Creating Self-Signed SSL Certificates with Subject Alternative Name and Install as Trusted Certificate

Using IIS's 'Create Self-Signed Certificate' tool no longer generates a certificate that can be fully trusted by Chrome when installed as a trusted certificate.Chrome 58 and later requires a certificate to have a subject alternative name. These steps walk through generating and installing a self-signed certificate that can be fully trusted by chrome.

Create Self-Signed Certificate with Subject Alternative Name

1. Install OpenSSL for Windows if not already installed.

2. Use the BAT file to generate a self-signed certificate. Replace example with your domain, i.e. 'www.example' and dot with your top-level domain, i.e. com, org, local:

@echo off

REM IN YOUR SSL FOLDER, SAVE THIS FILE AS: makeCERT.bat
REM AT COMMAND LINE IN YOUR SSL FOLDER, RUN: makecert
REM IT WILL CREATE THESE FILES: example.cnf, example.crt, example.key
REM IMPORT THE .crt FILE INTO CHROME Trusted Root Certification Authorities
REM REMEMBER TO RESTART APACHE OR NGINX AFTER YOU CONFIGURE FOR THESE FILES

REM PLEASE UPDATE THE FOLLOWING VARIABLES FOR YOUR NEEDS.
SET HOSTNAME=example
SET DOT=com
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET EMAIL=webmaster@%HOSTNAME%.%DOT%

(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo x509_extensions = v3_req
echo distinguished_name = dn
echo:
echo [dn]
echo C = %COUNTRY%
echo ST = %STATE%
echo L = %CITY%
echo O = %ORGANIZATION%
echo OU = %ORGANIZATION_UNIT%
echo emailAddress = %EMAIL%
echo CN = %HOSTNAME%.%DOT%
echo:
echo [v3_req]
echo subjectAltName = @alt_names
echo:
echo [alt_names]
echo DNS.1 = *.%HOSTNAME%.%DOT%
echo DNS.2 = %HOSTNAME%.%DOT%
)>%HOSTNAME%.cnf

openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %HOSTNAME%.key -days 3560 -out %HOSTNAME%.crt -config %HOSTNAME%.cnf

Script original source: https://serverfault.com/a/850961/368731

3. Convert the certificate parts into a PFX file for easier usage in Windows.

openssl pkcs12 -export -out example.pfx -inkey example.key -in example.crt

 

Import Certificate as Trusted Root Certificate Authority

1. Open MMC.

2. Add the Certificates snap-in for the current user.

3. Browse to Certificates - Current User > Trusted Root Certification Authorities > Certificates

4. Import the example.pfx file

Don't forget to bind your certificate to your web server's website.

 

Share this post

Leave a comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
3 + 0 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.

About Us

Congruity Service is a technology solutions company bringing the best technology solutions to OpenInsight projects, Drupal sites, servers, networks, and your technology needs.