Creating Self-Signed SSL Certificates with Subject Alternative Name and Install as Trusted Certificate
Using IIS's 'Create Self-Signed Certificate' tool no longer generates a certificate that Chrome will fully trust, even when it is installed as a trusted certificate. Chrome 58 and later no longer falls back to the Common Name and requires the host name to appear in a subject alternative name (SAN) extension. These steps walk through generating and installing a self-signed certificate that Chrome fully trusts.
Create Self-Signed Certificate with Subject Alternative Name
1. Install OpenSSL for Windows if not already installed.
2. Use the BAT file below to generate a self-signed certificate. Replace the HOSTNAME value (example) with your host name, e.g. www.example, and the DOT value with your top-level domain, e.g. com, org or local:
@echo off
REM IN YOUR SSL FOLDER, SAVE THIS FILE AS: makeCERT.bat
REM AT COMMAND LINE IN YOUR SSL FOLDER, RUN: makecert
REM IT WILL CREATE THESE FILES: example.cnf, example.crt, example.key
REM IMPORT THE .crt FILE INTO CHROME Trusted Root Certification Authorities
REM REMEMBER TO RESTART APACHE OR NGINX AFTER YOU CONFIGURE FOR THESE FILES
REM PLEASE UPDATE THE FOLLOWING VARIABLES FOR YOUR NEEDS.
SET HOSTNAME=example
SET DOT=com
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET EMAIL=webmaster@%HOSTNAME%.%DOT%
(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo x509_extensions = v3_req
echo distinguished_name = dn
echo:
echo [dn]
echo C = %COUNTRY%
echo ST = %STATE%
echo L = %CITY%
echo O = %ORGANIZATION%
echo OU = %ORGANIZATION_UNIT%
echo emailAddress = %EMAIL%
echo CN = %HOSTNAME%.%DOT%
echo:
echo [v3_req]
echo subjectAltName = @alt_names
echo:
echo [alt_names]
echo DNS.1 = *.%HOSTNAME%.%DOT%
echo DNS.2 = %HOSTNAME%.%DOT%
)>%HOSTNAME%.cnf
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %HOSTNAME%.key -days 3560 -out %HOSTNAME%.crt -config %HOSTNAME%.cnf
Script original source: https://serverfault.com/a/850961/368731
3. Convert the certificate and private key into a PFX file for easier use in Windows. OpenSSL prompts for an export password, which you will need again when importing the file.
openssl pkcs12 -export -out example.pfx -inkey example.key -in example.crt
Import Certificate as Trusted Root Certificate Authority
1. Open MMC.
2. Add the Certificates snap-in for the current user.
3. Browse to Certificates - Current User > Trusted Root Certification Authorities > Certificates.
4. Import the example.pfx file.
Don't forget to bind your certificate to your web server's website.
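The whole procedure above (generate with SAN, check the SAN is really there, bundle into a PFX, import into the current user's Trusted Root store) can be run from one PowerShell session instead of a BAT file plus MMC. This is an added example, not part of the original post or the linked serverfault script; it assumes openssl.exe is on PATH, that the current directory is the folder that should hold the generated files, and the same placeholder values (example, com, the Olathe/KS subject fields) as the BAT file.

```powershell
# Added example (not from the original post): BAT file + MMC steps as one PowerShell script.
# Assumes openssl.exe is on PATH and the current directory holds the generated files.
$HostName = 'example'   # assumed placeholder: replace with your host label
$Dot      = 'com'       # assumed placeholder: replace with your top-level domain
$Fqdn     = "$HostName.$Dot"

# Same OpenSSL config the BAT file writes; [alt_names] is the part Chrome 58+ requires.
@"
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = US
ST = KS
L = Olathe
O = IT
OU = IT Department
emailAddress = webmaster@$Fqdn
CN = $Fqdn

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.$Fqdn
DNS.2 = $Fqdn
"@ | Set-Content -Path "$HostName.cnf" -Encoding ascii

# Private key + self-signed certificate, same openssl invocation as the BAT file.
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes `
    -keyout "$HostName.key" -days 3560 -out "$HostName.crt" -config "$HostName.cnf"
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

# Check before trusting anything: the certificate must carry DNS subjectAltName entries.
$certText = openssl x509 -in "$HostName.crt" -noout -text
if (-not ($certText | Select-String -Pattern 'DNS:' -Quiet)) {
    throw "$HostName.crt has no DNS subjectAltName; Chrome 58+ would reject it"
}

# Bundle key + certificate into a PFX. The export password is read once and handed to
# OpenSSL through an environment variable so it does not appear on the command line.
$pfxPassword  = Read-Host -Prompt 'PFX export password' -AsSecureString
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
openssl pkcs12 -export -out "$HostName.pfx" -inkey "$HostName.key" -in "$HostName.crt" -passout env:PFX_PASS
Remove-Item Env:\PFX_PASS
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }

# Equivalent of the MMC steps: Certificates - Current User > Trusted Root Certification Authorities.
$cert = Import-PfxCertificate -FilePath (Resolve-Path "$HostName.pfx").Path `
    -CertStoreLocation 'Cert:\CurrentUser\Root' -Password $pfxPassword

# Confirm what was installed and which names it covers (2.5.29.17 is the subjectAltName OID).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
'Installed {0} ({1}) with SAN: {2}' -f $cert.Subject, $cert.Thumbprint, $san.Format($false)
```

Windows shows a confirmation dialog when a certificate is added to the current user's Trusted Root store, whether from MMC or from Import-PfxCertificate; accept it to finish the import. Two points worth keeping in mind: the .key file and the PFX now hold the private key of something this user's browser trusts as a root, so they belong only on the machine the certificate was made for; and the Root-store import is what makes Chrome trust the certificate, while the web server binding (IIS, for example) needs the same PFX imported into the machine's Personal store, Cert:\LocalMachine\My, so the server can use the private key.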