Generating self-signed HTTPS certificates with subjectAltNamesPosted by Dylan Beattie on 07 August 2017 • permalink
We provide online services via a bunch of different websites, using federated authentication so that if you sign in to our authentication server, you get a *.mydomain.com cookie that’s sent to any other server on our domain.
We use local wildcard DNS, so there’s a *.mydomain.com.local record that resolves everything to 127.0.0.1, and for each developer machine we create a *.mydomain.com.hostname record that’s an alias for hostname, so you can browse to www.mydomain.com.<machine> to see code running on another developer’s workstation, or www.mydomain.com.local to view your own local development code.
This works pretty well, but getting a local development system set up involves running local versions of several different apps – and since Google Chrome now throws a security error for any HTTPS site whose certificate doesn’t include a “subject alternative name” field, getting a bunch of local sites all happily sharing the same cookies over HTTPS proved a bit fiddly.
So… here’s a batch file that will spit out a bunch of very useful certificates, adapted from this post on serverfault.com.
How it works
- Get openssl.exe working - I use the version that's shipped with Cygwin, installed into C:\Windows\Cygwin64\bin\ and added to my system path.
- Run makecert.bat. If you don't want to specify a password, just provide a blank one (press Enter). This will spit out three files:
- Double-click the local_and_hostname.crt file, click "Install Certificate", and use the Certificate Import Wizard to import it. Choose "Local Machine" as the Store Location, and "Trusted Root Certification Authorities" as the Certificate Store.
- Open IIS, select your machine, open "Server Certificates" from the IIS snapin, click "Import..." in the Actions panel
- Select the local_and_hostname.pfx certificate created by the batch file. If you used a password when exporting your PKCS12 (.pfx) file, you'll need to provide it here
- Finally, set up your IIS HTTPS bindings to use your new certificate.