Getting Chrome to recognize a self signed certificate

TL;DR: You need to create a CA cert and then use that to sign your self-signed cert. You can then add the CA cert to your system, which will cause your other cert to be trusted.

First some background. For years now I have had servers here at the house that are only accessible through the local network. I use them for everything from VPN and file storage to web software development.

One of the things that has always driven me up the wall is that since they don’t have domain names and aren’t public, I can’t get them set up with a valid SSL cert. In the past that was just a matter of clicking through and dealing with it being annoying. Now that browsers like Chrome are starting to block you from visiting these kinds of sites, it is a real issue.

For a long time I used the Chrome trick of typing in a special phrase to get past this; however, the Chrome source code talks about how this is not recommended and that they will rotate the phrase to keep people from getting used to this.

So what is a guy to do? Become a Certificate Authority, that’s what! I would love to say this was my idea, but it wasn’t. Credit where credit is due: JellicleCat posted the steps over on this Stack Overflow question. Since this is already out there, I am creating this post more for self-reference and to help anyone else who may have come across the question. Also note that I have modified his steps a bit so that I don’t have to change file names afterwards when working with the Apache2 install that comes with MacPorts, which is an epic package manager for OS X, or erm, macOS, depending on the version.

Since my server has the certificates in /opt/local/etc/apache2/, I am going to be doing everything in that directory and using the names of the existing files. This means that I am able to just restart Apache later on in the process. Keep in mind that if you’re not doing this, you will have the extra step of installing the server certs before you can use them.

First let’s start by becoming a Certificate Authority by creating a CA cert we can sign with. Although you are limited to 1 year with an SSL cert for the site you are protecting, the same rule does not apply for the certificate authority. Below I have set the certificate authority to 10 years, which should be plenty.

# Generate private key
$ openssl genrsa -des3 -out serverCA.key 2048

# Generate root certificate
$ openssl req -x509 -new -nodes -key serverCA.key -sha256 -days 3650 -out serverCA.pem

Congratulations, you are now a Certificate Authority! You can now use that authority to sign a certificate for your server!

# Use your own domain name
$ NAME=YourDomain.Whatever

# Generate a private key
$ openssl genrsa -out server.key 2048

# Create a certificate-signing request
$ openssl req -new -key server.key -out server.csr

# Create a config file for the extensions
$ >server.ext cat <<-EOF
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honored by itself
DNS.2 = *.$NAME # Optionally, add additional domains (I've added a wildcard subdomain here)
IP.1 = XXX.XXX.XXX.XXX # Optionally, add an IP address (if the connection which you have planned requires it) if not delete this line
EOF

# Create the signed certificate
$ openssl x509 -req -in server.csr -CA serverCA.pem -CAkey serverCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext

Once you are done you can now validate that it all worked and that the domain you want to use will work. You can do so with the following:

$ openssl verify -CAfile serverCA.pem -verify_hostname YourDomain.Whatever server.crt

If all is well you will get a response of “server.crt: OK” and you are ready to move on to the next step!
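The whole flow above, run non-interactively in a scratch directory so the resulting certificate can be checked against several host names. This is an added example, not code from the original post or the Stack Overflow answer; the host name intranet.example, the -subj values, the passphrase and the address 192.0.2.10 are constructed sample values, and it uses -aes256 instead of -des3 for the CA key.

```shell
#!/bin/sh
# Added example (not from the original post). NAME, the -subj values, the
# passphrase and the IP address are constructed sample values.
NAME=intranet.example
WORK=$(mktemp -d)    # scratch directory, so no real Apache files are touched

build_chain() (
    cd "$WORK" || exit 1
    # CA key (AES-256 here instead of the post's -des3) and 10-year root cert
    openssl genrsa -aes256 -passout pass:sample-only -out serverCA.key 2048 2>/dev/null &&
    openssl req -x509 -new -key serverCA.key -passin pass:sample-only \
        -sha256 -days 3650 -subj "/CN=Home Lab CA" -out serverCA.pem &&
    # Server key, CSR and the extensions file carrying the SAN entries
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -subj "/CN=$NAME" -out server.csr &&
    printf '%s\n' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'subjectAltName = @alt_names' \
        '[alt_names]' \
        "DNS.1 = $NAME" \
        "DNS.2 = *.$NAME" \
        'IP.1 = 192.0.2.10' > server.ext &&
    openssl x509 -req -in server.csr -CA serverCA.pem -CAkey serverCA.key \
        -passin pass:sample-only -CAcreateserial -out server.crt \
        -days 365 -sha256 -extfile server.ext 2>/dev/null
)

# Succeeds only if server.crt chains to our CA AND covers host name $1.
host_ok() (
    cd "$WORK" && openssl verify -CAfile serverCA.pem -verify_hostname "$1" \
        server.crt >/dev/null 2>&1
)

# Prints the SAN entries actually embedded in the signed certificate.
san_list() {
    openssl x509 -in "$WORK/server.crt" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1
}

build_chain || { echo "chain build failed" >&2; exit 1; }
echo "SAN:$(san_list)"
for h in "$NAME" "www.$NAME" "a.b.$NAME" other.example; do
    if host_ok "$h"; then echo "$h: OK"; else echo "$h: rejected"; fi
done
```

The wildcard entry covers exactly one label, so www.intranet.example verifies while a.b.intranet.example is rejected along with unrelated names.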

Depending on the folder you did this all in, you will either need to install the certificates or restart Apache so it loads the new ones you created with the same name.

OK, now to get the CA pem file installed on the local machine. Start by downloading the Certificate Authority pem file from your server. If, like me, you are doing all this with SSH, a good way to do this is with SCP, which is just SSH for copying files.

$ scp YourUserName@ServerIpOrDomainName:/PathToPemFileOnServer/serverCA.pem /PathToWhereYouWantToPutFileOnLocalMachine/WhateverYouWantToCallTheFileOnYourLocalMachine.pem

# In my use case it looks like this
$ scp YourUserName@ServerIpOrDomainName:/opt/local/etc/apache2/serverCA.pem ~/downloads/serverCA.pem

Now that you have the CA pem file on your machine, start by opening the Keychain. Then go to the File menu and choose Import. Locate the CA pem file you just downloaded and select it.

Once you have imported the certificate, find it in your keychain and double-click it. There will be 2 options with arrows next to them. The first is “Trust”, which is most likely closed; if it is, click the arrow to open the associated options. The only thing you need to change is to set “Secure Sockets Layer (SSL)” to “Always Trust”. It is also worth noting that there isn’t a save button, so once you change the value it saves automatically. If you want to make sure it took, you can close out of the detail view and go back to it again to double-check.

That’s it! At this point you are done! You shouldn’t need to restart or even close Chrome. All you need to do now is visit the server’s webpage that you set up with the self-signed certificate you created earlier!
