Fix: Self-Signed SSL Certificates Not Trusted in Browsers

TL;DR

Browsers reject self-signed TLS certificates (still widely called SSL certificates), which gets in the way of local HTTPS development. This guide shows how to create your own Certificate Authority (CA), add it to the trust stores on Windows, macOS and Linux, and issue certificates for local hosts that browsers will accept. Keep one consequence in mind: every browser that trusts that CA will also trust any other certificate it signs, so the CA key has to be protected like a credential.

Step 1: Create Your Own CA

You’ll need OpenSSL installed. Most Linux distributions and macOS ship it by default. On Windows, install a build from a reputable source or use WSL, where the Linux distribution’s own openssl package is available.

  1. Generate the CA Private Key: This key is the secret the whole setup rests on. Anyone who obtains it can issue a certificate for any site, and every machine that trusts the CA will accept it, so keep the file readable only by you and off shared drives. To protect it with a passphrase, add -aes256 to the command (you will then be prompted for the passphrase whenever the key is used).
    openssl genrsa -out ca.key 2048
  2. Create a Self-Signed CA Certificate: Fill in the details as prompted. The Common Name (CN) is how the certificate will be listed in the trust stores, so use something descriptive like “My Local CA”. With OpenSSL’s stock configuration the certificate is marked as a CA (basicConstraints CA:TRUE), which browsers require before they accept it as a root.
    openssl req -x509 -new -key ca.key -sha256 -days 3650 -out ca.crt

Step 2: Add the CA Certificate to Your Trusted Stores

This is where things differ depending on your operating system. Two browser details apply everywhere: Chrome, Edge and Safari use the operating system’s trust store, whereas Firefox keeps its own NSS certificate store and only consults the OS store when its security.enterprise_roots.enabled preference is turned on; Chromium-based browsers on Linux likewise read the shared NSS database in ~/.pki/nssdb rather than the system store. If a browser still warns after the steps below, that is usually why.

Windows

  1. Open mmc.exe: Press Win+R, type “mmc”, and press Enter (approve the administrator prompt).
  2. Add the Certificates Snap-in: File > Add/Remove Snap-in… Select “Certificates”, click Add, choose “Computer account” and then “Local computer”, and click Finish. Installing under the computer account trusts the CA for every user on the machine; choose “My user account” instead to limit it to yourself.
  3. Import Your CA Certificate: Expand Certificates (Local Computer), right-click “Trusted Root Certification Authorities”, select “All Tasks” > “Import…”, and follow the wizard, selecting your ca.crt file when prompted. Make sure the wizard places it in the Trusted Root Certification Authorities store and not in Personal or Intermediate Certification Authorities.

macOS

  1. Open Keychain Access: Search for it in Spotlight.
  2. Import Your CA Certificate: Drag and drop your ca.crt file into the Keychain Access window. Dropping it on the login keychain trusts it for your account only; dropping it on the System keychain trusts it for all users and requires an administrator password.
  3. Trust the Certificate: Double-click on the imported certificate. Expand “Trust”. Change “When using this certificate” to “Always Trust” (at minimum the “Secure Sockets Layer (SSL)” entry must be set to Always Trust). You may need to enter your password.

Linux (Debian/Ubuntu)

  1. Copy the CA Certificate: Copy ca.crt to /usr/local/share/ca-certificates/. The file name must end in .crt or the next step will ignore it.
    sudo cp ca.crt /usr/local/share/ca-certificates/
  2. Update the Certificate Store: This regenerates /etc/ssl/certs, which is what OpenSSL-, GnuTLS- and curl-based tools read. Firefox and Chromium do not read it; they need the CA added to their own NSS database with certutil (package libnss3-tools).
    sudo update-ca-certificates

Linux (Other Distributions)

The process varies. On Fedora, RHEL and their derivatives, copy the certificate into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust; on Arch Linux, use trust anchor --store. Firefox and Chromium on Linux keep their own NSS databases (Firefox under ~/.mozilla/firefox/<profile>/, Chromium in ~/.pki/nssdb), to which the certificate is added with certutil from the libnss3-tools (Debian/Ubuntu) or nss-tools (Fedora/RHEL) package.
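Putting the platform-specific steps above into one script, as an added example that is not the article’s own code: it detects the platform, installs the CA into the system store with the command each platform documents for that purpose, and then adds it to any Firefox profile or Chromium NSS database it finds, since those browsers keep their own store. The platform mapping, the file name local-ca.crt and the DRY_RUN switch are this script’s own assumptions; certutil comes from libnss3-tools or nss-tools. On Windows use the MMC steps above (or Import-Certificate in PowerShell) instead.

```shell
#!/bin/sh
# install_local_ca.sh: add a local CA certificate to the system trust store and to the NSS
# databases that Firefox (all platforms) and Chromium on Linux use instead of the OS store.
# Added example, not the article's own script. The platform mapping, the local-ca.crt file
# name and the DRY_RUN switch are this script's own assumptions.
set -eu

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed first.
# (The printed form is for review; when executed, arguments are passed intact.)
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Map uname and /etc/os-release to one of: darwin, debian, rhel, arch, unknown.
detect_platform() {
  case "$(uname -s)" in
    Darwin) echo darwin; return 0 ;;
    Linux) ;;
    *) echo unknown; return 0 ;;
  esac
  ids=""
  if [ -r /etc/os-release ]; then
    # ID_LIKE covers derivatives (Ubuntu -> debian, Rocky -> rhel, Manjaro -> arch)
    ids=$(. /etc/os-release; echo "${ID:-} ${ID_LIKE:-}")
  fi
  case " $ids " in
    *debian*|*ubuntu*) echo debian ;;
    *fedora*|*rhel*|*centos*) echo rhel ;;
    *arch*) echo arch ;;
    *) echo unknown ;;
  esac
}

# Install CA certificate $1 (PEM) into the system store of platform $2.
# update-ca-certificates only picks up files ending in .crt, hence the fixed file name.
install_system_ca() {
  cert="$1"; platform="$2"
  case "$platform" in
    darwin)
      run sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$cert" ;;
    debian)
      run sudo cp "$cert" /usr/local/share/ca-certificates/local-ca.crt
      run sudo update-ca-certificates ;;
    rhel)
      run sudo cp "$cert" /etc/pki/ca-trust/source/anchors/local-ca.crt
      run sudo update-ca-trust ;;
    arch)
      run sudo trust anchor --store "$cert" ;;
    *)
      echo "unsupported platform: $platform" >&2; return 1 ;;
  esac
}

# Firefox profiles and Chromium's shared NSS database do not consult the OS store by
# default. Trust flags "C,," mark the certificate as a CA for TLS server authentication only.
# certutil comes from libnss3-tools (Debian/Ubuntu) or nss-tools (Fedora/RHEL).
install_nss_ca() {
  cert="$1"; nickname="${2:-My Local CA}"
  for db in "$HOME/.pki/nssdb" "$HOME"/.mozilla/firefox/*.default* \
            "$HOME/Library/Application Support/Firefox/Profiles"/*.default*; do
    [ -d "$db" ] || continue   # unexpanded globs and absent directories are skipped
    run certutil -d "sql:$db" -A -t "C,," -n "$nickname" -i "$cert"
  done
}

# Usage: [DRY_RUN=1] sh install_local_ca.sh ca.crt  (no argument: only define the functions)
main() {
  cert="$1"
  [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
  install_system_ca "$cert" "$(detect_platform)"
  install_nss_ca "$cert"
}
[ $# -eq 0 ] || main "$1"
```

Run it once as DRY_RUN=1 sh install_local_ca.sh ca.crt to see exactly which commands will be executed, then again without DRY_RUN to apply them. The NSS trust flags C,, trust the certificate for TLS server authentication only, which is all local development needs; do not widen them.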

Step 3: Generate a Certificate for Your Local Host

  1. Create a Private Key for Your Host:
    openssl genrsa -out localhost.key 2048
  2. Create a Certificate Signing Request (CSR): Fill in the details, using your local hostname as the Common Name (CN), for example “localhost”.
    openssl req -new -key localhost.key -out localhost.csr
  3. Declare the host names in a Subject Alternative Name (SAN) extension: Chrome (since version 58), Firefox and Safari (on macOS 10.15 and later) no longer fall back to the CN and match the site name only against the SAN, so a certificate without one fails with a hostname error whatever the CN says. Put every name and IP address you will type into the address bar into a small extension file:
    printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' > localhost.ext
  4. Sign the CSR with Your CA, attaching those extensions:
    openssl x509 -req -in localhost.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out localhost.crt -days 365 -sha256 -extfile localhost.ext
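Steps 1 and 3 together, as an added example that is not part of the original article: it writes a small OpenSSL configuration so the CA certificate is explicitly marked CA:TRUE and the host certificate carries the subjectAltName, key usage and serverAuth extensions browsers check, and it then verifies the result, including the hostname match, with openssl verify. File names follow the article; the config sections, function names and the sample names app.local.test and 127.0.0.1 are this script’s own. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# make_local_certs.sh: build a throwaway local CA and issue a server certificate that
# carries subjectAltName, then verify the result the way a browser would.
# Added example, not the article's own script. File names follow the article; the
# config sections, function names and sample host names are assumptions of this script.
set -eu

# Write a minimal OpenSSL config to $1. $2 is the SAN list used by the v3_leaf section,
# e.g. "DNS:localhost,DNS:app.local.test,IP:127.0.0.1".
write_openssl_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder

[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = $2
EOF
}

# Step 1: CA key (readable only by the owner) and a self-signed CA certificate.
# The key is unencrypted here; add -aes256 to genrsa if the CA outlives a single dev box.
make_local_ca() {
  dir="$1"
  mkdir -p "$dir"
  write_openssl_cnf "$dir/openssl.cnf" "DNS:localhost"
  (umask 077; openssl genrsa -out "$dir/ca.key" 2048)
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
    -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj "/CN=My Local CA" -out "$dir/ca.crt"
}

# Step 3: key, CSR and CA-signed certificate for one host. $3 is the CN, $4 the SAN list;
# browsers match the site name against the SAN only, so it must list every name you will type.
make_leaf_cert() {
  dir="$1"; name="$2"; cn="$3"; sans="$4"
  write_openssl_cnf "$dir/$name.cnf" "$sans"
  (umask 077; openssl genrsa -out "$dir/$name.key" 2048)
  openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" \
    -subj "/CN=$cn" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/$name.cnf" -extensions v3_leaf -out "$dir/$name.crt"
}

# Chain check: succeeds only if certificate $2 chains to the CA certificate $1.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Name check as a browser does it: chain plus host name $2 matched against the SAN list of $3.
verify_host() { openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; }

# Succeeds if the SAN extension of $1 mentions $2 (e.g. "DNS:localhost" or "IP Address:127.0.0.1").
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# Live check of a running server at $1:$2 against CA $3 (SNI is sent so virtual hosts
# return the right certificate); "Verify return code: 0 (ok)" is what the browser needs too.
probe_server() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh make_local_certs.sh OUTDIR  (with no argument the script only defines the functions)
main() {
  make_local_ca "$1"
  make_leaf_cert "$1" localhost localhost "DNS:localhost,DNS:app.local.test,IP:127.0.0.1"
  if verify_chain "$1/ca.crt" "$1/localhost.crt" \
     && verify_host "$1/ca.crt" app.local.test "$1/localhost.crt"; then
    echo "localhost.crt: chain and SAN verified"
  else
    echo "localhost.crt: verification FAILED" >&2; return 1
  fi
  openssl x509 -in "$1/localhost.crt" -noout -subject -issuer -dates
}
[ $# -eq 0 ] || main "$1"
```

Save it as make_local_certs.sh and run sh make_local_certs.sh ./local-ca; then point Nginx’s ssl_certificate and ssl_certificate_key (or Apache’s SSLCertificateFile and SSLCertificateKeyFile) at local-ca/localhost.crt and local-ca/localhost.key. Once the server is up, source the script and call probe_server localhost 443 local-ca/ca.crt: it succeeds only when the chain verifies, which is the same check the browser makes. To cover another host name, call make_leaf_cert again with a different SAN list instead of touching the CA; the CA key should only ever sign.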

Step 4: Configure Your Web Server

Configure your web server to use the generated localhost.key and localhost.crt files for HTTPS: in Nginx these go into the ssl_certificate and ssl_certificate_key directives of the server block, in Apache into SSLCertificateFile and SSLCertificateKeyFile. Make the key readable only by the user the server runs as, and reload or restart the server afterwards.

Step 5: Restart Your Browser

Close all browser windows and start the browser again so it reloads the trust store. The certificate issued by your CA should now be accepted and the address bar should show the connection as secure.

Troubleshooting

  • Browser still warns about an unknown issuer: Double-check that the CA certificate landed in the trusted root store (not a personal or intermediate store) and, for Firefox, that it was added to Firefox’s own store or security.enterprise_roots.enabled is turned on. On the command line, openssl s_client -connect localhost:443 -CAfile ca.crt should report “Verify return code: 0 (ok)”; if it does while the browser still complains, the problem is the browser’s store, not the certificate.
  • Hostname Mismatch: Ensure the name you use to access the site (including 127.0.0.1 if you type that) appears in the certificate’s Subject Alternative Name; a matching Common Name alone is not enough for current browsers.
  • Browser Cache: Clear your browser cache and cookies, and retry in a private window to rule out state left over from earlier failed attempts.