lafif-a
6/23/2017 - 6:36 PM

[Server][MacOs] Generate local SSL with SAN (Subject Alternative Name), works with Chrome 58+

Generate local SSL with SAN

Since version 58, Chrome requires SSL certificates to carry the hostname in the SAN (Subject Alternative Name) extension rather than only in the popular Common Name (CN) field; matching on the CN alone is no longer supported.

To create an SSL certificate with a SAN, follow these steps:

  • Go to your target SSL directory (mine was /etc/apache2/ssl)
  • Create .conf file
  • Generate SSL
  • Point the cert on your apache conf
  • Restart apache
  • Install cert on Keychain

Create .conf file

  • sudo nano testhttps.local.conf
  • add this config (DNS.1 under [ alternate_names ] is the hostname the certificate will be valid for):
[ req ]

default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]

countryName                 = Country Name (2 letter code)
countryName_default         = US

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName                = Locality Name (eg, city)
localityName_default        = New York

organizationName            = Organization Name (eg, company)
organizationName_default    = Example, LLC

commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = Example Company

emailAddress                = Email Address
emailAddress_default        = test@example.com

[ x509_ext ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alternate_names
nsComment              = "OpenSSL Generated Certificate"

[ req_ext ]

subjectKeyIdentifier = hash

basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1       = testhttps.local

Generate SSL

sudo openssl req -config testhttps.local.conf -new -sha256 -newkey rsa:2048 -nodes -keyout testhttps.local.key -x509 -days 365 -out testhttps.local.crt
  • Running that command, you get asked a few questions:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:testhttps.local
Email Address []:
  • Most of these questions weren't important to answer for a dev environment certificate. The answers show up when looking at the certificate information, but they have no impact on whether the browser deems the site secure. In fact, the only question that really needed an answer was Common Name (CN); the answer to that question determined which domain the certificate was valid for.
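A non-interactive variant of the generate step, as an added example that is not part of the gist: it writes a trimmed copy of the .conf above (subject taken from the file via prompt = no, hostname placed in subjectAltName), generates the certificate, and then checks that the SAN extension actually lists the hostname, which is the property Chrome 58+ verifies. The hostname and output directory are parameters; it assumes the openssl CLI is on PATH.

```shell
# gen_san_cert HOST OUTDIR: writes OUTDIR/HOST.key and OUTDIR/HOST.crt with DNS:HOST in the SAN.
# Assumes the openssl CLI is on PATH (added example, not the gist's own script).
gen_san_cert() {
    host="$1"; outdir="$2"
    mkdir -p "$outdir"
    # Trimmed version of the gist's .conf: prompt = no takes the subject from
    # [ subject ] so the command runs without questions; the hostname goes in
    # subjectAltName, which is what Chrome 58+ matches against.
    cat > "$outdir/$host.conf" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = subject
x509_extensions    = x509_ext
prompt             = no

[ subject ]
CN = $host

[ x509_ext ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = DNS:$host
EOF
    openssl req -config "$outdir/$host.conf" -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$outdir/$host.key" -x509 -days 365 -out "$outdir/$host.crt" 2>/dev/null
}

# gen_cn_only_cert HOST OUTDIR: the pre-Chrome-58 style, hostname in CN only, no SAN.
gen_cn_only_cert() {
    mkdir -p "$2"
    openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$2/$1-cnonly.key" -out "$2/$1-cnonly.crt" 2>/dev/null
}

# cert_has_san CRT HOST: exit 0 only if the SAN extension lists DNS:HOST.
# Worth running before restarting Apache; a CN-only certificate fails this check.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -q "DNS:$2"
}
```

Usage: `gen_san_cert testhttps.local /etc/apache2/ssl && cert_has_san /etc/apache2/ssl/testhttps.local.crt testhttps.local && echo "SAN ok"`.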

Point the cert on your apache conf

  • cd /etc/apache2/other
  • subl local.testhttps.conf
  • add SSLCertificateFile and SSLCertificateKeyFile, for example:
<VirtualHost *:443>
    ServerName testhttps.local
    DocumentRoot "/Users/qutek/LocalServer/TEST/testhttps.local"

    SSLEngine on
    # This cipher string is the old macOS default; it also permits eNULL, LOW,
    # EXP and SSLv2 suites, so tighten it (e.g. HIGH:!aNULL:!MD5) for anything
    # beyond a throwaway local dev server. It has no effect on the SAN check.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/testhttps.local.crt
    SSLCertificateKeyFile /etc/apache2/ssl/testhttps.local.key

    <Directory "/Users/qutek/LocalServer/TEST/testhttps.local">
        Options Indexes FollowSymLinks
        AllowOverride All
        # Order/Allow are Apache 2.2 syntax (need mod_access_compat on 2.4);
        # Require all granted is the Apache 2.4 equivalent.
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

Restart apache

  • sudo apachectl restart

Install cert on Keychain

  • Visit your site and open Chrome Developer Tools
  • Click "View Certificate"
  • Drag and drop the certificate to Finder
  • Double click the certificate
  • Set the trust setting

Reference: Deliciousbrains