Generate new SSL certificate using SAN for localhost

Posted by Damodar Bashyal on July 19, 2017


SSH into your server and follow the steps below:


NOTE: I am logged in as root, so I haven't used sudo.

Google Chrome Browser Certificate Export

  • $ openssl genrsa -out rootCA.key 2048
  • $ openssl rsa -in rootCA.key -out rootCA.key
  • Create a file san.cnf with the following content

    [ req ]
    default_bits=2048
    prompt=no
    default_md=sha256
    distinguished_name=req_distinguished_name
    [ req_distinguished_name ]
    C=AU
    ST=NSW
    L=Arncliffe
    O=Test Organization
    OU=IT
    [email protected]
    CN=localhost
  • $ openssl req -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -config <(cat san.cnf)
  • $ openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout rootCA.key -config <(cat san.cnf)
  • Create a file v3.ext with the following content

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = local.dltr.org
    DNS.2 = cdn1.dltr.org
    DNS.3 = cdn2.dltr.org
    DNS.4 = cdn3.dltr.org
    DNS.5 = local.technooze.com
    DNS.6 = cdn1.technooze.com
    DNS.7 = cdn2.technooze.com
    DNS.8 = cdn3.technooze.com
    
  • $ openssl x509 -req -in rootCA.pem -signkey rootCA.key -out server.crt -days 1024 -sha256 -extfile v3.ext
  • $ cp rootCA.key /etc/ssl/private/
  • $ cp server.crt /etc/ssl/certs/
  • $ nano /etc/httpd/conf.d/ssl.conf

    Then update these lines with the new key and certificate filenames:

    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/rootCA.key
    
  • $ service httpd restart
  • Go to the Chrome browser and enter chrome://restart in the address bar.

  • Visit your website and press F12.

  • Click on the 'Security' tab in Chrome's inspect window.

  • Click on 'View certificate', then go to the 'Details' tab of the certificate window and make sure you can see "Subject Alternative Name".

  • Click on 'Copy to File', follow the Certificate Export Wizard, select "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" and tick "Include all certificates in the certification path if possible".

  • Once you have saved it as a P7B file, type mmc in the Windows Run dialog (Windows + R).

    windows mmc import local ssl certificate

  • Click on 'File' / 'Add/Remove Snap-in...'

  • Select 'Certificates' from Available snap-ins and then click 'Add'.

  • Select 'Computer Account' / Next / Local computer: (the computer this console is running on) / Finish / OK

  • Right-click on 'Certificates' (under Console Root / Trusted Root Certification Authorities) and click All Tasks / 'Import'.

  • Follow Certificate Import Wizard and import PreviouslyExportedCertificate.P7B file.

Now restart your Chrome browser again; once the website reloads, check your localhost. You should see a green https:// with a secure lock.
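The server-side part of the procedure above can be done in a single `openssl req -x509` call, since `-x509` makes `req` emit a self-signed certificate directly instead of a CSR that then has to be signed with `openssl x509 -req -signkey`. The script below is an added example, not the blog author's commands: it writes a san.cnf that carries the subjectAltName section (the role v3.ext plays above), generates the key and certificate, and then checks two things a practitioner wants to confirm before trusting the certificate in a browser: that every expected name is actually in the SAN list (Chrome 58+ ignores the CN), and that the private key on disk matches the public key in the certificate, which is worth checking because the steps above write rootCA.key twice (once with `genrsa`, again with `req -newkey -keyout`). It assumes `openssl` is on PATH; the hostnames such as local.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the blog author's commands. Assumes openssl is on PATH.

# gen_san_cert OUTDIR CN NAME...
# Writes OUTDIR/san.cnf, OUTDIR/server.key and OUTDIR/server.crt. Every NAME
# becomes a SAN entry: dotted IPv4 addresses go to IP.n, everything else to DNS.n.
gen_san_cert() {
    outdir=$1
    cn=$2
    shift 2
    mkdir -p "$outdir" || return 1
    cnf="$outdir/san.cnf"
    {
        printf '[ req ]\n'
        printf 'default_bits = 2048\nprompt = no\ndefault_md = sha256\n'
        printf 'distinguished_name = dn\nx509_extensions = v3_req\n'
        printf '[ dn ]\nC = AU\nST = NSW\nO = Test Organization\nCN = %s\n' "$cn"
        printf '[ v3_req ]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n'
        printf '[ alt_names ]\n'
        n=1
        for name in "$@"; do
            case $name in
                *[!0-9.]*) printf 'DNS.%d = %s\n' "$n" "$name" ;;  # hostname
                *)         printf 'IP.%d = %s\n'  "$n" "$name" ;;  # dotted IPv4
            esac
            n=$((n + 1))
        done
    } > "$cnf" || return 1
    # -x509: emit a self-signed certificate rather than a CSR.
    # -extensions v3_req: the section above that carries the SAN.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" \
        -config "$cnf" -extensions v3_req 2>/dev/null
}

# has_san CRT NAME: succeeds when NAME appears in the certificate's SAN list.
# The -text output prints the names on the line after the extension header.
has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "(DNS|IP Address):$2"'(,|$)'
}

# key_matches_cert CRT KEY: succeeds when the public half of the private key
# equals the public key embedded in the certificate.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Demo run with constructed names (localhost, a test hostname, a loopback IP).
demo_dir="${TMPDIR:-/tmp}/san-demo.$$"
if gen_san_cert "$demo_dir" localhost localhost local.example.test 127.0.0.1 \
   && has_san "$demo_dir/server.crt" localhost \
   && key_matches_cert "$demo_dir/server.crt" "$demo_dir/server.key"; then
    echo "OK: $demo_dir/server.crt carries the SAN entries and matches server.key"
    openssl x509 -in "$demo_dir/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name'
else
    echo "FAILED: certificate generation or verification did not succeed" >&2
fi
```

After `gen_san_cert /etc/ssl/local localhost localhost local.dltr.org`, point `SSLCertificateFile` and `SSLCertificateKeyFile` at the generated server.crt and server.key exactly as in the ssl.conf step above; the two check functions can be rerun at any time against whatever files Apache is configured to use.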

This fixed issues related to:

  1. Chrome: Invalid self signed SSL cert - Subject Alternative Name Missing
  2. Getting Chrome to accept self-signed localhost certificate
  3. Create self signed certificate with subjectAltName to fix [missing_subjectAltName] in Chrome 58+
