Creating a cert
1) Create an OpenSSL request config and save the file as "req.conf".
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = MY
ST = Kuala Lumpur
L = Kuala Lumpur
O = Company Name
CN = localhost
[v3_req]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost.abc
DNS.2 = localhost
2) It is important to include "digitalSignature" in the keyUsage field; otherwise, modern browsers will block the cert.
3) Run the following OpenSSL command to generate the certificate. Replace the "days" value as needed.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out certificate.pem -config req.conf -extensions 'v3_req'
4) Run the following OpenSSL command to get the P12 format.
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
If this certificate is also used on an older system (e.g. Windows 7), include the -legacy option.
openssl pkcs12 -legacy -inkey key.pem -in certificate.pem -export -out certificate.p12
5) Or, if you need JKS format, convert the P12 file with keytool.
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore certificate.jks -deststoretype jks
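Added example (not part of the original steps): a shell check that builds the certificate from the req.conf in step 1 and confirms the extensions called out in step 2 are present in the result before you import it anywhere. The function names make_cert and check_cert are hypothetical, and it assumes openssl and mktemp are on the PATH.

```shell
# Added example: generate the cert from this page's req.conf, then verify it.
# make_cert DIR KEYUSAGE: write req.conf (fields as in step 1) and a cert into DIR.
make_cert() {
    dir=$1; usage=$2
    mkdir -p "$dir"
    cat > "$dir/req.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = MY
ST = Kuala Lumpur
L = Kuala Lumpur
O = Company Name
CN = localhost
[v3_req]
keyUsage = $usage
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost.abc
DNS.2 = localhost
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/key.pem" -out "$dir/certificate.pem" \
        -config "$dir/req.conf" -extensions v3_req 2>/dev/null
}

# check_cert PEM HOSTNAME: return 0 only if the cert carries digitalSignature,
# serverAuth and a SAN entry for HOSTNAME; print each item that is missing.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    rc=0
    printf '%s\n' "$text" | grep -q 'Digital Signature' \
        || { echo "missing keyUsage digitalSignature"; rc=1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "missing extendedKeyUsage serverAuth"; rc=1; }
    printf '%s\n' "$text" | grep -Eq "DNS:$2(,| |\$)" \
        || { echo "no subjectAltName entry for $2"; rc=1; }
    return $rc
}

# Demo in a throwaway directory (constructed input, same values as step 1).
demo=$(mktemp -d)
make_cert "$demo" "digitalSignature, keyEncipherment, dataEncipherment"
check_cert "$demo/certificate.pem" localhost && echo "certificate OK"
```

The generated key.pem is unencrypted because of -nodes, so keep the demo directory out of shared locations and delete it when done.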
Install Cert on macOS
1) Go to the "Keychain Access" App on your device.
2) Select "File", then "Import Items".
3) Select the cert file that you created earlier.
4) Double-click the imported cert and expand the "Trust" section.
5) Set it to "Always Trust".
6) Now you can try to access the HTTPS URL from your browser, and it should be trusted.