lafif-a
6/23/2017 - 6:36 PM
[Server][MacOs] Generate local SSL with SAN (Subject Alternative Name), works with Chrome 5.8+
[Server][MacOs] Generate local SSL with SAN (Subject Alternative Name), works with Chrome 5.8+
Generate local SSL with SAN
Since version 58, Chrome requires SSL certificates to use SAN (Subject Alternative Name) instead of the popular Common Name (CN), thus CN support has been removed.
To create SSL with SAN, use steps as follows
- Go to your target ssl directory (mine was
/etc/apache2/ssl) - Create
.conffile - Generate SSL
- Point the cert on your apache conf
- Restart apache
- Install cert on Keychain
Create .conf file
sudo nano testhttps.local.conf- add this config
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = New York
organizationName = Organization Name (eg, company)
organizationName_default = Example, LLC
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Example Company
emailAddress = Email Address
emailAddress_default = test@example.com
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = testhttps.local
Generate SSL
sudo openssl req -config testhttps.local.conf -new -sha256 -newkey rsa:2048 -nodes -keyout testhttps.local.key -x509 -days 365 -out testhttps.local.crt
- Running that command, you get asked a few questions:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:testhttps.local
Email Address []:
- Most of these questions weren’t important to answer for a dev environment certificate. The answers would show up when looking at the certificate information, but it didn’t have any impact on whether the browser deemed the site to be secure or not. In fact, the only question that really needed an answer was Common Name (CN). The answer to that question determined which domain the certificate was valid for
Point the cert on your apache conf
cd /etc/apache2/othersubl local.testhttps.conf- add
SSLCertificateFileandSSLCertificateKeyFile - example
<VirtualHost *:443>
ServerName testhttps.local
DocumentRoot "/Users/qutek/LocalServer/TEST/testhttps.local"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/testhttps.local.crt
SSLCertificateKeyFile /etc/apache2/ssl/testhttps.local.key
<Directory "/Users/qutek/LocalServer/TEST/testhttps.local">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
Restart apache
sudo apachectl restart
Install cert on Keychain
- Visit your site and open chrome developer tools
- Click "View Certificate"
- Drag and drop certificate to finder
- Double click the certificate
- Set the trust setting
Reference Deliciousbrains