Generate ssl certificates with Subject Alt Names

Generate ssl certificates with Subject Alt Names on OSX

Open ssl.conf in a text editor.

Edit the domain(s) listed under the [alt_names] section so that they match the local domain name you want to use for your project, e.g.

DNS.1   = my-project.dev

Additional FQDNs can be added if required:

DNS.1   = my-project.dev
DNS.2   = www.my-project.dev
DNS.3   = fr.my-project.dev

Create a directory for your project, e.g. my_project and save ssl.conf inside it.

Open Terminal and navigate to 'my_project':

cd my_project

Generate a private key:

openssl genrsa -out private.key 4096

Generate a Certificate Signing Request:

openssl req -new -sha256 \
    -out private.csr \
    -key private.key \
    -config ssl.conf 

(You will be asked a series of questions about your certificate. Answer however you like, but for 'Common name' enter the name of your project, e.g. my_project)

Now check the CSR:

openssl req -text -noout -in private.csr

You should see the domain(s) you listed under [alt_names], along with the SHA-256 signature algorithm, e.g.

X509v3 Subject Alternative Name: DNS:my-project.dev and Signature Algorithm: sha256WithRSAEncryption

Generate the certificate:

openssl x509 -req \
    -sha256 \
    -days 3650 \
    -in private.csr \
    -signkey private.key \
    -out private.crt \
    -extensions req_ext \
    -extfile ssl.conf

Add the certificate to keychain and trust it:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain private.crt

(Alternatively, double click on the certificate file private.crt to open Keychain Access. Your project name my_project will be listed under the login keychain. Double click it and select 'Always trust' under the 'Trust' section.)

If you are using MAMP Pro, add (or edit) a host with the server name you listed under the [alt_names] section of your ssl.conf. On the SSL tab select the Certificate file and Certificate key that you just generated.

Save changes and restart Apache.
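
The -extensions req_ext and -extfile ssl.conf options in the signing step are what put the Subject Alt Names into the certificate: openssl x509 -req does not carry over the extensions requested in the CSR by itself. The script below is an added example, not part of the original gist. It repeats the steps non-interactively in a temporary directory and checks the CSR and two certificates, and the one signed without the extension options is expected to report the SAN as missing. The function names, prompt = no, the 2048-bit key and the 30-day lifetime are assumptions made to keep it quick.

```shell
# Added example (not from the gist): does the SAN survive CSR -> certificate?
# Domains, file names and function names are constructed for illustration.
# Non-interactive config in the shape of ssl.conf ("prompt = no" is an addition).
write_conf() {
  cat > "$1/ssl.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
commonName = my_project
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = my-project.dev
DNS.2 = www.my-project.dev
EOF
}

# Key and CSR in directory $1 (2048 bits only to keep the demo fast).
make_csr() {
  openssl genrsa -out "$1/private.key" 2048 2>/dev/null &&
  openssl req -new -sha256 -key "$1/private.key" -out "$1/private.csr" -config "$1/ssl.conf"
}

# Self-sign the CSR in $1 into $1/$2; remaining arguments go to openssl x509.
sign_csr() {
  _dir=$1; _out=$2; shift 2
  openssl x509 -req -sha256 -days 30 -in "$_dir/private.csr" \
    -signkey "$_dir/private.key" -out "$_dir/$_out" "$@" 2>/dev/null
}

# Succeed only if file $2 lists DNS name $3 ($1: "req" for a CSR, "x509" for a cert).
has_san() {
  openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' |
    tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -qxF "DNS:$3"
}

demo() {
  work=$(mktemp -d) && write_conf "$work" && make_csr "$work" || return 1
  sign_csr "$work" with_ext.crt -extensions req_ext -extfile "$work/ssl.conf"
  sign_csr "$work" no_ext.crt   # same CSR, extension options left out
  has_san req "$work/private.csr" my-project.dev && echo "private.csr: SAN present"
  for crt in with_ext.crt no_ext.crt; do
    has_san x509 "$work/$crt" my-project.dev && echo "$crt: SAN present" || echo "$crt: SAN missing"
  done
  rm -rf "$work"
}
demo
```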

ssl.conf:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = England
localityName = Locality Name (eg, city)
localityName_default = Brighton
organizationName = Organization Name (eg, company)
organizationName_default = Hallmarkdesign
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = your-website.dev
DNS.2 = another-website.dev
@v-andrius

One-liner to generate a self-signed certificate with subjectAltName for testing:

openssl req -new -newkey rsa:2048 -nodes \
  -subj "/C=GB/ST=England/L=Brighton/O=Example/CN=*.example.com/[email protected]" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) \
  -keyout example_com.key \
  -x509 -days 3650 -extensions SAN -out example_com.crt

Verify certificate:

openssl x509 -in example_com.crt -noout -text

@wiwan-wijoyo

Thanks, it worked.

@kevinsulatra

Thank you very much. It worked.

@masayyed

masayyed commented Dec 22, 2021

Thanks, thanks a lot, man.

@amcginlay

Particular thanks for this bit.

openssl x509 -req \
    ...
    -extensions req_ext \
    -extfile ssl.conf

I looked far and wide for a way to transition usages from CSR to Certificate, and this was it.

@wibed

wibed commented Aug 5, 2023

I'd like to chip in. Found this one-liner:

openssl req \
  -x509 \
  -newkey rsa:4096 \
  -sha256 \
  -days 3560 \
  -nodes \
  -keyout tls.key \
  -out tls.crt \
  -subj '/CN=localhost' \
  -extensions san \
  -config <(cat << EOF
[req]
distinguished_name=req
[san]
subjectAltName=@alt_names
[alt_names]
DNS.1=localhost
EOF
)

I'm currently debugging, so I am not sure if this works, but I like the format.

@lordent

lordent commented Mar 3, 2024

My no-brainer one-script solution in Python with short instructions; maybe it will save time for someone.

Just run python ssl_certificate_generator.py, that's all.

https://github.com/lordent/develop_certificate_generator/blob/main/ssl_certificate_generator.py
