OpenSSL + nginx + wildcard self-signed SSL cert commands that play well with Chrome
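# Local root CA + wildcard server certificate for nginx (Chrome-friendly).
# What you trust in the macOS keychain / browser store is rootCA.crt (the CA),
# NOT the server cert. Chrome matches the hostname only against the
# subjectAltName entries from nginx-wildcard.cfg, never the CN.

# 1. Root CA key. -des3 passphrase-protects it; keep it out of the web root
#    and ideally off the server entirely once the leaf is signed.
openssl genrsa -des3 -out rootCA.key 2048

# 2. Self-signed root certificate.
#    The root MUST carry CA:TRUE + keyCertSign. Signing it with the leaf's
#    req_ext section (CA:FALSE, no keyCertSign) produces a "CA" that cannot
#    validly issue anything: `openssl verify` and strict clients reject the
#    chain. It also gets its own CN so the leaf's subject differs from its
#    issuer. -nodes was dropped: it only affects newly generated keys.
#    -addext needs OpenSSL >= 1.1.1; on older builds put the same three lines
#    in an extensions-only section of the cfg and pass `-extensions <section>`.
openssl req -x509 -new -key rootCA.key -sha256 -days 1024 -out rootCA.crt \
  -config nginx-wildcard.cfg \
  -subj "/C=US/ST=Oregon/L=Portland/O=LOLZ/OU=LMAO/CN=LOLZ Local Root CA" \
  -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" \
  -addext "subjectKeyIdentifier=hash"

# 3. Server key + CSR. -nodes leaves the key unencrypted so nginx can load it
#    unattended. -reqexts (the CSR-side flag; -extensions only applies to
#    -x509) embeds the SANs in the request, but step 4 must re-apply them:
#    `x509 -req` does not copy extensions from a CSR.
openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout nginx-wildcard.key \
  -out nginx-wildcard.csr -config nginx-wildcard.cfg -reqexts req_ext

# 4. Sign the leaf with the root. -extfile/-extensions is what actually puts
#    host.local / *.host.local on the certificate Chrome sees. Keep the
#    lifetime modest: recent macOS rejects TLS server certs valid > 825 days.
openssl x509 -req -in nginx-wildcard.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -out nginx-wildcard.crt -days 500 -sha256 -extfile nginx-wildcard.cfg -extensions req_ext

# 5. Verify BEFORE deploying. `openssl verify` fails on a root without CA:TRUE
#    (the bug step 2 fixes); the grep confirms the SANs really landed.
openssl verify -CAfile rootCA.crt nginx-wildcard.crt
openssl x509 -in nginx-wildcard.crt -noout -text | grep -A1 'Subject Alternative Name'

# 6. Optional combined bundle for tools that want cert+key in one file. nginx
#    does not need it (it takes .crt and .key separately). If you keep it,
#    it CONTAINS THE PRIVATE KEY and must be protected like the key.
cat nginx-wildcard.crt nginx-wildcard.key > nginx-wildcard.pem

# 7. Private key material is owner-only. The original `chmod 644` made the
#    server key readable by every local user; only the user running the nginx
#    master process (normally root) needs to read it. Certificates are public.
chmod 600 nginx-wildcard.key nginx-wildcard.pem
chmod 644 nginx-wildcard.crt rootCA.crt

# 8. Validate the nginx config first; a reload is enough to pick up new certs.
nginx -t && service nginx reload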
--- | |
nginx-wildcard.cfg | |
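# nginx-wildcard.cfg — OpenSSL config for a local root CA + wildcard server cert.
# Read by `openssl req` (subject DN, CSR extensions) and by
# `openssl x509 -req -extfile nginx-wildcard.cfg -extensions req_ext` when the
# leaf is signed. OpenSSL comments start with '#'.
# A section passed via -extensions must contain only extensions, which is why
# req_ext and ca_ext are kept apart from [req].

[req]
default_bits = 2048
prompt = no
default_md = sha256
# Extensions embedded in the CSR (-reqexts). `x509 -req` does NOT copy them
# from the CSR, so the signing step must pass -extfile/-extensions as well.
req_extensions = req_ext
distinguished_name = dn

# Subject of the SERVER certificate. Chrome (58+) ignores the CN for hostname
# matching; only the subjectAltName entries below count, so CN is cosmetic.
# Do not reuse this DN for the root CA: give the root its own CN (e.g. via
# -subj on the `req -x509` step) so the leaf's subject differs from its issuer.
[dn]
C = US
ST = Oregon
L = Portland
O = LOLZ
OU = LMAO
emailAddress = foo@bar.com
CN = host.local

# Leaf (server) extensions: not a CA, TLS key usage, serverAuth, and the SANs.
# Use ONLY when signing the CSR (`-extensions req_ext`). Never use this
# section for the self-signed root — see [ca_ext].
[req_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# serverAuth EKU: required by some platform verifiers (e.g. macOS) for TLS server certs
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# Root CA extensions, for the self-signed step only:
#   openssl req -x509 ... -config nginx-wildcard.cfg -extensions ca_ext
# A root signed with req_ext (CA:FALSE, no keyCertSign) cannot validly issue
# anything; `openssl verify -CAfile rootCA.crt` rejects the resulting chain.
# pathlen:0 means the root may only sign end-entity certs, not sub-CAs.
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Hostnames the server cert is valid for. A wildcard matches exactly one label
# (client.host.local) but not the bare domain, hence both entries.
[alt_names]
DNS.1 = host.local
DNS.2 = *.host.local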
-- | |
vhost | |
# Plain-HTTP listener for client.host.local: permanently redirect every
# request to the HTTPS vhost, preserving the path and query string.
server {
    listen 80;
    listen [::]:80;
    server_name client.host.local;

    # $server_name expands to the literal "client.host.local" configured above
    # (it is never taken from the client's Host header), so the target is the
    # same as spelling the hostname out again.
    return 301 https://$server_name$request_uri;
}
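# HTTPS vhost for client.host.local, served with the *.host.local wildcard cert.
server {
    # `listen ... ssl` replaces `ssl on;`, which is deprecated since nginx
    # 1.15.0 and removed in 1.25.1 (the old directive makes `nginx -t` fail).
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name client.host.local;

    root /var/www/docroot;
    index index.html;

    # Point at the certificate only. The .pem bundle built by the gist also
    # contains the private key; nginx loads the key separately through
    # ssl_certificate_key, and that file must not be world-readable (chmod 600).
    # No chain file is needed: the leaf is signed directly by the root that
    # clients trust.
    ssl_certificate     /var/ssl/nginx-wildcard.crt;
    ssl_certificate_key /var/ssl/nginx-wildcard.key;

    # Do not inherit the TLS 1.0/1.1 defaults of older nginx builds.
    # Drop TLSv1.3 if nginx is older than 1.13.0 or OpenSSL older than 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Server-side session resumption; the timeout bounds how long cached
    # sessions (and tickets) stay reusable.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    location / {
        try_files $uri $uri/ =404;
    }
}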
The problem I was struggling to solve: even after marking my self-signed certificate as trusted in the macOS keychain, Chrome still reported an invalid common name (NET::ERR_CERT_COMMON_NAME_INVALID). Chrome (58 and later) ignores the CN entirely and matches the hostname only against subjectAltName entries, so I had to add those alt names to the wildcard config before Chrome accepted it completely. Note that the certificate to trust in the keychain is the root CA (rootCA.crt), not the server certificate it signs.