Here's a brief summary of how to generate a self signed certificate for localhost. Basically, there are 3 steps.
Generate CA keys
# generate CA private key
openssl genrsa -out CA.key -des3 2048
# generate CA public key with private key
openssl req -x509 -sha256 -new -nodes -days 3650 -key CA.key -out CA.pem
Generate server keys for signing
# generate server private key
openssl genrsa -out localhost.key -des3 2048
# generate a signing request
openssl req -new -key localhost.key -out localhost.csr
# A certificate extensions file is needed to store server name related info
echo 'authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1' > localhost.ext
# A decrypted form of your private key is alos needed to load it in server
openssl rsa -in localhost.key -out localhost.decrypted.key
Sign server key with CA key
# sign signing request with CA private key for 397 days
openssl x509 -req -in localhost.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 397 -sha256 -extfile localhost.ext -out localhost.crt
# convert crt to pem public key
openssl x509 -in localhost.crt -out localhost.pem -outform PEM
# concat localhost pem with CA pem, this is your server public key
cat CA.pem >> localhost.pemWhy 397 days?
The server licensed to 397 days to avoid chrome with this error: ERR_CERT_VALIDITY_TOO_LONG.
To avoid the risk of misissuance, such as due to leap seconds or CA-configured randomization, CAs SHOULD issue such server certificates with validity periods of 397 days or less.
How to Get SSL HTTPS for Localhost
In this article we cover how to provision SSL certificates for local servers. We will set the CA and use it to sign the SSL certificate. We will also change the browser settings and the API client settings for them to accept the certificate.
Lewel Murithi