Generate new SSL certificate using SAN for localhost

Posted by Damodar Bashyal on July 19, 2017


SSH into your server and follow the steps below:

NOTE: I am logged in as root, so I haven't used sudo.

  • $ openssl genrsa -out rootCA.key 2048
  • $ openssl rsa -in rootCA.key -out rootCA.key
  • Create a file san.cnf with the following content

    [ req ] 
    [ req_distinguished_name ] 
    [email protected] 
  • $ openssl req -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -config <(cat san.cnf)
  • $ openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout rootCA.key -config <(cat san.cnf)
  • Create a file v3.ext with the following content

    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 =
    DNS.2 =
    DNS.3 =
    DNS.4 =
    DNS.5 =
    DNS.6 =
    DNS.7 =
    DNS.8 =
  • $ openssl x509 -req -in rootCA.pem -signkey rootCA.key -out server.crt -days 1024 -sha256 -extfile v3.ext
  • $ cp rootCA.key /etc/ssl/private/
  • $ cp server.crt /etc/ssl/certs/
  • $ nano /etc/httpd/conf.d/ssl.conf

    Then update these lines with new key and crt filenames:

    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/rootCA.key
  • $ service httpd restart
  • Go to the Chrome browser and enter chrome://restart

  • Visit your website and press F12.

  • Click on the 'Security' tab in Chrome's inspect window.

  • Click on 'View certificate', then go to the 'Details' tab in the certificate window and make sure you can see "Subject Alternative Name".

  • Click on 'Copy to File', follow the Certificate Export Wizard, select "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" and tick "Include all certificates in the certification path if possible".

  • Once you have saved it as a P7B file, type mmc in the Windows Run dialog (Windows + R).

  • Click on 'File' / 'Add/Remove Snap-in...'

  • Select 'Certificates' from Available snap-ins and then click 'Add'.

  • Select 'Computer Account' / Next / Local computer: (the computer this console is running on) / Finish / OK

  • Right-click on 'Certificates' (which is under Console Root / Trusted Root Certification Authorities) and click on All Tasks / 'Import'.

  • Follow the Certificate Import Wizard and import the PreviouslyExportedCertificate.P7B file.

Now restart your Chrome browser again and, once the website reloads, check your localhost. You should have a green https:// with a secure lock.
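The "Subject Alternative Name" check done above in the certificate's Details tab can also be run on the server before touching the browser. The script below is an added example, not part of the original post; `san_dns_names`, `cert_has_san` and `make_test_cert` are hypothetical helper names, and the certificates it generates are constructed test data.

```shell
#!/usr/bin/env bash
# Added example: check that a certificate names a host in subjectAltName (SAN).
# Chrome 58+ matches hostnames against SAN only, so the CN is ignored here.

# Print the certificate's SAN DNS entries, one per line (nothing if no SAN).
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if hostname $2 is an exact SAN DNS entry of certificate $1.
cert_has_san() {
    san_dns_names "$1" | grep -qxF -- "$2"
}

# Hypothetical helper: write a constructed self-signed certificate (CN=localhost)
# to $1. Remaining arguments become SAN DNS entries; with none, no SAN is set.
make_test_cert() {
    local out work i name rc
    out=$1; shift
    work=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name = dn\nprompt = no\n' > "$work/req.cnf"
    if [ $# -gt 0 ]; then
        printf 'x509_extensions = v3\n[v3]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
    fi >> "$work/req.cnf"
    printf '[dn]\nCN = localhost\n' >> "$work/req.cnf"
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 -config "$work/req.cnf" \
        -keyout "$work/key.pem" -out "$out" 2>/dev/null
    rc=$?
    rm -rf "$work"
    return $rc
}

# Demo on constructed certificates (not the server.crt from the steps above).
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/san.crt" localhost dev.localhost
make_test_cert "$demo_dir/cn-only.crt"
for f in san.crt cn-only.crt; do
    if cert_has_san "$demo_dir/$f" localhost; then echo "$f: SAN covers localhost"
    else echo "$f: no SAN entry for localhost"; fi
done
rm -rf "$demo_dir"
```

To check the certificate produced by the steps above, call `cert_has_san /etc/ssl/certs/server.crt <hostname>` with one of the hostnames listed in your v3.ext.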

This Fixed Issues Related To:

  1. Chrome: Invalid self signed SSL cert - Subject Alternative Name Missing
  2. Getting Chrome to accept self-signed localhost certificate
  3. Create self signed certificate with subjectAltName to fix [missing_subjectAltName] in Chrome 58+

