Setting up a multi-domain self-signed SSL certificate

Today I got annoyed by the fact that our development server was running everything over http while our production server was running everything over https. I was annoyed because every time I had to create a URL there had to be a condition in there to check which environment we’re on and whether to add an ‘s’ for https. It bloats the code, and it’s not even business logic, it’s a technical problem that shouldn’t be solved at the level we were solving it at.

We had thought about running everything locally over https before, but thought that we’d get the ‘This is probably not the site you are looking for!’ warning in Chrome every time we visited our development site. We didn’t think about any more and dismissed the idea.

Today I got the idea it should be possible to install an SSL certificate on my local machine (Windows 7) to say that I trust that certificate and that chrome shouldn’t bother me about it.

So I looked it up and indeed it’s quite easy to do once you know how.

  • Go to the website with the self-signed certificate and accept the error message
  • Click on the striked through ‘https’ in the omnibar (or address bar)
  • Click the ‘Connection’ tab and then ‘Certificate information’
  • Go to the ‘Details’ tab, and click ‘Copy to file …’ in the bottom right corner of that dialog
  • Select a path to save the certificate and save it
  • Go to “run” in windows and type “certmgr.msc”, then enter
  • In certmgr, click ‘Trusted Root Certification Authorities’ and then ‘Certificates’
  • With ‘Certificates’ selected, select ‘Action’ in the menu bar, and then ‘All tasks’ and then ‘Import’
  • Follow the wizard and select the file you saved in step 5
  • Restart chrome, go to your development site and all should work fine without any warning! If it doesn’t, try rebooting your computer and try again.

So now that we know that, we need to create a certificate for our development server (Linux, CentOS 7 in our case). In our case we have multiple domains we host and I didn’t want to create a separate certificate for all them, since that would take me quite some time to set up, so I looked for a way to get a single certificate to use for all our development domains.

This is also not very hard to do, but takes some time to figure out how to do it right (as I find it usually is with openssl).

First you need to create a configuration file with the details of your certificate, for example mysite.cnf

Here is a simple template to get you started:

distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

C = <Country>
ST = <Province>
L = <City>
O = <Organisation>
CN = <Primary Domain>

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
subjectAltName = @alt_names

DNS.1 = <Primary Domain>
DNS.2 = <2nd Domain>
DNS.3 = <3rd Domain>
DNS.4 = <4th Domain>
## on so on, and so forth.

So for primary domain you enter the main domain of your development server (or one at random, it doesn’t really matter). And then you can add additional domain names in the [alt_names] section.

Once you have this file, run

openssl genrsa -out mysite.key 3072 -nodes
openssl req -new -x509 -key mysite.key -sha256 -config mysite.cnf -out mysite.crt -days 730

(where mysite.cnf is the file above).

Once this is done point your http server to the SSL files, restart it, and you’re good to go!


Categories: ssl

Tags: ssl, self-signed, windows, linux