Https

These days I seem to spend more of my time writing Ruby, Java and Objective-C apps that connect to the Force.com platform. Very often these apps are webapps using remote access providers created on Force.com. One of the requirements of creating a remote access provider is that you need to specify a callback URL for handling the OAuth "dance". This callback URL must use https, since the authorization code the provider hands back to your app travels in that redirect.

I recently had an article published on the Heroku Dev Center describing how to use the Force.com Omniauth adapter for handling OAuth from a Rails app. One of the steps discussed was the need to generate a self-signed certificate so that your local web server can accept https callbacks. As part of that discussion I pointed to some other web resources which stepped you through how to create these certs. Since the publication I have had a number of people contact me for more information on how to create the certificates, and more recently, many people have found their certificates no longer work after upgrading their Ruby environment.

Long story short, more recent versions of Ruby (those later than 1.8.7) now enforce some stronger security checks, one of which is verifying that the Common Name (CN) of the server certificate matches the hostname your app connected to. Whilst I bumped up against this change in Ruby and Rails, I suspect many other languages and web servers will (or already do) require a valid CN in your certificates. So, here is a brief list of commands you need to create valid certs for local development. Note: I am using openssl on a Mac, but I suspect the Java keytool works very similarly.

1. Generate your server key

$ openssl genrsa -des3 -out server.key 2048

You will be prompted for a passphrase for your key. Enter, confirm and continue. (Use 2048 bits rather than the 1024 older guides suggest: 1024-bit RSA is considered too weak today and some TLS stacks refuse it.) If your web server cannot prompt for the passphrase at start-up, nginx being the usual case, leave out -des3 so the key is stored unencrypted, and make sure the file is readable only by the account the server runs as.

2. Generate your Certificate Signing Request (CSR)

$ openssl req -new -key server.key -out server.csr

You will be prompted again for your key passphrase. Enter the one you created in step 1 above. You can then accept the defaults for all of the prompts you are presented with except the Common Name. This is the field the stricter validation checks: it must exactly match the hostname your app uses to reach the server, not the name of your machine. Since we are doing local development your common name will be "localhost".

Common Name (eg, YOUR name) []:localhost

 

3. Generate your Certificate

Lastly we need to create the certificate itself, self-signed with the key from step 1 (that is what -signkey does). Again, enter your key passphrase and you will be all set.

$ openssl x509 -req -days 1024 -in server.csr -signkey server.key -out server.crt

 

That's it. Simply follow the instructions for setting up your web server to support https and you can use the Force.com remote access providers to handle OAuth callbacks.
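As an added example that is not part of the original post, here is the same three-step recipe done with Ruby's own OpenSSL bindings, so you can see exactly which hostnames the stricter check accepts. `make_dev_cert`, `hostname_matches?` and `dns_names` are names chosen for this example; `OpenSSL::SSL.verify_certificate_identity` is the real standard-library method that a Ruby TLS client runs after the handshake. The `with_san: true` default also adds a subjectAltName extension listing every hostname, which is assumed here to be what current browsers and TLS libraries want (they ignore the CN once a SAN is present); `with_san: false` produces the CN-only certificate the openssl steps above give you.

```ruby
require "openssl"

# Added example, not code from the original post. The Ruby equivalent of the
# three openssl commands above, built with Ruby's stdlib OpenSSL bindings.
# Returns [key, cert].
#   hostnames - names the cert should be valid for; the first becomes the CN
#   with_san  - also add a subjectAltName listing every hostname (assumed here
#               to be the form current browsers require); false mimics the
#               CN-only cert the blog steps produce
def make_dev_cert(hostnames, with_san: true, bits: 2048, days: 365)
  key  = OpenSSL::PKey::RSA.new(bits)              # step 1, minus the -des3 passphrase
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                              # X.509 v3 (field is zero-based); needed for extensions
  cert.serial     = OpenSSL::BN.rand(63)           # random serial: Firefox rejects a re-used issuer+serial pair
  cert.subject    = OpenSSL::X509::Name.new([["CN", hostnames.first]])  # step 2's Common Name prompt
  cert.issuer     = cert.subject                   # self-signed, as with -signkey in step 3
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60                  # a minute of clock-skew allowance
  cert.not_after  = cert.not_before + days * 86_400
  if with_san
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    san = hostnames.map { |h| "DNS:#{h}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# The check a Ruby TLS client runs after the handshake
# (OpenSSL::SSL::SSLSocket#post_connection_check calls this same method).
# It matches DNS entries in subjectAltName first and only falls back to the
# CN when the cert has no SAN, which is why CN=localhost is what matters for
# a cert produced by the openssl steps above.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Names the certificate will be accepted for, for a quick human check:
# SAN DNS entries if present, otherwise the CN.
def dns_names(cert)
  san = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return [cert.subject.to_a.assoc("CN")[1]] unless san
  san.value.split(/,\s*/).grep(/\ADNS:/).map { |n| n.sub("DNS:", "") }
end

if __FILE__ == $0
  key, cert = make_dev_cert(["localhost"])
  puts cert.subject                                    # /CN=localhost
  puts dns_names(cert).inspect                         # ["localhost"]
  puts hostname_matches?(cert, "localhost")            # true
  puts hostname_matches?(cert, "my-macbook-pro.local") # false
  # To use it with a web server, write the unencrypted key and the cert out:
  # File.write("server.key", key.to_pem); File.write("server.crt", cert.to_pem)
end
```

Run it with plain `ruby` and it prints which names the certificate answers for; the CN-only form matches "localhost" and nothing else, which is exactly the check that started rejecting certificates whose CN was a person's name or a machine name. Writing `key.to_pem` out unencrypted is the equivalent of generating the key without -des3, so the resulting files load into nginx or thin without a passphrase prompt.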

 

  • dave

    So why would the CN be [ ]:localhost and not my-macbook-pro.local? Thanks

  • http://profiles.google.com/gcristian Cristian Ariel

    I've used this for nginx, and when applied, nginx throws an error:

    [emerg] 1208#0: SSL_CTX_use_PrivateKey_file(“server.key”) failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0906A068:PEM routines:PEM_do_header:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)

    Any suggestion?
    Thanks!

    • Jannon Frank

      If you have a passphrase on your key, that might cause this error.