How to Create a Trusted Self‑Signed SSL Certificate for Internal IP Access with OpenSSL and Nginx
This guide shows how to generate a self‑signed SSL certificate for an internal IP address using OpenSSL, configure Nginx to serve HTTPS without security warnings, and import the certificate into Chrome with the necessary extensions to avoid common name errors.
OpenSSL Self‑Signed Certificate
Install OpenSSL and create a directory for private keys.
yum install openssl openssl-devel -y
mkdir -pv /etc/ssl/private
Generate a private key and CSR for the internal IP (e.g., 192.168.199.104).
cd /etc/ssl/private/
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.104.csr -keyout 192.168.199.104.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.104"
openssl x509 -req -days 365 -in 192.168.199.104.csr -signkey 192.168.199.104.key -out 192.168.199.104.crt
Create an extension file (http.ext) to add required usages and subject alternative names.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName
[SubjectAlternativeName]
IP.1 = 127.0.0.1
IP.2 = 192.168.199.104
Sign the certificate with the extension file.
openssl x509 -req -days 365 -in 192.168.199.104.csr -signkey 192.168.199.104.key -out 192.168.199.104.crt -extfile http.ext
Configure Nginx to use the new certificate.
nginx -t
nginx -s reload
Copy the generated 192.168.199.104.crt to a Windows machine and import it into Chrome (Settings → Privacy & Security → Manage certificates → Import).
Because Chrome may reject the certificate, delete any previously imported version, then import the certificate that was signed with the extension file (http.ext) so Chrome recognises the IP as a valid subject alternative name.
After re‑importing the updated certificate, reload Nginx and clear Chrome’s cache before accessing the site.
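Before importing, it is worth checking that the signed certificate actually contains the IP in its subjectAltName. The script below is an added example, not part of the original article: it rebuilds both certificates from the steps above in a scratch directory and checks each one. The function names and the file names ip.csr, ip.key, plain.crt and san.crt are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: confirm the signed certificate really carries the IP SAN.
set -eu

# Succeeds if certificate file $1 lists IP address $2 in its subjectAltName.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -qxF "IP Address:$2"
}

# Build the page's two certificates in directory $1 (hypothetical file names):
# plain.crt is signed without http.ext, san.crt is signed with it.
make_certs() {
    (
        cd "$1"
        openssl req -new -newkey rsa:2048 -sha256 -nodes \
            -out ip.csr -keyout ip.key \
            -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.104" 2>/dev/null
        cat > http.ext <<'EOF'
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName
[SubjectAlternativeName]
IP.1 = 127.0.0.1
IP.2 = 192.168.199.104
EOF
        openssl x509 -req -days 365 -in ip.csr -signkey ip.key \
            -out plain.crt 2>/dev/null
        openssl x509 -req -days 365 -in ip.csr -signkey ip.key \
            -out san.crt -extfile http.ext 2>/dev/null
    )
}

workdir=$(mktemp -d)
make_certs "$workdir"
for crt in plain.crt san.crt; do
    if cert_has_ip_san "$workdir/$crt" 192.168.199.104; then
        echo "$crt: IP SAN present"
    else
        echo "$crt: no IP SAN, browsers will report a name mismatch"
    fi
done
rm -rf "$workdir"   # removes the throwaway private key as well
```

Running cert_has_ip_san against the real /etc/ssl/private/192.168.199.104.crt shows whether the file being served is the one signed with http.ext or the earlier one without it.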
Summary
Chrome requires an additional extension file (http.ext) that defines keyUsage, extendedKeyUsage, and subjectAltName for the internal IP.
Two commands generate the key/CSR and sign the certificate with the extension.
Import the resulting .crt into Chrome’s trusted root store.
Reload Nginx and clear browser cache to complete the setup.
Raymond Ops
