Chrome + Mac OSX Catalina + Self-signed Certificates

By: @tommyunger


I just upgraded my Mac to the latest OSX Catalina (10.15.2) release. Wow! A new login screen background. I don't really know what else I get, but sure, thanks Apple. What I didn't want was the new security measures around local/dev websites and the Chrome (version: 79.0.3945.79) web browser. The error that popped up was NET::ERR_CERT_INVALID. And there's a whole bunch of text that basically offers nothing for how to solve this problem. And, there's no override.

NET::ERR_CERT_INVALID error in Google Chrome

Of course, the best option here is to get a real certificate and a real domain. But, if I'm running a dev build or a local web server, I'd rather just put in my own self-signed certificate using openssl. So, let's generate that certificate locally from the command line on my Mac. Also note, you should change the hostname and IP values (the CN in -subj and the DNS.1 and IP.1 entries in subjectAltName) to values that represent your local server(s) and/or IPs.

$ openssl req \
    -newkey rsa:2048 \
    -x509 \
    -sha256 \
    -days 365 \
    -nodes \
    -keyout cert.key \
    -new \
    -out cert.crt \
    -subj /CN=product.eng.qumulo.com \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS.1:product.eng.qumulo.com,IP.1:10.220.246.172'))

That command will generate two files cert.key and cert.crt. You need to install those on your server. It could be as simple as this python approach, but odds are it's specific to your web server. In my case, I'm running a petabyte-scale Qumulo file server that has a simple command line API for adding the certificate and key.

$ qq --host product login -u tommy
$ qq --host product ssl_modify_certificate -c cert.crt -k cert.key
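Chrome matches the host in the URL against the certificate's subjectAltName entries rather than the CN, which is why the openssl command above adds a SAN section. The shell functions below are an added example, not part of the original post: they check that a certificate names the host you will browse to before you trust it in the Keychain. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a dev certificate's SAN covers the name you browse to.

# Reads `openssl x509 -noout -text` output on stdin and prints one normalised
# SAN entry per line, e.g. "DNS:host.example" or "IP:192.0.2.10".
sans_from_text() {
  awk 'f { print; f = 0 } /X509v3 Subject Alternative Name/ { f = 1 }' |
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^IP Address:/IP:/'
}

# Succeeds only if NAME is an exact SAN entry in the text on stdin.
# IPv4 literals must match an IP entry, anything else a DNS entry.
# Assumption: wildcard and IPv6 entries are not handled here.
text_covers_name() {
  name=$1
  case $name in
    '' | *[!0-9.]*) want="DNS:$name" ;;
    *)              want="IP:$name" ;;
  esac
  sans_from_text | grep -Fqxi -- "$want"
}

# Same check for a certificate file on disk, such as cert.crt.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text | text_covers_name "$2"
}

# Constructed sample of the SAN lines that `openssl x509 -text` prints for the
# certificate generated above; with a real file use: cert_covers_name cert.crt NAME
SAMPLE='            X509v3 Subject Alternative Name:
                DNS:product.eng.qumulo.com, IP Address:10.220.246.172'

for n in product.eng.qumulo.com 10.220.246.172 product; do
  if printf '%s\n' "$SAMPLE" | text_covers_name "$n"; then
    echo "$n: covered by SAN"
  else
    echo "$n: not in SAN, https://$n/ will fail name validation"
  fi
done
```

The short name "product" used with qq is not in the SAN, so the browser URL has to use the full hostname or the IP address listed in the certificate.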

But, there's still more to do. Back on the Mac, we need to add the same certificate to the Mac OSX keychain. Open up "Keychain Access" via "Spotlight" which is actually a magnifying glass :-/.

Keychain Access via Spotlight

The UI will look something like what you see below. Is it Keychain Access or certificate management or just security settings? Only Jony Ive knows, but he quit...

Keychain Access, certificates, Mac OSX

Next, press Shift-command-I or use the dropdown menu to "Import Items" the certificate you generated above. Find the cert.crt file generated above and click Open.

Import Items (certificate) on Mac OSX

Did I mention you'll need to be an administrator of your machine to do this? Hopefully you are. If not, head over to I.T. and tell them you're trying to circumvent security settings.

Password prompt on Mac

The certificate is now loaded into the Mac's Keychain. In my case, you see "product.eng.qumulo.com".

New dev certificate added to Mac Keychain

Double-click the certificate you just added. That will pop up the window below. In that window, expand the "Trust" section in the upper left.

Individual certificate management for dev server

Change the "When using this certificate" dropdown to "Always Trust" and it will look like this:

Trust this new certificate

And finally, in my case, I headed to the website via my URL and could see the wonder that is the Qumulo dashboard, with the nice little lock button in the address bar.

Petabyte-scale file storage from Qumulo
