These instructions let you create a root Certificate Authority and issue a certificate for "localhost", to improve the local development experience. These instructions assume you use macOS.
- create a root CA
- create a certificate
- sign the certificate with the root CA created in step 1
- add the root CA to the keychain via `security`
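# Locate the default OpenSSL config directory. `openssl version -a` prints a
# line like  OPENSSLDIR: "/private/etc/ssl"  — awk strips the surrounding quotes.
OPENSSL_CONF_DIR=$(/usr/bin/openssl version -a | grep 'OPENSSLDIR' | awk '{print substr($2,2,length($2)-2) }')
# Quoted so a path containing spaces does not word-split; cp reports its own
# error if the directory could not be determined.
cp "$OPENSSL_CONF_DIR/openssl.cnf" ./openssl.cnf
# Append the CA extensions used below. OpenSSL's config loader re-opens an
# already-defined section and lets later keys override earlier ones, so this
# is safe even if the stock openssl.cnf already contains [ v3_ca ].
cat <<'EOT' >>./openssl.cnf
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOT
# Self-signed root with a 5-year (1825-day) validity and a 4096-bit RSA key.
# No -nodes here on purpose: openssl prompts for a passphrase, so rootCA.key
# is written encrypted — the root key is the one secret worth protecting.
openssl req -config openssl.cnf -new -newkey rsa:4096 -x509 -days 1825 -extensions v3_ca -keyout rootCA.key -out rootCA.crt -subj "/C=IL/ST=TLV/O=Yoshi"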
- note: Chrome requires SANs (subjectAltName); without them it will show the site as "Insecure"
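# Write the CSR/extension config from scratch: '>' rather than '>>', so
# re-running these steps does not append a second copy of every section
# to an existing localhost.cnf (duplicate sections make the effective
# config hard to reason about).
cat <<'EOF' >./localhost.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=IL
ST=Tel Aviv
L=Tel Aviv
O=Fed Infra
OU=Yoshi CDN
emailAddress=yoshi-team@wix.com
CN = localhost

[ req_ext ]
subjectAltName = @alt_names
# Apple's trust-store requirements for TLS server certificates call for an
# extendedKeyUsage containing serverAuth; it is harmless on other platforms.
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = localhost
DNS.2 = local.wix.com
# An IP literal must be an iPAddress SAN entry (IP.n). Browsers do not match
# "127.0.0.1" against a dNSName entry, so https://127.0.0.1 would still fail.
IP.1 = 127.0.0.1
EOF
# Leaf key + CSR. -nodes leaves localhost.key unencrypted so a local dev
# server can load it without a prompt; keep it out of version control.
openssl req -new -sha256 -nodes -out localhost.csr -newkey rsa:2048 -keyout localhost.key -config ./localhost.cnf
# Sign with the root CA. -extfile/-extensions copy the SANs and EKU from
# req_ext into the issued cert (x509 -req does not carry CSR extensions over
# by itself). 500 days stays under Apple's 825-day limit for TLS server certs.
openssl x509 -req -in localhost.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out localhost.crt -days 500 -sha256 -extfile ./localhost.cnf -extensions req_ext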
(note: Firefox has its own certificate store, so the root CA needs to be added there separately)
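# Trust the dev root system-wide (-d, System keychain), but restrict it to
# the SSL policy (-p ssl): the default trust covers every policy (code
# signing, S/MIME, ...), which a local-development CA never needs.
# To trust it for the current user only, drop sudo and -d and use
# -k ~/Library/Keychains/login.keychain-db instead.
sudo security add-trusted-cert -d -r trustRoot -p ssl -k /Library/Keychains/System.keychain rootCA.crt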