Generate a self-signed ssl certificate

self-signed.sh

#!/usr/bin/env bash

# The "Common Name (CN)" can be "example.com" or "*.example.com www.example.com"
# This command should be executed in non-root mode

domain="$1"

if [ -z "$domain" ]; then
  echo "need domain parameter"
  exit 1
fi

san=$(cat <<-END
[SAN]
  subjectAltName=@alt_names
 [alt_names]
   DNS.1=$domain
 END
 )
 
 openssl req \
   -newkey rsa:2048 \
   -x509 \
   -nodes \
   -keyout "${domain}.key" \
   -new \
   -out "${domain}.crt" \
   -reqexts SAN \
   -extentions SAN \
   -config <(cat /System/Library/OpenSSL/openssl.cnf \
     <(echo "$san")) \
   -sha256 \
   -days 365

1. Configure the nginx

server {
  listen 443 ssl;
  server_name example.com;

  ssl_certificate /etc/ssl/private/example.com.crt;
  ssl_certificate_key /etc/ssl/private/example.com.key;
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
  ssl_protocols TLSv1.1 TLSv1.2;

  # ...
}

2. Import the cert into "Keychain Access" and select "Always Trust"
3. Open "Keychain Access" app.
4. Select "System" in keychains.
5. Select "Certificates" in Category.
6. Click "Import Items" in File menu.
7. Select the generated cert *.crt or *.pem.
8. Right click on the imported certificate and Click "Get info"
9. In the "Trust" section, select "Always Trust"
10. Close the window.