I'll try to tell you how to get yourself a nice green "Secure" button on your localhost.
I stored everything in .ssl in my home folder. To be really secure, make sure you apply proper permissions to this folder.
mkdir .ssl
chmod -R 700 .ssl
This keeps other users from snooping in your home folder's .ssl directory and getting your private keys. Not super-important on a single-user dev machine, but very important on a server.
Install ca-certificates with
apt-get install ca-certificates
Next, create the root CA's private key and self-signed certificate. The -nodes flag leaves rootCA.key unencrypted on disk, which is why the folder permissions above matter.
openssl req -x509 -newkey rsa:4096 -nodes -keyout rootCA.key -out rootCA.crt -days 3650
Create a file named config.txt (or whatever you want).
Modify its contents to look generally like the following.
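[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=Pennsylvania
L=Philadelphia
O=My Organization
OU=None
emailAddress=you@example.com
CN = 127.0.0.1
[ req_ext ]
# Section named by req_extensions above; openssl req fails if it is missing.
subjectAltName = DNS:localhost,IP:127.0.0.1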
Next step: generate the CSR file itself.
Note: This will ask you to enter a pass-phrase for the PEM.
openssl req -new -config config.txt -keyout localhost.key -out localhost.csr
I believe something like the following will work as well if you don't want to enter a password on Apache restarts:
openssl genrsa -out localhost.key 2048
openssl req -new -sha256 -nodes -key localhost.key -out localhost.csr -config config.txt
Chrome uses the subjectAltName extension when determining valid domain names.
Create a file named extfile.txt with the following contents:
subjectAltName=DNS:localhost,IP:127.0.0.1
The next step is to generate your certificate file.
openssl x509 -req -extfile extfile.txt -in localhost.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out localhost.crt -days 365 -sha256
You have a valid certificate now. The only thing left to do is tell your local machine to trust your root CA.
cp rootCA.crt /usr/share/ca-certificates
Next step is to run the reconfiguration for ca-certificates.
dpkg-reconfigure ca-certificates
In the prompt that comes up, select ask and press enter.
Scroll through the list and find your new root CA certificate. Select it with the space bar and press enter.
Once dpkg is done, you should have a functioning trusted CA on your local computer.
Last step is to restart Chrome, go to Chrome Settings, search for 'certificates' and click Manage Certificates.
Find your certificate under Authorities, expand it and click the little vertical dots beside it.
Check the checkboxes you want to use the certificate for and you should be good to go!
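Before blaming the browser, it helps to confirm that localhost.crt really chains to rootCA.crt and carries both subjectAltName entries. The script below is an added example, not part of the original post: check_cert does the verification, and make_demo builds a constructed throwaway CA and leaf with the same commands as above (the -subj values, 1-day lifetimes and temp directory are assumptions made so it runs without prompts).

```shell
#!/bin/sh
# check_cert CA_CERT LEAF_CERT
#   0 = leaf chains to the CA and its SAN covers localhost + 127.0.0.1
#   1 = not signed by this CA, 2 = DNS:localhost missing, 3 = IP 127.0.0.1 missing
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    text=$(openssl x509 -in "$2" -noout -text)
    printf '%s\n' "$text" | grep -qE 'DNS:localhost(,|$)' \
        || { echo "SAN: DNS:localhost missing"; return 2; }
    printf '%s\n' "$text" | grep -qE 'IP Address:127\.0\.0\.1(,|$)' \
        || { echo "SAN: IP 127.0.0.1 missing"; return 3; }
    echo "ok"
}

# make_demo DIR EXT_LINE
#   Constructed sample data: a throwaway root CA and a leaf signed by it,
#   with EXT_LINE written to extfile.txt (hypothetical helper for this example).
make_demo() {
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -keyout rootCA.key -out rootCA.crt \
          -days 1 -subj "/CN=Demo Local Root CA" 2>/dev/null
      openssl req -new -newkey rsa:2048 -nodes -keyout localhost.key \
          -out localhost.csr -subj "/CN=127.0.0.1" 2>/dev/null
      printf '%s\n' "$2" > extfile.txt
      openssl x509 -req -extfile extfile.txt -in localhost.csr -CA rootCA.crt \
          -CAkey rootCA.key -CAcreateserial -out localhost.crt -days 1 -sha256 2>/dev/null
    )
}

# Stand-alone run: build the demo set and check it.
demo=$(mktemp -d)
make_demo "$demo" 'subjectAltName=DNS:localhost,IP:127.0.0.1'
check_cert "$demo/rootCA.crt" "$demo/localhost.crt"
rm -rf "$demo"
```

On your real files, run check_cert rootCA.crt localhost.crt from inside the .ssl folder.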
If this doesn't work for you, please let me know. I want it to be as accurate as possible.