January 30, 2020

Self-Signed Certificates that Work in Chrome

Creating a self-signed certificate is quite simple. However, Google Chrome flags most of them as insecure and doesn't even give you the "proceed" button/link.

To make it work, add -addext "extendedKeyUsage = serverAuth" to the openssl command. Here is a complete example:

openssl req \
  -x509 \
  -nodes \
  -days 365 \
  -newkey rsa:2048 \
  -keyout server.key \
  -out server.crt \
  -addext "extendedKeyUsage = serverAuth"

This command will give you two files: server.key and server.crt.

To run the same command non-interactively, add -subj "/C=US/ST=State/L=Locality/O=Organization/CN=www.example.com"
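
An added check, not part of the original post: this script runs the command above with -subj, then confirms that server.crt really carries the serverAuth extended key usage and belongs to server.key. The function names and the temporary directory are assumptions made for the example, and -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: generate the certificate non-interactively, then verify it.
# Function names and the temp directory are assumptions, not from the post.

# Write server.key and server.crt into directory $1 using the post's flags.
make_cert() {
  openssl req \
    -x509 \
    -nodes \
    -days 365 \
    -newkey rsa:2048 \
    -keyout "$1/server.key" \
    -out "$1/server.crt" \
    -addext "extendedKeyUsage = serverAuth" \
    -subj "/C=US/ST=State/L=Locality/O=Organization/CN=www.example.com"
}

# Succeed only if certificate $1 lists the serverAuth extended key usage.
# OpenSSL prints that usage as "TLS Web Server Authentication".
has_server_auth() {
  openssl x509 -in "$1" -noout -text \
    | grep -q "TLS Web Server Authentication"
}

# Succeed only if certificate $1 and private key $2 share one public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo run in a throwaway directory so existing files are never overwritten.
demo_dir=$(mktemp -d)
if make_cert "$demo_dir" 2>/dev/null \
   && has_server_auth "$demo_dir/server.crt" \
   && key_matches_cert "$demo_dir/server.crt" "$demo_dir/server.key"; then
  echo "OK: serverAuth EKU present and key matches certificate"
else
  echo "FAIL: certificate is missing serverAuth or does not match the key" >&2
fi
rm -rf "$demo_dir"
```

Run the two check functions against any existing server.crt and server.key to see whether a certificate created earlier is missing the extension.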