Reputation: 5826
Adding self-signed certificate as trusted in macOS doesn't work properly
I'm trying to create a simple Makefile command in order to install self-signed certificate for local development of an Angular app.
When I do this manually (by double-clicking on the certificate file, then opening a detail of it and setting everything to Always Trust) it works perfectly. On the other hand, the following command should do the same without any manual action, and as a matter of fact, it does (at least I couldn't find any difference in certificate details).
security add-trusted-cert -d -r trustRoot -k "/Users/${USER}/Library/Keychains/login.keychain" certificates/local.angular.domain.crt
I also tried it with a sudo command (the only difference when using sudo is that it doesn't open the native popup for password, which I prefer as the user can authenticate using a fingerprint).
Here's my whole Makefile command
install-certificate:
# generate certificate
git clone https://github.com/RubenVermeulen/generate-trusted-ssl-certificate.git
cd generate-trusted-ssl-certificate && \
sed -i.backup 's/CN.*/CN = local\.angular\.domain/g' ./openssl-custom.cnf && \
sed -i.backup 's/DNS\.1.*/DNS\.1 = \*\.local\.angular\.domain/g' ./openssl-custom.cnf && \
sed -i.backup 's/DNS\.2.*/DNS\.2 = local\.angular\.domain/g' ./openssl-custom.cnf && \
bash generate.sh
mkdir -p certificates
mv generate-trusted-ssl-certificate/server.key certificates/local.angular.domain.key
mv generate-trusted-ssl-certificate/server.crt certificates/local.angular.domain.crt
rm -rf generate-trusted-ssl-certificate
# add certificate as trusted
security add-trusted-cert -d -r trustRoot -k "/Users/${USER}/Library/Keychains/login.keychain" certificates/local.angular.domain.crt
grep -qxF '127.0.0.1 local.angular.domain' /etc/hosts || sudo -- sh -c "echo '127.0.0.1 local.angular.domain' >> /etc/hosts"
# clear DNS cache
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
This should be relatively easy to replicate as it generates the certificate itself and cleans up afterwards. Might be worth mentioning that the angular app runs on port 4200 (https://local.angular.domain:4200) which works smoothly when certificate is added manually. When added by the above command it shows the NET::ERR_CERT_AUTHORITY_INVALID. When I opened both certificates' details in chrome - they are the same. Thank you for any advice.
Upvotes: 4
Views: 1486
Answers (1)
Reputation: 2814
The web server needs the certificate as well as the associated private key.
But it looks like the command security add-trusted-cert does not import the private key (the .key file). You should consider using security import.
Upvotes: 1
Related Questions
- Node.js self signed certificate is still showing as "not trusted" in my browser
- Trust self-signed certificate CentOS 7
- Self Signed Certificate
- Set imported certificate to always be trusted in Mac OS X
- How to fix "TrustAnchor is not a CA certificate" for self-signed certificates? (Java)
- Self-signed SSL certificate (added to Keychain and marked Trusted) is displayed Invalid in Chrome
- Unable To Trust Self-Signed SSL Certificate
- Unable to get Java to trust my self-signed certificate
- android self-signed certificate wont work
- Why 1 of 8 self signed certificates does not work?