Easily create local SSL certificates for development sites that work with your own Certificate Authority https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
#!/bin/sh
# Issue a certificate for one development domain, signed by the local CA from the
# linked tutorial. Expects ~/certs to exist and myCA.pem / myCA.key one level above it.
set -eu
if [ "$#" -ne 1 ]
then
  echo "Usage: Must supply a domain" >&2
  exit 1
fi
DOMAIN=$1
cd ~/certs
openssl genrsa -out "$DOMAIN.key" 2048
openssl req -new -key "$DOMAIN.key" -out "$DOMAIN.csr"
# Leaf extensions. "openssl x509 -req" takes extensions only from -extfile, never
# from the CSR, so the subjectAltName the browser matches against must be listed here.
cat > "$DOMAIN.ext" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# macOS/iOS refuse server certificates without the serverAuth EKU
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
# wildcard-DNS name for the author's LAN address; for a bare address use IP.1 = <address>
DNS.2 = $DOMAIN.192.168.1.19.xip.io
EOF
# 825 days is the longest validity macOS/iOS accept for a TLS server certificate
openssl x509 -req -in "$DOMAIN.csr" -CA ../myCA.pem -CAkey ../myCA.key -CAcreateserial \
  -out "$DOMAIN.crt" -days 825 -sha256 -extfile "$DOMAIN.ext"
@polevaultweb

Owner Author

commented Jan 31, 2018

I use this for adding certificates to local sites with MAMP Pro.

  1. Create your own Certificate Authority https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
  2. Create a directory certs in your root directory
  3. Download this bash file to your root
  4. Copy the file to /usr/local/bin/: mv ssl.sh /usr/local/bin/ssl
  5. Make it executable: chmod u+x /usr/local/bin/ssl
  6. Call it anywhere like ssl mydomain.dev (follow the prompts as per https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/#creating-ca-signed-certificates)
  7. Add the cert to your host in MAMP Pro
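The procedure above (a local CA, then a per-domain key, CSR and CA-signed certificate with a subjectAltName) carried through end to end, as an added example that is not the gist's script and not the tutorial's code: it builds a throwaway CA in a scratch directory, issues a leaf certificate that carries both a DNS and an IP SAN, then verifies the chain against the CA and prints the SAN line. The CA name "Local Dev CA", the scratch directory, the 825-day validity and the sample domain and address are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not the gist's script): local CA -> leaf cert with DNS + IP SANs
# -> chain verification. Everything lands in a scratch directory so it runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory for CA and issued certs

# Create a self-signed CA with explicit CA extensions. An explicit -config keeps the
# result identical across OpenSSL versions instead of relying on the system openssl.cnf.
make_ca() {
  [ -f "$WORK/myCA.pem" ] && return 0   # reuse an existing CA
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Local Dev CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/myCA.key" -out "$WORK/myCA.pem" 2>/dev/null
}

# issue_cert DOMAIN [IP]: key, CSR and CA-signed certificate carrying the SANs.
issue_cert() {
  domain=$1; ip=${2:-}
  make_ca
  openssl genrsa -out "$WORK/$domain.key" 2048 2>/dev/null
  # -subj overrides the DN in ca.cnf, which is only reused to avoid the interactive prompts
  openssl req -new -key "$WORK/$domain.key" -subj "/CN=$domain" \
    -config "$WORK/ca.cnf" -out "$WORK/$domain.csr"
  {
    echo "authorityKeyIdentifier = keyid,issuer"
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = digitalSignature, keyEncipherment"
    echo "extendedKeyUsage = serverAuth"      # required by Apple's trust policy
    echo "subjectAltName = @alt_names"
    echo "[alt_names]"
    echo "DNS.1 = $domain"
    if [ -n "$ip" ]; then
      echo "IP.1 = $ip"                      # a bare address is an IP SAN, not a DNS SAN
    fi
  } > "$WORK/$domain.ext"
  # x509 -req reads extensions from -extfile only; 825 days is the macOS/iOS maximum
  openssl x509 -req -in "$WORK/$domain.csr" -CA "$WORK/myCA.pem" -CAkey "$WORK/myCA.key" \
    -CAcreateserial -out "$WORK/$domain.crt" -days 825 -sha256 \
    -extfile "$WORK/$domain.ext" 2>/dev/null
}

# verify_cert DOMAIN: exit 0 only if the certificate chains to the local CA.
verify_cert() {
  openssl verify -CAfile "$WORK/myCA.pem" "$WORK/$1.crt" >/dev/null
}

# cert_sans DOMAIN: print the SAN entries, i.e. the names a browser will match the URL against.
cert_sans() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1
}

if [ $# -ge 1 ]; then
  issue_cert "$1" "${2:-}"
  verify_cert "$1" && cert_sans "$1"
fi
```

Run it as `sh issue.sh dev.example.test 192.168.1.19`; the SAN line it prints is what the browser compares with the URL, so a site reached by bare address needs the `IP.1` entry rather than a DNS name that merely contains the digits.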
@njm2112


commented Sep 26, 2018

Thanks for this -- definitely made the process of issuing signed certificates smooth. Do you happen to have a recommendation for how to adapt the $DOMAIN.ext config file if you're not using xip.io for wildcard DNS? I tried using just the internal IP of the host machine that I need to hit on my network, but that doesn't seem to be working and Chrome is still throwing an ERR_SSL_PROTOCOL_ERROR response. I confirmed that I have added myCA.pem (and adjusted trust level to 'always') to my system Keychain. I know there's no issue with the signed certificate itself because I can validate it against the CA I created...

@kristos80


commented Dec 6, 2018

> Thanks for this -- definitely made the process of issuing signed certificates smooth. Do you happen to have a recommendation for how to adapt the $DOMAIN.ext config file if you're not using xip.io for wildcard DNS? I tried using just the internal IP of the host machine that I need to hit on my network, but that doesn't seem to be working and Chrome is still throwing an ERR_SSL_PROTOCOL_ERROR response. I confirmed that I have added myCA.pem (and adjusted trust level to 'always') to my system Keychain. I know there's no issue with the signed certificate itself because I can validate it against the CA I created...

Probably the error is not due to the internal IP mismatch but rather to how the certificate is issued. After a long search there are two things that need to change in order for the certificate to work:

  1. Add this [ req_ext ] before subjectAltName = @alt_names, ending up with the .ext file looking like this:
[ req_ext ]
# every extension has to sit below the section header: with -extensions req_ext,
# openssl only reads that section and ignores lines above the first [section]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
DNS.2 = $DOMAIN.127.0.0.1
  2. Change the last openssl command to:
openssl x509 -req -in $DOMAIN.csr -CA ../myCA.pem -CAkey ../myCA.key -CAcreateserial \
-out $DOMAIN.crt -days 1825 -sha256 -extfile $DOMAIN.ext -extensions req_ext