OpenSSL: Create a Self-Signed Certificate

Before running the OpenSSL command to generate a self-signed certificate, we need to create a certificate configuration file which specifies the key size, the distinguished name fields and the Subject Alternative Names.

  • The Subject Alt Names are required in Google Chrome 58 and later, and are used to match the domain name against the certificate.

  • If the domain name is not listed in the certificate's Subject Alternative Names list, you'll get a NET::ERR_CERT_COMMON_NAME_INVALID error message.

Create a certificate configuration file zone.conf with the following content:

[req]
default_bits = 2048
default_keyfile = zone.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = LK
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Western Province
localityName = Locality Name (eg, city)
localityName_default = Colombo
organizationName = Organization Name (eg, company)
organizationName_default = ZONE24X7 (PVT) LTD
organizationalUnitName = organizationalunit
organizationalUnitName_default = Infrastructure
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = zone24x7.lk
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = zone24x7.lk
DNS.3 = *.zone24x7.lk
IP.1 = 127.0.0.1

Generate the certificate using OpenSSL

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout zone.key -out zone.crt -config zone.conf

Configure Chrome to trust the certificate and to show the site as secure by adding the above self-signed certificate to the Windows trusted root CA store.

certutil.exe -addstore "Root" .\zone.crt

Generate .PFX file from the Certificate and Private Key.

openssl pkcs12 -export -out zone.pfx -inkey zone.key -in zone.crt
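As an added example (not part of the original page), the following POSIX shell script runs the generation step from a trimmed copy of zone.conf and then checks which hostnames and IPs the certificate actually covers, using openssl verify with the certificate itself as trust anchor. This is the same SAN match Chrome performs once the certificate is in the root store, so a name missing from alt_names is caught here instead of as NET::ERR_CERT_COMMON_NAME_INVALID in the browser. It assumes openssl is on PATH; WORK is a constructed scratch directory.

```shell
#!/bin/sh
# Constructed example: generate the self-signed cert, then test hostname
# and IP coverage against its SAN list the way a browser would.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Trimmed, non-interactive copy of the page's zone.conf (prompt = no,
# so the DN values are given directly instead of as prompts).
write_conf() {
    cat > "$WORK/zone.conf" <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
CN = zone24x7.lk
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = zone24x7.lk
DNS.3 = *.zone24x7.lk
IP.1 = 127.0.0.1
EOF
}

# Same openssl req invocation as the page (sudo is not needed; it would
# only leave the private key owned by root).
gen_cert() {
    write_conf
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$WORK/zone.key" -out "$WORK/zone.crt" \
        -config "$WORK/zone.conf" >/dev/null 2>&1
}

# Exit 0 if the DNS name in $1 is covered by the SAN list (wildcards included).
check_host() {
    openssl verify -CAfile "$WORK/zone.crt" -verify_hostname "$1" \
        "$WORK/zone.crt" >/dev/null 2>&1
}

# Exit 0 if the IP address in $1 is listed as an IP SAN (DNS entries do not count).
check_ip() {
    openssl verify -CAfile "$WORK/zone.crt" -verify_ip "$1" \
        "$WORK/zone.crt" >/dev/null 2>&1
}

# Print the SAN extension for manual inspection.
show_san() {
    openssl x509 -in "$WORK/zone.crt" -noout -text | grep -A1 'Subject Alternative Name'
}
```

Run gen_cert once, then call check_host or check_ip for every name the site will be served under; any that fail will also fail in Chrome regardless of the Common Name.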
