Self-signed Chrome browser certs with Mac OSX Catalina

Chrome + Mac OSX Catalina + Self-signed Certificates

By: @tommyunger

I just upgraded my Mac to the latest OSX Catalina (10.15.2) release. Wow! A new login screen background. I don’t really know what else I get, but sure, thanks Apple. What I didn’t want was the new security measures around local/dev websites and the Chrome (version: 79.0.3945.79) web browser. The error that popped up was NET::ERR_CERT_INVALID. And there’s a whole bunch of text that basically offers nothing for how to solve this problem. And, there’s no override.

Of course, the best option here is to get a real certificate and a real domain. But, if I’m running a dev build or a local web server, I’d rather just put in my own self-signed certificate using openssl. So, let’s generate that certificate locally from the command line on my Mac. Also note, you should change the hostname and IP values in the command (product.eng.qumulo.com and 10.220.246.172) to values that represent your local server(s) and/or IPs.

$ openssl req \
    -newkey rsa:2048 \
    -x509 \
    -sha256 \
    -days 365 \
    -nodes \
    -keyout cert.key \
    -new \
    -out cert.crt \
    -subj /CN=product.eng.qumulo.com \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS.1:product.eng.qumulo.com,IP.1:10.220.246.172'))
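
An added example, not part of the original post: the same kind of certificate generated from a small config file (so it also works in shells without process substitution), followed by checks on what the command above sets up: the SAN entry, the SHA-256 signature, the validity period, and that the key matches the certificate. The function names and the san.cnf file name are assumptions; the hostname and IP are the post's sample values.

```shell
#!/bin/sh
# Added example (not from the original post). Function and file names are assumptions.

# make_cert <dir> <hostname> <ip>: writes <dir>/cert.key and <dir>/cert.crt
make_cert() {
    dir=$1; host=$2; ip=$3
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = SAN
prompt = no
[dn]
CN = $host
[SAN]
subjectAltName = DNS:$host,IP:$ip
EOF
    # -nodes leaves cert.key unencrypted, so create it readable by the owner only.
    (umask 077; openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$dir/cert.key" -out "$dir/cert.crt" \
        -config "$dir/san.cnf" 2>/dev/null)
}

# check_cert <crt> <key> <hostname>: prints "ok" and returns 0 if every check passes
check_cert() {
    crt=$1; key=$2; host=$3
    text=$(openssl x509 -in "$crt" -noout -text) || return 1
    # The hostname must appear as an exact DNS entry in subjectAltName.
    echo "$text" | tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$host" \
        || { echo "SAN has no DNS:$host"; return 1; }
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "signature is not SHA-256 with RSA"; return 1; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate expired"; return 1; }
    # The server can only use the pair if the key belongs to the certificate.
    [ "$(openssl x509 -in "$crt" -noout -modulus)" = \
      "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] \
        || { echo "key does not match certificate"; return 1; }
    echo ok
}

# Usage: d=$(mktemp -d); make_cert "$d" product.eng.qumulo.com 10.220.246.172
#        check_cert "$d/cert.crt" "$d/cert.key" product.eng.qumulo.com
```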

That command will generate two files, cert.key and cert.crt. You need to install those on your server. It could be as simple as this Python approach, but odds are it’s specific to your web server. In my case, I’m running a petabyte-scale Qumulo file server that has a simple command line API for adding the certificate and key.

$ qq --host product login -u tommy
$ qq --host product ssl_modify_certificate -c cert.crt -k cert.key

But, there’s still more to do. Back on the Mac, we need to add the same certificate to the Mac OSX keychain. Open up “Keychain Access” via “Spotlight” which is actually a magnifying glass :-/.

The UI will look something like what you see below. Is it Keychain Access or certificate management or just security settings? Only Jony Ive knows, but he quit…

Next, press Shift-command-I or use the dropdown menu to “Import Items” the certificate you generated above. Find the cert.crt file generated above and click Open.

Did I mention you’ll need to be an administrator of your machine to do this? Hopefully you are. If not, head over to I.T. and tell them you’re trying to circumvent security settings.

The certificate is now loaded into the Mac’s Keychain. In my case you see “product.eng.qumulo.com”

Double-click the certificate you just added. That will pop up the window below. In that window, expand the “Trust” section in the upper left.

Change the “When using this certificate” dropdown to “Always Trust” and it will look like this:

And finally, in my case, I headed to the website via my URL and could see the wonder that is the Qumulo dashboard, with the nice little lock button in the address bar.
