We can generate a common CA certificate and then have each project use that CA to sign and issue its own project certificate. Only the CA certificate needs to be installed as a trusted root: once a project certificate has been signed and issued by this CA, clients trust it through the chain of trust, without each project certificate having to be trusted individually.
Generate a CA key
openssl genrsa -out ca.key 4096
Generate the self-signed CA certificate (ca.crt is the public half that gets distributed; ca.key stays private). Make sure its validity exceeds that of the project certificates it will sign, otherwise the chain breaks as soon as the CA expires. The -extensions v3_ca flag applies the [v3_ca] section of ssl.conf, which must mark the certificate as a CA (basicConstraints = CA:TRUE), or clients will not accept it as an issuer:
openssl req -x509 -new \
-days 4650 -nodes \
-out ca.crt \
-key ca.key \
-extensions v3_ca \
-config ssl.conf
We're going to generate a key per project that covers multiple fully qualified domain names. This key can be checked into the project repo, as it is intended for local development only and must never be used on production servers. The CA key is a different matter: anyone holding ca.key can issue certificates that every machine trusting ca.crt will accept, so keep it out of the repo and off shared machines.
Save ssl.conf to your my_project directory and open it in a text editor.
Edit the domain(s) listed under the [alt_names] section so that they match the local domain name you want to use for your project, e.g.
DNS.1 = my-project.dev
Additional FQDNs can be added if required:
DNS.1 = my-project.dev
DNS.2 = www.my-project.dev
DNS.3 = fr.my-project.dev
In a terminal, change into the project directory:
`cd my_project`
Generate a private key
openssl genrsa -out private.key 4096
Generate a Certificate Signing Request
openssl req -new -sha256 \
-out private.csr \
-key private.key \
-config ssl.conf
Check the CSR:
openssl req -text -noout -in private.csr
You should see the names you configured listed in the Subject Alternative Name extension, e.g.
X509v3 Subject Alternative Name: DNS:my-project.dev, DNS:www.my-project.dev
and
Signature Algorithm: sha256WithRSAEncryption
If the Subject Alternative Name line is missing, the [req] section of ssl.conf is not pointing req_extensions at the section that holds the subjectAltName entry, and the names will not make it into the CSR.
Generate a self-signed certificate (every project certificate made this way has to be trusted individually). Keep -days at 825 or below: macOS 10.15 and later reject TLS server certificates with a longer validity period, whoever issued them:
openssl x509 -req \
-days 825 \
-in private.csr \
-signkey private.key \
-out private.crt \
-extensions req_ext \
-extfile ssl.conf
Alternatively, and preferably, sign the CSR with the CA certificate and key, so that trusting ca.crt once covers every project certificate it issues. The [usr_cert] section of ssl.conf should supply the leaf extensions: the subjectAltName list, basicConstraints = CA:FALSE, and extendedKeyUsage = serverAuth, which Apple's TLS trust rules also require. -CAcreateserial creates ca.srl next to the CA to track issued serial numbers. The same 825-day limit applies:
openssl x509 -req \
-days 825 \
-in private.csr \
-CAkey ca.key \
-CA ca.crt \
-CAcreateserial \
-out private.crt \
-extensions usr_cert \
-extfile ssl.conf
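The whole procedure above, from CA key to a verified project certificate, as an added example that is not part of the original page. It assumes a minimal ssl.conf, written by the script itself because the page's own ssl.conf is not reproduced here, that provides the section names the commands use (v3_ca, req_ext, alt_names, usr_cert); a made-up CA subject of /CN=Local development CA; OpenSSL 1.1.1 or later on PATH; and my-project.dev as the domain. It goes one step beyond the page: it also issues a self-signed leaf from the same CSR and uses openssl verify to show that only the CA-issued certificate chains to ca.crt, which is the reason trusting the CA once is enough.

```shell
#!/bin/sh
# Added example, not from the original page: CA -> CSR -> CA-signed project cert,
# followed by the checks that prove the chain works.
# Assumptions (not stated on the page): the ssl.conf written below is a hypothetical
# minimal config providing the sections the page's commands name; the CA subject
# "/CN=Local development CA" is made up; OpenSSL 1.1.1 or later is on PATH.
set -eu

write_ssl_conf() {   # $1 = file to write, $2 = primary local domain
  cat > "$1" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]
CN = $2

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ req_ext ]
subjectAltName = @alt_names

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ alt_names ]
DNS.1 = $2
DNS.2 = www.$2
EOF
}

make_ca() {          # $1 = work dir; creates ca.key and the self-signed ca.crt
  openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -days 4650 -key "$1/ca.key" -subj "/CN=Local development CA" \
    -extensions v3_ca -config "$1/ssl.conf" -out "$1/ca.crt"
}

make_csr() {         # $1 = work dir; creates private.key and private.csr (SAN from req_ext)
  openssl genrsa -out "$1/private.key" 4096 2>/dev/null
  openssl req -new -sha256 -key "$1/private.key" -config "$1/ssl.conf" -out "$1/private.csr"
}

sign_with_ca() {     # $1 = work dir; issues private.crt from the CSR using the CA
  # 825 days: the longest validity Apple's TLS trust rules accept for a server cert.
  openssl x509 -req -days 825 -in "$1/private.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extensions usr_cert -extfile "$1/ssl.conf" -out "$1/private.crt"
}

self_sign() {        # $1 = work dir; the page's alternative: leaf signed with its own key
  openssl x509 -req -days 825 -in "$1/private.csr" -signkey "$1/private.key" \
    -extensions req_ext -extfile "$1/ssl.conf" -out "$1/selfsigned.crt"
}

chains_to_ca() {     # $1 = CA cert, $2 = cert to check; exit 0 only if it verifies as a server cert
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

has_san() {          # $1 = cert, $2 = DNS name; exit 0 if the name is in the SAN extension
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

is_ca_cert() {       # $1 = cert; exit 0 if basicConstraints marks it as a CA (a leaf must not be)
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-my-project.dev}"
write_ssl_conf "$WORK/ssl.conf" "$DOMAIN"
make_ca "$WORK"
make_csr "$WORK"
sign_with_ca "$WORK"
self_sign "$WORK"

# The CA-issued cert chains to ca.crt; the self-signed one does not, which is why
# trusting ca.crt once is enough for every project certificate it signs.
chains_to_ca "$WORK/ca.crt" "$WORK/private.crt" && echo "private.crt: chains to CA"
chains_to_ca "$WORK/ca.crt" "$WORK/selfsigned.crt" || echo "selfsigned.crt: not trusted via CA"
echo "files in $WORK"
```

Run it as sh make-certs.sh; set WORK and DOMAIN in the environment to choose the output directory and the domain. The sections in the heredoc, copied into your own ssl.conf, make the page's individual commands behave exactly as the script does.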
Add the CA certificate to the System keychain and trust it as a root (this is the only certificate that needs installing when the project certificate was issued by the CA):
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
(Alternatively, double-click the certificate file, ca.crt, or private.crt if you self-signed, to open Keychain Access. It will be listed under the login keychain by its common name, e.g. your project name my_project. Double-click it and select 'Always Trust' under the 'Trust' section.)
Restart Apache so it picks up the new certificate:
sudo apachectl -k restart