```sh
#!/bin/sh
if [ "$#" -ne 1 ]
then
  echo "Usage: Must supply a domain"
  exit 1
fi

DOMAIN=$1

# All keys and certs are kept in ~/certs; the CA lives one level up (../myCA.pem, ../myCA.key)
cd ~/certs || exit 1

# Leaf private key and CSR (openssl req prompts for the subject fields)
openssl genrsa -out "$DOMAIN.key" 2048
openssl req -new -key "$DOMAIN.key" -out "$DOMAIN.csr"

# X.509 v3 extensions for the leaf certificate, including the subjectAltName entries
cat > "$DOMAIN.ext" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
DNS.2 = $DOMAIN.192.168.1.19.xip.io
EOF

# Sign the CSR with the local CA, applying the extensions above
openssl x509 -req -in "$DOMAIN.csr" -CA ../myCA.pem -CAkey ../myCA.key -CAcreateserial \
  -out "$DOMAIN.crt" -days 1825 -sha256 -extfile "$DOMAIN.ext"
```
Thanks for this -- definitely made the process of issuing signed certificates smooth. Do you happen to have a recommendation for how to adapt the `$DOMAIN.ext` config file if you're not using xip.io for wildcard DNS? I tried using just the internal IP of the host machine that I need to hit on my network, but that doesn't seem to be working and Chrome is still throwing an `ERR_SSL_PROTOCOL_ERROR` response. I confirmed that I have added `myCA.pem` (and adjusted trust level to 'always') to my system Keychain. I know there's no issue with the signed certificate itself because I can validate it against the CA I created...
Probably the error is not due to the internal IP mismatch but rather on how the certificate is issued. After a long search there are two things that need to change in order for the certificate to work:
- Add this `[ req_ext ]` before `subjectAltName = @alt_names`, ending up with the .ext file looking like this:

```
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
DNS.2 = $DOMAIN.127.0.0.1
```

- Change the last openssl command to:

```sh
openssl x509 -req -in $DOMAIN.csr -CA ../myCA.pem -CAkey ../myCA.key -CAcreateserial \
  -out $DOMAIN.crt -days 1825 -sha256 -extfile $DOMAIN.ext -extensions req_ext
```
As mtz_federico mentions on the Delicious Brains article, recently (Dec 19) macOS Catalina rejects certs valid for more than 825 days:
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/#post-4728028116
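The points raised in the two comments above (putting the extensions in a named `[ req_ext ]` section selected with `-extensions req_ext`, and keeping the leaf lifetime at or under 825 days for Catalina) can be checked end to end. The script below is an added example, not the gist author's script or the Delicious Brains article's code. It builds a throwaway CA and leaf certificate in a temp directory, carries its own minimal `req` config so it does not depend on the system `openssl.cnf`, and also goes one step beyond the thread by adding an `IP.1` entry to `[alt_names]`, which is how an address rather than a hostname goes into the SAN. The CA name, `mysite.test`, `192.168.1.19` and all paths are constructed values.

```shell
#!/bin/sh
# Added example (not the gist's code): CA-signed local-dev cert with DNS + IP SAN entries,
# extensions in a named [ req_ext ] section, and a lifetime check against the 825-day limit.
set -eu

# make_ca DIR : create a throwaway local CA (key + self-signed cert) in DIR.
make_ca() {
  dir=$1
  mkdir -p "$dir"
  # Minimal req config so this run does not depend on the system openssl.cnf (constructed).
  cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/myCA.key" -sha256 -days 1825 \
    -subj "/CN=Local Dev CA (example)" -config "$dir/req.cnf" -extensions v3_ca \
    -out "$dir/myCA.pem"
}

# issue_cert DIR DOMAIN IP DAYS : sign DIR/DOMAIN.crt with SAN = DNS:DOMAIN, IP:IP, valid DAYS days.
issue_cert() {
  dir=$1; domain=$2; ip=$3; days=$4
  openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
    -config "$dir/req.cnf" -out "$dir/$domain.csr"
  # Extensions live in a named section, selected with -extensions below.
  # An address belongs in an IP.N entry; a DNS.N entry holding an IP does not match in browsers.
  cat > "$dir/$domain.ext" <<EOF
[ req_ext ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $domain
IP.1 = $ip
EOF
  openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/myCA.pem" -CAkey "$dir/myCA.key" \
    -CAcreateserial -out "$dir/$domain.crt" -days "$days" -sha256 \
    -extfile "$dir/$domain.ext" -extensions req_ext 2>/dev/null
}

# chain_ok DIR DOMAIN : exit 0 if the leaf verifies against the local CA.
chain_ok() {
  openssl verify -CAfile "$1/myCA.pem" "$1/$2.crt" >/dev/null
}

# san_has CRT NEEDLE : exit 0 if NEEDLE (e.g. "IP Address:192.168.1.19") appears in the SAN.
san_has() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# lifetime_at_most CRT DAYS : exit 0 if the cert expires within DAYS (Catalina wants <= 825).
# -checkend exits 1 when the cert WILL expire inside the window, so the result is negated.
lifetime_at_most() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_ca "$d"
  issue_cert "$d" mysite.test 192.168.1.19 825
  chain_ok "$d" mysite.test && echo "chain OK"
  san_has "$d/mysite.test.crt" 'IP Address:192.168.1.19' && echo "IP SAN present"
  lifetime_at_most "$d/mysite.test.crt" 825 && echo "lifetime within 825 days"
  rm -rf "$d"
fi
```

Run it as `sh issue.sh run`. Swapping `-days 825` for the gist's `-days 1825` makes `lifetime_at_most ... 825` fail, which is the condition the Catalina comment describes; the `san_has` check is the quick way to confirm that the SAN actually made it into the signed certificate, since a CSR's own extension requests are ignored by `openssl x509 -req` unless they come in via `-extfile`.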
@polevaultweb thanks for the script
I use this for adding certificates to local sites with MAMP Pro:

- `certs` in your root directory
- `/usr/local/bin/`: `mv ssl.sh /usr/local/bin/ssl`
- `chmod u+x /usr/local/bin/ssl`
- `ssl mydomain.dev` (follow the prompts as per https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/#creating-ca-signed-certificates)