How to Generate and Trust Self‑Signed Certificates for Local HTTPS Debugging with OpenSSL
This article explains how to create self‑signed SSL certificates using OpenSSL, add them to browser trust stores, and configure local development servers (fekit/ykit) and Nginx for HTTPS debugging, including handling SubjectAltName issues and detailed command examples.
When joining Qunar, developers often run into a browser trust problem during local HTTPS debugging, shown as Failed to load resource: net::ERR_INSECURE_RESPONSE. The problem is widely discussed (e.g., on Zhihu) and stems from browsers no longer trusting outdated self‑signed certificates.
This guide provides a permanent solution by generating a new self‑signed certificate with appropriate parameters, adding it to the browser’s trust store, and configuring local servers to use it.
1. Solution Process
Generate a self‑signed certificate.
Add the certificate to the browser’s trusted list.
Start the local fekit or ykit server with the new certificate.
2.1 OpenSSL Overview
OpenSSL is an open‑source, robust, commercial‑grade toolkit for TLS/SSL and a general‑purpose cryptographic library.
2.2 Generating a Self‑Signed Certificate
The process is simpler than obtaining a CA‑signed certificate because the requester and the issuer are the same entity, so no separate signing step is needed. The -x509 option tells OpenSSL to produce a self‑signed certificate directly instead of a certificate signing request.
2.3 Creating a Simple Single‑Domain Certificate
Because the existing certificate on the Wiki is expired, a fresh one is needed. Execute the following commands:
openssl genrsa -des3 -out testenc.key 2048
Remove the password from the generated private key:
openssl rsa -in testenc.key -out test.key
Generate a ten‑year (3650‑day) self‑signed certificate:
openssl req -new -x509 -days 3650 -key test.key -out test.crt
During the last command, fill in the requested fields in the order OpenSSL prompts for them (country, state, locality, organization, organizational unit, common name, e‑mail), for example:
Country Name: CN
State or Province Name: beijing
Locality Name: beijing
Organization Name: qunar
Organizational Unit Name: dujia
Common Name: *.qunarzz.com
Email Address: [email protected]
2.4 Generating a Certificate with SubjectAltName (SAN)
After a Chrome update, the certificate above may be rejected with a missing_subjectAltName error, because Chrome matches the host name against the SubjectAltName extension rather than the Common Name. To fix this, generate a certificate that includes the SAN extension:
openssl genrsa -des3 -out qunarzz-dev-enc.key 2048
openssl rsa -in qunarzz-dev-enc.key -out qunarzz-dev.key
Then create the SAN‑enabled certificate:
openssl req -new -sha256 \
-x509 \
-days 10000 \
-key qunarzz-dev.key \
-subj "/C=CN/ST=BeiJing/L=Beijing/O=QUNAR/OU=FE/CN=qunarzz.com" \
-extensions SAN \
-config <(cat ./openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS.1:qunarzz.com,DNS.2:q.qunarzz.com,DNS.3:*.qunarzz.com")) \
-out qunarzz-dev.crt
2.5 Adding the Certificate to Trust Store
On macOS, open the Keychain Access app, import the generated certificate via File → Import Items, and set its trust setting to “Always Trust”.
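The process‑substitution form in 2.4 only works in bash, and a SAN mismatch only becomes visible once the browser rejects the page. The script below is an added example (not from the original article): it writes a small standalone OpenSSL config, issues the SAN certificate, and checks host‑name matching with openssl x509 -checkhost before the certificate is imported into the trust store. It assumes the openssl CLI (1.0.2 or newer) is on PATH; the host names, organization and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a SAN-enabled
# self-signed certificate from a standalone config file (plain sh, no
# bash process substitution) and verifies that the SAN covers the hosts
# a browser will ask for. Assumes openssl 1.0.2+ on PATH; every name
# below is a constructed placeholder.

# gen_san_cert OUTDIR CN "DNS1,DNS2,..."
#   Writes OUTDIR/dev.key (unencrypted RSA-2048) and OUTDIR/dev.crt.
#   Put the CN in the DNS list too: browsers only look at the SAN.
gen_san_cert() {
    outdir="$1"; cn="$2"; dns_list="$3"
    mkdir -p "$outdir"
    {
        # prompt=no reads the DN from [dn]; x509_extensions applies [san]
        # only when -x509 is used, i.e. to the self-signed certificate.
        printf '[req]\ndistinguished_name=dn\nx509_extensions=san\nprompt=no\n'
        printf '[dn]\nC=CN\nST=BeiJing\nL=Beijing\nO=EXAMPLE\nOU=FE\nCN=%s\n' "$cn"
        printf '[san]\nsubjectAltName=@alt\n[alt]\n'
        # One DNS.n line per comma-separated name. Piping through read
        # avoids the filename globbing an unquoted "*.example.test" triggers.
        printf '%s\n' "$dns_list" | tr ',' '\n' | {
            i=1
            while read -r name; do
                printf 'DNS.%d=%s\n' "$i" "$name"
                i=$((i + 1))
            done
        }
    } > "$outdir/san.cnf"
    # -nodes: leave the key unencrypted so a dev server can start unattended.
    openssl req -new -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
        -keyout "$outdir/dev.key" -out "$outdir/dev.crt" \
        -config "$outdir/san.cnf" >/dev/null 2>&1
}

# cert_matches_host CRT HOSTNAME
#   Exit 0 when HOSTNAME is covered by the certificate's SAN (wildcards
#   included), 1 otherwise: the same check the browser performs.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
```

Typical use: gen_san_cert ./certs example.test "example.test,*.example.test", then cert_matches_host ./certs/dev.crt q.example.test; a non-zero exit means the browser will reject that host even after the certificate is trusted.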
2.6 Starting the Server with the Certificate
fekit server -s /path/to/crt
ykit server -s /path/to/crt
3. Extended Summary
Both fekit and ykit are used in our projects, often simultaneously for the same page (e.g., the vacation homepage). A more convenient approach is to install a local nginx instance, reverse‑proxy both servers through it, and configure the generated certificate in nginx, which resolves the HTTPS trust issue for all local debugging at once.