nix, shell, perl, php, mysql and mac os x tips and tricks

Sunday, July 2, 2017

Create Self-Signed Cert on OSX and tell the OS to trust it

Not as easy as you might think. Let's say you wanted to create a self-signed cert for a local domain called "my.webtool"... First create a file called v3.ext with these contents:
# v3.ext: X.509 v3 extensions to put on the self-signed certificate
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = my.webtool
DNS.2 = localhost
# an IP address belongs in an IP entry, not a DNS entry, or browsers will not match it
IP.1 = 127.0.0.1
Then run these commands. This assumes you have OpenSSL installed:
# generate a passphrase-protected 2048-bit RSA key (passphrase "x")...
openssl genrsa -des3 -passout pass:x -out my.webtool.pass.key 2048
# ...and strip the passphrase so the server can load the key unattended
openssl rsa -passin pass:x -in my.webtool.pass.key -out my.webtool.key
rm my.webtool.pass.key
# certificate signing request (you will be prompted for the subject fields; use my.webtool as the Common Name)
openssl req -new -key my.webtool.key -out my.webtool.csr
# self-sign the request, attaching the extensions from v3.ext
openssl x509 -req -days 1000 -in my.webtool.csr -signkey my.webtool.key -out my.webtool.crt -extfile v3.ext
Then install the .key and .crt files in whatever server you're running. THEN you have to tell your system to trust the certificate: import it into your keychain AND change the "trust" settings on it. See http://www.accuweaver.com/2014/09/19/make-chrome-accept-a-self-signed-certificate-on-osx/

Update! This appears to be doable in one shot (bash, since it uses process substitution):
openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout yarr.mydev.com.key \
-new \
-out yarr.mydev.com.crt \
-subj /CN=yarr.mydev.com \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/ssl/openssl.cnf \
    <(printf '[SAN]\nsubjectAltName=DNS:yarr.mydev.com,IP:192.168.56.101')) \
-sha256 \
-days 3650
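As an added example (not from the original post), here is the same recipe wrapped in shell functions, plus the checks worth running before you click "Always Trust": that the SAN really carries the name and the IP, that the cert is not a CA, and that it has the serverAuth EKU and a validity of at most 825 days, which Apple has required of TLS server certs since 2019. The name my.webtool, the address 127.0.0.1, the ./certs directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands. Generates a self-signed server
# cert for a local name with a proper SAN, then verifies what browsers check.
set -eu

# make_selfsigned_cert NAME IP OUTDIR -> writes OUTDIR/NAME.key and OUTDIR/NAME.crt
make_selfsigned_cert() {
    name="$1"; ip="$2"; dir="$3"
    mkdir -p "$dir"
    # Same extensions as the post's v3.ext, except: the IP goes under IP.*, and
    # extendedKeyUsage=serverAuth is added because macOS requires it for TLS trust.
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $name
DNS.2 = localhost
IP.1 = $ip
EOF
    # Unencrypted key from the start, so no passout/passin round trip is needed.
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
    # 825 days is the longest validity macOS accepts for a TLS server cert.
    openssl x509 -req -days 825 -sha256 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -extfile "$dir/v3.ext" -out "$dir/$name.crt" 2>/dev/null
}

# check_cert CRT NAME IP -> 0 if SAN, CA flag, EKU and self-signature are right;
# otherwise prints the first failing check on stderr and returns 1.
check_cert() {
    crt="$1"; name="$2"; ip="$3"
    text=$(openssl x509 -in "$crt" -noout -text)
    printf '%s\n' "$text" | grep -q "DNS:$name"        || { echo "missing DNS SAN" >&2; return 1; }
    printf '%s\n' "$text" | grep -q "IP Address:$ip"   || { echo "missing IP SAN" >&2; return 1; }
    printf '%s\n' "$text" | grep -q "CA:FALSE"         || { echo "cert is a CA" >&2; return 1; }
    printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || { echo "no serverAuth EKU" >&2; return 1; }
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || { echo "self-signature check failed" >&2; return 1; }
}

# trust_cert_macos CRT -> command-line equivalent of the Keychain Access "Always Trust" click
trust_cert_macos() {
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$1"
}

if [ "${1:-}" = "run" ]; then
    make_selfsigned_cert my.webtool 127.0.0.1 ./certs
    check_cert ./certs/my.webtool.crt my.webtool 127.0.0.1 && echo "cert looks good"
fi
```

Run it as `sh make-cert.sh run`, then point your server at certs/my.webtool.key and certs/my.webtool.crt and call trust_cert_macos on the .crt.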
