The following steps should (theoretically) only need to be done once every few years (until the root CA certificate expires):
- Run `generate-certificate-authority.sh` to generate a root Certificate Authority (CA) certificate. All future app-specific certs can "chain" from this.
- This script will prompt you to create a pass phrase for your root CA certificate. Make sure to note this down (maybe in a nearby file; it's okay as plaintext since these are just development certificates) as you'll need it for future app-specific certificate generation. Do keep the CA private key and that file out of version control, though: once the root CA is trusted by your OS, anything signed with that key is trusted by every machine that installed it.
- Tell your OS/browser that it can trust this root CA. For example, on macOS, this certificate has to be added to the System keychain: `sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" ca.pem`
Any time you want to generate an app-specific certificate, run the following steps:
- Tweak `server.csr.cnf` to use your particular domain, even if it's just `localhost`. Most importantly, the `DNS.1` entry in `v3.ext` must match the `CN
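The two stages above (a long-lived root CA, then a per-app certificate signed by it) done directly with `openssl`, as an added example rather than the project's own scripts. It assumes `openssl` 1.1.1 or newer on the PATH, takes the CA pass phrase from a `CA_PASS` environment variable instead of an interactive prompt (development-only, as the README notes), and writes `ca.pem`, `server.csr.cnf` and `v3.ext` with the same names the README uses. The trust step is OS-specific and is not repeated here. The `verify_cert` function is the check a practitioner wants after signing: the chain must verify against `ca.pem`, and the `DNS.1` entry in the SAN must match the `CN`, since browsers validate the SAN, not the `CN`.

```shell
#!/usr/bin/env bash
# Added example: the README's two-stage flow with plain openssl, non-interactive.
# Assumptions (not from the project): openssl >= 1.1.1; CA pass phrase in $CA_PASS.
set -eu

CA_PASS="${CA_PASS:-dev-ca-passphrase}"   # development-only pass phrase

# Stage 1 (rare): root CA key + self-signed CA cert. CA:TRUE is required, or
# `openssl verify` rejects it as an invalid CA.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Local Dev Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -passin "pass:$CA_PASS" \
    -config "$dir/ca.cnf" -sha256 -days 1825 -out "$dir/ca.pem" 2>/dev/null
}

# Stage 2 (per app): CSR whose CN is the domain, signed with v3.ext whose
# DNS.1 is the same domain. Both files are generated from one $domain so
# they cannot drift apart.
make_server_cert() {
  dir="$1"; domain="$2"
  cat > "$dir/server.csr.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
CN = $domain
EOF
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $domain
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -config "$dir/server.csr.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/v3.ext" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 only if the cert chains to ca.pem, carries DNS:$domain in its
# SAN, and its CN equals $domain (the README's DNS.1 == CN rule).
verify_cert() {
  dir="$1"; domain="$2"
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null)
  case "$text" in *"DNS:$domain"*) ;; *) return 1 ;; esac
  subj=$(openssl x509 -in "$dir/server.crt" -noout -subject -nameopt RFC2253 2>/dev/null)
  [ "$subj" = "subject=CN=$domain" ]
}

# Stand-alone run: CA + cert for localhost in a scratch directory.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
make_server_cert "$demo_dir" localhost
verify_cert "$demo_dir" localhost && echo "localhost cert OK in $demo_dir"
```

Point a dev server at `server.key`/`server.crt`; once `ca.pem` is in the OS trust store, `https://localhost` validates because the SAN, not the CN, carries `localhost`.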