions, otherwise the extensions (including subjectAltName) in the certificate request are not copied to the certificate.
  • Only the names and addresses listed in alt_names are trusted. In the output above, 192.168.0.100 is not in the list, so that URL will still warn; add it as a further IP.n entry if you want to reach the server from another machine.