How to get the "green padlock" with a new self signed certificate
Lloyd Brookes edited this page Jul 7, 2017 · 5 revisions
Tested on Chrome on macOS.
- Install openssl.

  ```
  $ brew install openssl
  ```

- Create an openssl config file, save it as `openssl.cnf`.

  ```
  [req]
  req_extensions = v3_req
  distinguished_name = req_distinguished_name
  prompt = no

  [ req_distinguished_name ]
  C = GB
  O = lws
  CN = lws

  [ v3_req ]
  # Extensions to add to a certificate request
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  subjectAltName = @alt_names

  [alt_names]
  IP.1 = 127.0.0.1
  IP.2 = ::1
  DNS.1 = localhost
  DNS.2 = mbp.local
  ```

- Create a private key

  ```
  $ openssl genrsa -out private-key.pem 2048
  ```

- Create a Certificate Request

  ```
  $ openssl req -new -nodes -sha256 -key private-key.pem -out lws-csr.pem -config openssl.cnf
  ```

- Create a self-signed certificate

  ```
  $ openssl x509 -req -sha256 -in lws-csr.pem -signkey private-key.pem -out lws-cert.pem -extfile openssl.cnf -extensions v3_req
  ```

- Set macOS to always trust the certificate.
  - Open Keychain Assistant
  - Import the certificate
  - Open it and select "Always trust"

- Launch lws

  ```
  $ lws --key private-key.pem --cert lws-cert.pem
  Serving at https://mbp.local:7990, https://127.0.0.1:7990, https://192.168.0.100:7990
  ```

- The common name is no longer supported in Chrome; the hostnames and IP addresses the server is reached by must be listed in `subjectAltName`.
- All cert components must be SHA256 (Chrome).
- Due to a long-running bug in `openssl`, you must explicitly pass `-extfile` and `-extensions` in order for the extensions to copy from the certificate request to the certificate. See here.
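
The notes above can be checked before the certificate is imported into the keychain. The following is an added example, not part of the original page or the lws project: `check_cert` and `make_demo_certs` are hypothetical helper names, and the config inside `make_demo_certs` is a constructed, trimmed version of the one above.

```shell
#!/bin/sh
# check_cert CERT ENTRY...  returns 0 only if CERT is SHA-256 signed and its
# subjectAltName lists every ENTRY, e.g. DNS:localhost "IP Address:127.0.0.1".
check_cert() {
    cert=$1; shift
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "FAIL: $cert is not signed with SHA-256" >&2; return 1; }
    # The SAN entries are on the line after the extension's header in -text output.
    san=$(printf '%s\n' "$text" |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;s/ *$//;p;}')
    [ -n "$san" ] || { echo "FAIL: $cert has no subjectAltName" >&2; return 1; }
    for entry in "$@"; do
        case ", $san," in
            *", $entry,"*) ;;
            *) echo "FAIL: $cert lacks $entry" >&2; return 1 ;;
        esac
    done
}

# make_demo_certs DIR  repeats the page's steps in DIR with a constructed,
# trimmed config: with-ext.pem passes -extfile/-extensions, no-ext.pem omits them.
make_demo_certs() {
    ( cd "$1" || exit 1
      cat > openssl.cnf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = lws
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
EOF
      openssl genrsa -out private-key.pem 2048 2>/dev/null &&
      openssl req -new -nodes -sha256 -key private-key.pem -out lws-csr.pem -config openssl.cnf &&
      openssl x509 -req -sha256 -in lws-csr.pem -signkey private-key.pem \
          -out with-ext.pem -extfile openssl.cnf -extensions v3_req 2>/dev/null &&
      openssl x509 -req -sha256 -in lws-csr.pem -signkey private-key.pem \
          -out no-ext.pem 2>/dev/null )
}

# Stand-alone use: sh check-cert.sh lws-cert.pem DNS:localhost DNS:mbp.local
if [ "$#" -gt 0 ]; then check_cert "$@"; fi
```

`openssl` prints an IPv6 entry such as `::1` in expanded form (`IP Address:0:0:0:0:0:0:0:1`), so pass it to `check_cert` in that form.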