Generate ssl certificates with Subject Alt Names on OSX
=======================================================
Open `ssl.conf` in a text editor.
Edit the domain(s) listed under the `[alt_names]` section so that they match the local domain name you want to use for your project, e.g.
```
DNS.1 = my-project.dev
```
Additional FQDNs can be added if required:
```
DNS.1 = my-project.dev
DNS.2 = www.my-project.dev
DNS.3 = fr.my-project.dev
```
Create a directory for your project, e.g. `my_project` and save `ssl.conf` inside it.
Open Terminal and navigate to `my_project`:
```
cd my_project
```
Generate a private key:
```
openssl genrsa -out private.key 4096
```
Generate a Certificate Signing Request:
```
openssl req -new -sha256 \
    -out private.csr \
    -key private.key \
    -config ssl.conf
```
(You will be asked a series of questions about your certificate. Answer however you like, but for 'Common name' enter the name of your project, e.g. `my_project`)
Now check the CSR:
```
openssl req -text -noout -in private.csr
```
You should see this:
`X509v3 Subject Alternative Name: DNS:my-project.dev` and
`Signature Algorithm: sha256WithRSAEncryption`
Generate the certificate:
```
openssl x509 -req \
    -sha256 \
    -days 3650 \
    -in private.csr \
    -signkey private.key \
    -out private.crt \
    -extensions req_ext \
    -extfile ssl.conf
```
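Add the certificate to the System keychain and trust it as a root (`-d` writes to the admin trust settings, so the trust applies to every user on the machine):
```
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain private.crt
```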
(Alternatively, double click on the certificate file `private.crt` to open Keychain Access. Your project name `my_project` will be listed under the login keychain. Double click it and select 'Always trust' under the 'Trust' section.)
If you are using MAMP Pro, add (or edit) a host with the server name you listed under the `[alt_names]` section of your ssl.conf. On the SSL tab select the Certificate file and Certificate key that you just generated.
Save changes and restart Apache.
ssl.cnf (save it as `ssl.conf`, the name the commands above expect)
```
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ireland
localityName = Locality Name (eg, city)
localityName_default = Dublin
organizationName = Organization Name (eg, company)
organizationName_default = Information Security
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = whatever.domain.internal
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = whatever-website.domain.internal
DNS.2 = another-website.domain.internal
```
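The steps above check the CSR but not the finished certificate, and `openssl x509 -req` only carries the SAN across when `-extensions` and `-extfile` are given. The following is an added example, not part of the original gist: it builds a throwaway key, CSR and two certificates (one signed as above, one without the extension flags) and checks each for the expected name. The function names, the 2048-bit key and the 30-day lifetime are assumptions chosen to keep the demo quick.

```shell
#!/bin/sh
# Added example; names, lifetimes and the temp directory are constructed.

# san_names CERT: print one SAN entry per line, e.g. "DNS:my-project.dev".
san_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n +2 | tr ',' '\n' | sed 's/^ *//'
}

# cert_has_san CERT NAME: succeed only if NAME is an exact DNS SAN entry.
cert_has_san() { san_names "$1" | grep -Fxq "DNS:$2"; }

# key_matches_cert KEY CERT: succeed only if both hold the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# make_demo DIR: write a config, key, CSR and two self-signed certs into DIR.
make_demo() {
    d=$1
    cat > "$d/ssl.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
CN = my_project
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = my-project.dev
DNS.2 = www.my-project.dev
EOF
    openssl genrsa -out "$d/private.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/private.key" -out "$d/private.csr" -config "$d/ssl.conf"
    # As in the steps above: the extension section is re-applied at signing time.
    openssl x509 -req -sha256 -days 30 -in "$d/private.csr" -signkey "$d/private.key" \
        -out "$d/with_san.crt" -extensions req_ext -extfile "$d/ssl.conf" 2>/dev/null
    # Same command without -extensions/-extfile: the CSR's SAN is not copied over.
    openssl x509 -req -sha256 -days 30 -in "$d/private.csr" -signkey "$d/private.key" \
        -out "$d/no_san.crt" 2>/dev/null
}

tmp=$(mktemp -d) && make_demo "$tmp"
for c in with_san no_san; do
    cert_has_san "$tmp/$c.crt" my-project.dev && r=present || r=missing
    echo "$c.crt: my-project.dev SAN $r"
done
```

Run `cert_has_san private.crt my-project.dev` and `key_matches_cert private.key private.crt` against your own files before adding the certificate to the keychain.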