The Coding Notebook
Memorable coding moments of a software engineer
Generating Self-Signed SSL certificates for development
Howto: generate multi-domain self-signed certificates (and use with nginx)
# Intro

Self-signed certificates are often needed during development. This is one way to generate them on a Linux machine (WSL works too).

**NOTE:** Do NOT use such certificates in production - such certificates are not trusted by browsers.

## Step 1: Copy conf template

```sh
cd ~
cp /usr/lib/ssl/openssl.cnf .
```

## Step 2: Edit the conf file adding domains

Edit the copied `openssl.cnf` and insert the following line immediately BEFORE the “HOME” entry:

```txt
SAN="email:your-email@domain.com"
```

Add the following line immediately AFTER the `[ v3_req ]` and `[ v3_ca ]` section markers (add as many domains as needed):

```
subjectAltName=DNS:sub1.domain.com,DNS:sub2.domain.com
```

## Step 3: Generate the certificate

```sh
openssl req -new -x509 -sha256 -days 365 -nodes -out cert.pem -keyout cert_key.pem -config openssl.cnf
```

To view the cert:

```sh
openssl x509 -in cert.pem -noout -text
```

# Use certificate in Nginx

In step 3 we generated 2 files, `cert.pem` and `cert_key.pem`. Copy them to wherever you keep your certificates; `/etc/nginx/ssl` is a good place. Next we'll use these files in our nginx config.

Edit the nginx conf file (usually `/etc/nginx/nginx.conf`, but it really depends on your setup). Find the `server` section and add the ssl conf:

```
server {
    server_name domain.com;
    listen 80;

    # SSL
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert_key.pem;
}
```

## Add to "trusted certificates" on Windows

If you browse to a site using that certificate, Chrome will show an error because the certificate is not trusted. In order to "trust" this certificate:

1. Using Chrome, browse to some site that is using the certificate
1. Click on "View Certificate"
1. Click on "Copy to File..." and save the certificate as a ".der" file
1. Open Windows "Manage User Certificates" settings
1. Right-click on "Trusted Root Certification Authorities/Certificates" -> All Tasks -> Import
1. Select the saved certificate from above
1. Restart Chrome
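
The certificate generation from Steps 1 to 3, as an added example that is not part of the original post: it writes a minimal dedicated config instead of editing a copy of the system `openssl.cnf`, then checks that each requested name is in the certificate's Subject Alternative Name list. The function names `gen_dev_cert` and `cert_has_san` and the file name `dev.cnf` are hypothetical; the domains are the post's sample values.

```shell
# Added example (not from the original post). gen_dev_cert, cert_has_san and
# dev.cnf are hypothetical names; cert.pem / cert_key.pem follow the post.

# usage: gen_dev_cert OUTDIR DOMAIN [DOMAIN...]
gen_dev_cert() {
    [ "$#" -ge 2 ] || { echo "usage: gen_dev_cert OUTDIR DOMAIN..." >&2; return 2; }
    outdir=$1; shift
    mkdir -p "$outdir" || return 1

    # Build "DNS:a,DNS:b,..." from the remaining arguments.
    san=""
    for d in "$@"; do
        san="${san:+$san,}DNS:$d"
    done

    # Minimal config: only what `openssl req -x509` needs, no system defaults.
    cat > "$outdir/dev.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
CN = $1

[ v3_ca ]
subjectAltName   = $san
basicConstraints = critical,CA:TRUE
EOF

    # Subshell so the restrictive umask (key readable by owner only) does not
    # leak into the caller's shell.
    ( umask 077
      openssl req -new -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
          -out "$outdir/cert.pem" -keyout "$outdir/cert_key.pem" \
          -config "$outdir/dev.cnf" ) || return 1
}

# usage: cert_has_san CERT DOMAIN
# Succeeds only if DOMAIN appears as an exact DNS entry in the SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
}
```

For example, `gen_dev_cert ./ssl sub1.domain.com sub2.domain.com` followed by `cert_has_san ./ssl/cert.pem sub2.domain.com` confirms the second name was included before the files are copied to `/etc/nginx/ssl`.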