@r-pai
Forked from jchandra74/openssl.MD
Created February 19, 2020 06:45
HOWTO: Create Your Own Self-Signed Certificate with Subject Alternative Names Using OpenSSL in Ubuntu Bash for Window

Overview

My main development workstation is a Windows 10 machine, so we'll approach this from that viewpoint.

Recently, Google Chrome started giving me a warning when I open a site on my local development machine that uses https with a self-signed certificate, due to SSL certificate issues like the one below:

Self-Signed SSL Issue in Chrome

or the one described in this forum post, which is what I originally got.

I previously made my self-signed certificate using the MAKECERT utility. Apparently, this tool does not support creating a self-signed SSL certificate with a Subject Alternative Name (SAN). If anyone knows differently, please let me know.

So, after doing some searches, it seems that OpenSSL is the best solution for this.

If you are trying to use OpenSSL on Windows like me, you will probably be scratching your head about where to start. Build from the repository? Ouch. That's what they call yak shaving. I just want to quickly create my own damn self-signed certificate, not build a factory that can do that. Sure, there is a binary installation available here, but after getting it installed and trying to figure out how to make it run nicely with PowerShell, I gave up.

Luckily, Windows 10 now has the ability to run Ubuntu bash and after playing around with it, this seems to be the best way forward when using openssl.

Setup Ubuntu on Windows 10

To set it up, follow the instruction here.

Install OpenSSL

To install openssl run the following command from the bash shell:

sudo apt-get install openssl

Once installed, you are ready to create your own self-signed certificate.

Creating Self-Signed Certificate

NOTE: SHA1 is being deprecated by major browsers, so please use SHA256 instead. Wherever there is a reference to SHA1 in the following guide, replace it with SHA256.

To create your own Root Certificate and Self-Signed Certificate, follow this OpenSSL Ubuntu article. You can follow that guide quite safely up to the portion where they create the .pfx file (before the Using PKCS#12 Certificates in Client Applications section), i.e. the openssl pkcs12 -export -out ... -name "Certificate for Whatever" step. Once you reach that point, you should have a valid .pfx file that you can use from Windows.

Caveats for caconfig.cnf:

  1. In the [ local_ca ] section, make sure you replace <username> with the Ubuntu username you created when you set up Ubuntu on Windows 10. Mine, for example, is dir = /home/jchandra/myCA. NOTE: DO NOT USE ~/myCA. It does not work. Similarly, change the default_keyfile setting in the [ req ] section to use the same path.
  2. Leave the [ local_ca_policy ] section alone. commonName = supplied, etc. are correct and must not be overwritten.
  3. In the [ req ] section, change default_md = sha1 to default_md = sha256.
  4. In the [ root_ca_distinguished_name ] section, replace all values with your own settings. For example, instead of leaving commonName, stateOrProvinceName, etc. at the default values in that example, at work I changed them to the following to match my own company data:
[ root_ca_distinguished_name ]
commonName              = InvoiceSmash Dev Root Certificate Authority
stateOrProvinceName     = NSW
countryName             = AU
emailAddress            = [email protected]
organizationName        = Coupa
organizationUnitName    = InvoiceSmash

Caveats for exampleserver.conf

  1. Change the values in the [ server_distinguished_name ] section to match your own settings.
  2. In the [ alt_names ] section, change the values for DNS.0 and DNS.1 to whatever you need. In my case, I test my web application using https://localhost:44300, so the correct value for me is DNS.0 = localhost. I was not sure what to do with DNS.1, so I just changed it to DNS.1 = invoicesmash.local. If I happen to have an entry in my hosts file that matches this name (mapped to IP address 127.0.0.1), it should still work.
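The caveats above for caconfig.cnf (sha256, an absolute CA directory, your own root DN) and for exampleserver.conf (the [ alt_names ] block) are combined in the following added example, which is not part of the original gist or the linked article. It assumes openssl is installed in the Ubuntu bash shell; WORKDIR, the DN values and the DNS names are placeholders to replace with your own, and the export password is left empty for brevity.

```shell
# Added example: root CA + server certificate with SAN, then a PFX for Windows.
# Assumes openssl is on PATH; all names/values below are placeholders.
set -eu

make_san_cert() (
  WORKDIR="$1"                 # absolute path, e.g. /home/<username>/myCA (not ~/myCA)
  SAN_HOST="${2:-localhost}"   # the name Chrome will match against the SAN
  mkdir -p "$WORKDIR" && cd "$WORKDIR"

  # Server request config: sha256 and a SAN block, as in the exampleserver.conf caveats.
  cat > server.cnf <<EOF
[ req ]
default_md          = sha256
prompt              = no
distinguished_name  = server_distinguished_name
req_extensions      = server_ext
[ server_distinguished_name ]
commonName          = ${SAN_HOST}
organizationName    = Example Dev
[ server_ext ]
subjectAltName      = @alt_names
[ alt_names ]
DNS.0 = ${SAN_HOST}
DNS.1 = ${SAN_HOST}.local
EOF

  # 1. Root CA key and self-signed CA certificate, signed with SHA-256 (not SHA-1).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Dev Root CA/O=Example Dev" -keyout cakey.pem -out cacert.crt

  # 2. Server key and CSR carrying the SAN request extension.
  openssl req -new -newkey rsa:2048 -nodes -config server.cnf \
    -keyout server.key -out server.csr

  # 3. The CA signs the CSR; -extensions copies the SAN into the issued certificate.
  openssl x509 -req -in server.csr -CA cacert.crt -CAkey cakey.pem -CAcreateserial \
    -sha256 -days 825 -extfile server.cnf -extensions server_ext -out server.crt

  # 4. Bundle key + certificate into the .pfx that Windows/IIS consumes.
  openssl pkcs12 -export -inkey server.key -in server.crt \
    -name "Certificate for ${SAN_HOST}" -passout pass: -out "${SAN_HOST}.pfx"

  # What Chrome checks: the chain verifies against the CA and the SAN names the host.
  openssl verify -CAfile cacert.crt server.crt >/dev/null &&
  openssl x509 -in server.crt -noout -text | grep -q "DNS:${SAN_HOST}"
)
```

Install cacert.crt into the Windows Trusted Root store and the .pfx into the Personal store; cakey.pem stays on the Linux side and never needs to be copied.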

Copy the PFX and CA Certificate to a Windows location and Install the CA & PFX into Windows

Copying PFX and CA from Ubuntu bash to Windows Side

It seems it is forbidden to touch the Linux subsystem from the Windows side, but you can touch the Windows side from the Linux side, so that's what we are going to do.

To copy the files from inside Ubuntu, you need to know where on the Windows side you want to copy them to. For example, if I want to copy the files to the C:\certificates folder, I'd run something like cp {localhost.pfx,cacert.crt} /mnt/c/certificates.

See this FAQ if you want to know more about this.
