Revisiting SSL for Development
Whoever is careless with the truth in small matters cannot be trusted with important matters. - Albert Einstein
With the release of Chrome 62, any page you visit that accepts user input and is not served with a valid SSL certificate gets a "Not secure" note in the address bar. This is a step towards secure by default, but not everybody is keen for it to happen.
So how do we get rid of the warning on our local development machines? In our previous blog post we looked at getting certificates for your local machine using makecert. However, since Chrome 58 and Firefox 48, CN matching has been deprecated: browsers require that certificates list their hostname(s) in the SubjectAltName field, and values in the subject field are ignored. This means we cannot use makecert to generate our certificates, as it is unable to populate the required field.
Fortunately there are tools out there to save us. OpenSSL is an open source, robust and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. With it we can generate certificates that satisfy the needs of modern browsers. To begin with we will put together a config file with the fields we want in our certificate. This should be in INI format.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = UK
ST = NA
L = Dev
O = YOUR ORGANISATION LTD
OU = Development
CN = YOUR NAME FOR THIS AUTHORITY

[v3_req]
keyUsage = keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = dev.api.yoursite.com
DNS.2 = dev.api.yoursite.io
DNS.3 = dev.www.yoursite.com
DNS.4 = dev.www.yoursite.io
IP.1 = 127.0.0.1
The alt_names section should list every hostname you want the certificate to apply to (as DNS.n entries) and any IP addresses you want it to cover (as IP.n entries). With a configuration prepared, we next request a certificate to use as a local authority and use that to generate a usable certificate.
openssl.exe req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout YourAuthority.pem -out YourAuthority.pem -config site_details.cfg
openssl.exe pkcs12 -export -out OUTFILE.pfx -in YourAuthority.pem -name "Certificate Name (DEV)" -passout pass:YOURPASSWORD
We have now generated a PKCS12 (PFX) certificate which IIS can understand. To make it easier to get that certificate into IIS, we can use certutil to import it into the user and local machine certificate stores. This certificate acts both as a valid SSL certificate in IIS and as its own authority.
certutil -f -user -p YOURPASSWORD -enterprise -importpfx root "OUTFILE.pfx"
certutil -p YOURPASSWORD -importpfx "OUTFILE.pfx"
Configure your site to use your certificate via the bindings option in the IIS snap-in. This is enough for Chrome to give you a green "Secure" padlock. For Firefox we need to add an exception for our site, as the certificate is self-signed, and then we get the green "Secure" padlock there too.
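To make the SubjectAltName rule concrete, here is an added Python example (not code from the original post) that writes a config in the same shape for any list of names, routing IP literals to IP.n entries rather than DNS.n, and then checks hostnames against the SAN list the way a browser does, ignoring the CN. The function names and the organisation/CN values are placeholders of my own; the hostnames are the ones used in the post.

```python
import ipaddress

def split_sans(names):
    """Sort SAN entries into DNS names and IP literals (IPs must go in IP.n)."""
    dns, ips = [], []
    for name in names:
        try:
            ips.append(str(ipaddress.ip_address(name)))
        except ValueError:
            dns.append(name.lower().rstrip("."))
    return dns, ips

def build_openssl_config(cn, org, names):
    """Emit an OpenSSL req config in the shape used in the post."""
    dns, ips = split_sans(names)
    alt = [f"DNS.{i} = {n}" for i, n in enumerate(dns, 1)]
    alt += [f"IP.{i} = {a}" for i, a in enumerate(ips, 1)]
    lines = [
        "[req]",
        "distinguished_name = req_distinguished_name",
        "x509_extensions = v3_req",
        "prompt = no",
        "[req_distinguished_name]",
        f"O = {org}",
        f"CN = {cn}",  # display only: browsers no longer match on the CN
        "[v3_req]",
        "keyUsage = keyEncipherment, dataEncipherment, nonRepudiation",
        "extendedKeyUsage = serverAuth",
        "subjectAltName = @alt_names",
        "[alt_names]",
        *alt,
    ]
    return "\n".join(lines) + "\n"

def san_covers(host, names):
    """Browser rule: host must match a SAN entry; a wildcard is the whole leftmost label only."""
    dns, ips = split_sans(names)
    try:
        return str(ipaddress.ip_address(host)) in ips
    except ValueError:
        host = host.lower().rstrip(".")
    labels = host.split(".")
    for pattern in dns:
        if pattern == host:
            return True
        wild = pattern.startswith("*.") and "*" not in pattern[2:]
        if wild and len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]:
            return True
    return False
```

Run `san_covers` against your own alt_names list before generating the certificate: any hostname it reports as uncovered is one Chrome will still flag, however the CN is set.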