Tags: google-chrome, ssl, certificate, self-signed

Getting Chrome to accept self-signed localhost certificate


I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however, refuse to accept it, even after adding the certificate to the system certificate store under Trusted Roots. Even though the certificate is listed as correctly installed when I click "View certificate information" in Chrome's HTTPS popup, it still insists the certificate cannot be trusted.

What am I supposed to do to get Chrome to accept the certificate and stop complaining about it?


Solution

  • With only 5 openssl commands, you can accomplish this.

    (Please don't change your browser security settings.)

    With these commands, you can:

    1. Become your own CA
    2. Then sign your SSL certificate as a CA

    Instructions:

    1. Copy the code snippet into a new file.
    2. Update the variable NAME (and optionally DNS.2 and IP.1) and save the file.
    3. Run the script (e.g. bash generate_certs.sh). This will generate myCA.pem, $NAME.crt, and $NAME.key for you.
    4. Then in your Chrome settings import the generated CA certificate (myCA.pem) as an "Authority" (not into "Your Certificates"): Settings > Manage certificates > Authorities > Import.
    5. Use the generated $NAME.crt and $NAME.key files in your server for SSL/TLS.

    NB: For Windows, some reports say that openssl must be run with winpty to avoid a crash.

    ######################
    # Become a Certificate Authority
    ######################
    
    # Generate private key
    openssl genrsa -des3 -out myCA.key 2048
    # Generate root certificate
    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem
    
    ######################
    # Create CA-signed certs
    ######################
    
    NAME=mydomain.example # Use your own domain name
    # Generate a private key
    openssl genrsa -out $NAME.key 2048
    # Create a certificate-signing request
    openssl req -new -key $NAME.key -out $NAME.csr
    # Create a config file for the extensions
    >$NAME.ext cat <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
    DNS.2 = bar.$NAME # Optionally, add additional domains (I've added a subdomain here)
    IP.1 = 192.168.0.13 # Optionally, add an IP address (if the connection which you have planned requires it)
    EOF
    # Create the signed certificate
    openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
    -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext
    

    Recap

    1. Run the code snippet to (a) become a CA and (b) sign your certificate using your CA cert+key.
    2. Import myCA.pem as an "Authority" in your Chrome settings (Settings > Manage certificates > Authorities > Import).
    3. Use the $NAME.crt and $NAME.key files in your server.

    You can check your work to ensure that the certificate is built correctly:

    openssl verify -CAfile myCA.pem -verify_hostname bar.mydomain.example mydomain.example.crt
    

    Extra steps for Mac

    1. Import the CA cert at "File > Import file", then also find it in the list, right click it, expand "> Trust", and select "Always"
    2. Add extendedKeyUsage=serverAuth,clientAuth below basicConstraints=CA:FALSE, and make sure you set the "CommonName" to the same as $NAME when it asks for setup.

    Extra steps for Windows

    1. Convert the myCA.pem to myCA.pfx by doing:

      openssl pkcs12 -export -out myCA.pfx -inkey myCA.key -in myCA.pem
      
    2. Import the myCA.pfx into the Trusted Certificate Authorities of Windows by opening (double-click) the myCA.pfx file, selecting "Local Machine" and Next, Next again, enter the password and then Next, and select "Place all certificates in the following store:" and click on Browse and choose "Trusted Root Certification Authorities" and Next, and then Finish.

    Now your CA certificate is trusted by Windows. When you import and use the $NAME certificate it will be automatically trusted by Windows and Chrome.
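As an added example (not the answer's own script), the following bash reproduces the answer's CA-then-leaf flow non-interactively and then checks the three things that decide whether Chrome will trust the result: the chain validates against the private CA, the hostname is present as a SAN entry (Chrome ignores the CN), and the leaf carries basicConstraints=CA:FALSE. It assumes bash and openssl 1.1.1 or later; the CA name and the temp-dir layout are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not the answer's own script). Assumes bash and openssl >= 1.1.1
# (for "x509 -ext"); names such as "Example Local CA" are constructed.
set -eu

# Re-creates the answer's CA + leaf flow non-interactively in $1 for the name $2:
# -nodes/-subj replace the prompts, so the CA key is unencrypted (keep it out of any repo).
build_certs() {
  local dir="$1" name="$2"
  openssl genrsa -out "$dir/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/myCA.key" -sha256 -days 825 \
    -subj "/CN=Example Local CA" -out "$dir/myCA.pem"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
  cat >"$dir/$name.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $name
DNS.2 = bar.$name
EOF
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/myCA.pem" -CAkey "$dir/myCA.key" \
    -CAcreateserial -out "$dir/$name.crt" -days 825 -sha256 -extfile "$dir/$name.ext" 2>/dev/null
}

# Returns 0 when leaf $2, issued by CA $1, is what Chrome will accept for DNS name $3;
# prints the first failing check and returns 1 otherwise.
check_leaf() {
  local ca="$1" cert="$2" host="$3" san bc
  # 1. Chain and hostname: the same check the answer's recap suggests.
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
    || { echo "chain/hostname verification failed for $host"; return 1; }
  # 2. SAN: Chrome ignores CN, so the name must appear as a DNS entry in subjectAltName.
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true)
  printf '%s\n' "$san" | grep -Eq "DNS:$host(,|\$)" \
    || { echo "no subjectAltName DNS entry for $host"; return 1; }
  # 3. The leaf must not be usable as a CA itself.
  bc=$(openssl x509 -in "$cert" -noout -ext basicConstraints 2>/dev/null || true)
  printf '%s\n' "$bc" | grep -q 'CA:FALSE' \
    || { echo "leaf lacks basicConstraints=CA:FALSE"; return 1; }
  return 0
}
```

Source the file, then run `build_certs "$dir" mydomain.example` followed by `check_leaf "$dir/myCA.pem" "$dir/mydomain.example.crt" mydomain.example`; a name that is not in the SAN list (or a leaf signed by a different CA) makes `check_leaf` report the failing step.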