
@achesco
Last active May 6, 2019 10:13
Self-signed SSL certificates signed with authority for multiple (sub)domains

Create CA key (keep it a secret)

openssl genrsa -out rootCA.key 4096

Create CA cert

openssl req -new -x509 -days 1826 -key rootCA.key -out rootCA.crt

Create a private key for the server we want to use SSL on

openssl genrsa -out server.key 2048

Create certificate signing request

openssl.cnf

[req]
req_extensions = v3_req
x509_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C = Country
ST = State
L = City
O = Org. name
OU = Org. unit name
CN = server-name

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = server-name
DNS.2 = alternative-server-name
DNS.3 = subdomain.server-name

Generate the signing request

openssl req -new -key server.key -config openssl.cnf -out server.csr

Create signed server certificate

openssl x509 -req -days 3650 -in server.csr -CA rootCA.crt -CAkey rootCA.key -set_serial 123 -extensions v3_req -extfile openssl.cnf -out server.crt

Use an incrementing number as the -set_serial value, so that every certificate issued by this CA gets a unique serial.
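The steps above wrapped into shell functions, as an added example that is not part of the gist: it keeps the serial in a counter file and finishes with an openssl verify check (chain plus hostname against the SAN list). The work directory, host names and config file names are constructed for this example; the CA config adds an explicit CA:TRUE constraint so the result does not depend on the system default openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the gist): the steps above as shell functions with
# an incrementing serial counter and an openssl verify check. Work dir,
# host names and config file names are constructed for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_ca() {  # CA key and self-signed CA cert with an explicit CA:TRUE constraint
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Dev Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out "$WORK/rootCA.key" 4096 2>/dev/null
  openssl req -new -x509 -days 1826 -key "$WORK/rootCA.key" \
    -config "$WORK/ca.cnf" -out "$WORK/rootCA.crt"
}

next_serial() {  # -set_serial value: read the counter file, bump it, print it
  f="$WORK/serial"; n=$(cat "$f" 2>/dev/null || echo 0); n=$((n + 1))
  echo "$n" > "$f"; echo "$n"
}

make_server_cert() {  # $1 = CN (also DNS.1), remaining args = extra SAN names
  cn="$1"; shift
  { printf '[req]\nreq_extensions = v3_req\ndistinguished_name = dn\nprompt = no\n'
    printf '[dn]\nCN = %s\n[v3_req]\nbasicConstraints = CA:FALSE\n' "$cn"
    printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n[alt_names]\n'
    i=1; for name in "$cn" "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
  } > "$WORK/server.cnf"
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -config "$WORK/server.cnf" -out "$WORK/server.csr"
  openssl x509 -req -days 3650 -in "$WORK/server.csr" -CA "$WORK/rootCA.crt" \
    -CAkey "$WORK/rootCA.key" -set_serial "$(next_serial)" \
    -extensions v3_req -extfile "$WORK/server.cnf" -out "$WORK/server.crt" 2>/dev/null
}

verify_host() {  # chain check plus hostname match against the SAN list
  openssl verify -CAfile "$WORK/rootCA.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
```

Run `make_ca`, then `make_server_cert dev.example.test api.dev.example.test`, and `verify_host` succeeds only for names present in the SAN list.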

Import rootCA.crt to system trusted authorities

Mac OS X: Safari

  • Keychain Access App
  • Import rootCA.crt
  • Double click on imported item > Trust > Always Trust

Mac OS X: Firefox

  • Preferences > Privacy & Security > View Certificates
  • Certificate Manager > Authorities > Import rootCA.crt
  • Trust Settings > This certificate can identify websites

iOS

  • Use a Dropbox link to add the certificate to the device
  • Settings > General > About > Certificate Trust Settings
  • Enable full trust for imported root certificate