Generate self-signed ssl cert (Virtualbox Ubuntu) - fix for Chrome 58 requirement for subjectAltName / Subject Alternative Name
# Update refs to .example.com
# The <( ... ) process substitution below needs bash. -nodes leaves the private key unencrypted on disk;
# -extensions SAN pulls in the [ SAN ] section that printf appends to the stock openssl.cnf.
sudo su
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -new -out /etc/apache2/ssl/apache.crt -subj /C=GB/ST=London/L=London/O="Company Name"/OU=Team/CN=www.example.com -reqexts SAN -extensions SAN -config <(cat /usr/lib/ssl/openssl.cnf <(printf '[ SAN ]\nsubjectAltName=DNS:www.example.com,DNS:example.com,DNS:*.example.com'))
exit
sudo service apache2 restart
# On Windows, trust the certificate: save the new certificate from Chrome to desktop (via DevTools > Security > View > Details > Copy to file; use DER option)
# May need to delete any previously imported certificates via mmc (on Windows)
# Run mmc; add the Certificates snap-in; import from desktop to 'Trusted Root Certification Authorities' and also 'Other People'
# May need to clear Chrome history + SSLs (Settings > Network > Change proxy settings... > Content > Clear SSL state)
# -keyout /etc/apache2/ssl/apache.key may instead be -keyout /etc/ssl/private/www.example.com.key
# -out /etc/apache2/ssl/apache.crt may instead be -out /etc/ssl/certs/www.example.com.crt
# ^ Above two lines depend on path - this path may be defined in the vhosts file, e.g. /etc/apache2/sites-available/example.ssl.conf
# - look for SSLCertificateFile and SSLCertificateKeyFile
# If there is no other location for SSL certificates, create an ssl folder: sudo mkdir /etc/apache2/ssl
# If the certificate still appears to be issued by ubuntu then it is likely that the default-ssl.conf file is also still in use. Disable it: sudo a2dissite default-ssl.conf
# Links...
# https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
# http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/27931596#27931596
# Alt (vm2):
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/www.example.com.key -new -out /etc/ssl/certs/www.example.com.crt -subj /C=GB/ST=London/L=London/O="Company Name"/OU=Team/CN=*.example.com -reqexts SAN -extensions SAN -config <(cat /usr/lib/ssl/openssl.cnf <(printf '[ SAN ]\nsubjectAltName=DNS:www.example.com,DNS:example.com,DNS:*.example.com'))
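
Before importing the certificate into the Windows trust store, it is worth confirming that the subjectAltName entries actually made it into the file and that the key on disk belongs to it. The script below is an added example, not part of the original gist; the function names (`san_names`, `has_san`, `key_matches_cert`, `make_demo_certs`) and the minimal `san.cnf` are assumptions, and the sample certificates are constructed throwaways written to a temp directory.

```sh
#!/bin/sh
# Added example (not from the gist). Function names and san.cnf are hypothetical.

# Print the DNS entries of a certificate's subjectAltName, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if NAME is listed verbatim in the SAN (no wildcard expansion).
has_san() {
    san_names "$1" | grep -Fxq -- "$2"
}

# Succeed only if the certificate and the private key share one public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build constructed sample input in a temp dir and print its path:
# good.crt carries the SAN section, cn_only.crt uses the same key without it.
make_demo_certs() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '[ req ]' 'distinguished_name = dn' '[ dn ]' '[ SAN ]' \
        'subjectAltName=DNS:www.example.com,DNS:example.com,DNS:*.example.com' \
        > "$dir/san.cnf"
    openssl req -x509 -nodes -sha256 -days 1 -newkey rsa:2048 \
        -keyout "$dir/good.key" -out "$dir/good.crt" \
        -subj /CN=www.example.com -extensions SAN \
        -config "$dir/san.cnf" 2>/dev/null || return 1
    openssl req -x509 -new -sha256 -days 1 -key "$dir/good.key" \
        -out "$dir/cn_only.crt" -subj /CN=www.example.com \
        -config "$dir/san.cnf" 2>/dev/null || return 1
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_certs) || exit 1
    for crt in good.crt cn_only.crt; do
        if has_san "$d/$crt" www.example.com; then echo "$crt: SAN ok"
        else echo "$crt: no SAN entry for www.example.com"; fi
    done
    key_matches_cert "$d/good.crt" "$d/good.key" && echo "key matches good.crt"
    rm -rf "$d"
fi
```

Sourced into a shell, `has_san /etc/apache2/ssl/apache.crt www.example.com` and `key_matches_cert /etc/apache2/ssl/apache.crt /etc/apache2/ssl/apache.key` run the same checks against the files the gist's command writes.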