Generating valid self signed certificates for localhost development
Recently upgraded your Ruby version and had troubles with your self-signed certs, or looking for some simple instructions on creating valid self signed certificates for localhost development? Here are a few tips to get you up and running again.
These days I seem to spend more of my time writing Ruby, Java and Objective-C apps that connect to the Force.com platform. Very often these apps are webapps using remote access providers created on Force.com. One of the requirements of creating a remote access provider is that you need to specify a callback URL for handling the OAuth "dance". This callback URL must use https for obvious reasons.
I recently had an article published on the Heroku Dev Center describing how to use the Force.com Omniauth adapter for handling OAuth from a Rails app. One of the steps discussed was the need to generate a self-signed certificate so that your local web server can accept https callbacks. As part of that discussion I pointed to some other web resources which stepped you through how to create these certs. Since the publication I have had a number of people contact me for more information on how to create the certificates, and more recently, many people have found their certificates no longer work after upgrading their Ruby environment.
Long story short, more recent versions of Ruby (those greater than 1.8.7) now enforce some stronger security checks, one of which is correct verification of the common name of your certificate against the hostname you connect to. Whilst I bumped up against this change in Ruby and Rails, I suspect many other languages and web servers will (or do) require a valid common name in your certificates. So, here is a brief list of commands you need to create valid certs for local development. Note: I am using openssl on a Mac, but I suspect the Java keytool works very similarly.
1. Generate your server key
$ openssl genrsa -des3 -out server.key 1024
You will be prompted for a password for your key. Enter, confirm and continue.
2. Generate your Certificate Signing Request (CSR)
$ openssl req -new -key server.key -out server.csr
You will be prompted again for your key password. Enter the one you created in step 1 above. You can then accept the defaults for all of the prompts you are presented with except the Common Name. This is the field the stricter certificate validation checks against the hostname, so it must match. Since we are doing local development your common name will be "localhost".
Common Name (eg, YOUR name) :localhost
3. Generate your Certificate
Lastly we need to create our certificate. Again, use your key password and you will be all set.
$ openssl x509 -req -days 1024 -in server.csr -signkey server.key -out server.crt
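The same three steps can be done from Ruby itself, which also lets you run the exact hostname check that newer Ruby versions apply during the TLS handshake. The following is an added example, not code from the original post: it uses only the Ruby standard library OpenSSL bindings, generates a 2048-bit key rather than the 1024-bit key above (an assumption on my part, since 1024-bit RSA is weak by current standards), and puts "localhost" in the subjectAltName extension as well as the Common Name, because modern browsers check the SAN rather than the CN. The function names are mine.

```ruby
require 'openssl'

# Build a self-signed certificate whose Common Name (and subjectAltName)
# is `common_name`. Returns [certificate, private_key].
# Added example, not from the original post; stdlib OpenSSL only.
def make_self_signed_cert(common_name, days: 365, key_bits: 2048)
  key  = OpenSSL::PKey::RSA.new(key_bits)          # step 1: server key
  name = OpenSSL::X509::Name.parse("/CN=#{common_name}")

  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                               # X.509 v3
  cert.serial     = OpenSSL::BN.rand(64)            # random serial, as a CA would use
  cert.subject    = name                            # step 2: the CSR's subject
  cert.issuer     = name                            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + days * 24 * 60 * 60

  # Extensions: not a CA, and a SAN entry so clients that ignore the CN still match.
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{common_name}"))

  cert.sign(key, OpenSSL::Digest::SHA256.new)        # step 3: sign with our own key
  [cert, key]
end

# Password-protect the private key, equivalent to the -des3 prompt in step 1
# (AES-256-CBC here instead of 3DES). Returns the encrypted PEM text.
def encrypted_key_pem(key, password)
  key.export(OpenSSL::Cipher.new("aes-256-cbc"), password)
end

# The hostname check that makes the stricter Ruby versions reject a
# certificate whose name does not match the host you connected to.
def cert_matches_host?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Write server.crt / server.key into `dir`, ready for a local https server.
def write_pem_files(cert, key, dir = ".")
  File.write(File.join(dir, "server.crt"), cert.to_pem)
  File.write(File.join(dir, "server.key"), key.to_pem)
end

if __FILE__ == $PROGRAM_NAME
  cert, key = make_self_signed_cert("localhost")
  puts "CN ok for localhost?   #{cert_matches_host?(cert, 'localhost')}"
  puts "CN ok for example.test? #{cert_matches_host?(cert, 'example.test')}"
  write_pem_files(cert, key)
end
```

Running the script prints true for "localhost" and false for any other hostname, which is exactly the mismatch that produces the verification errors people hit after upgrading Ruby: a certificate generated with a different Common Name is still a perfectly valid certificate, it just does not identify the host.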
That's it. Simply follow the instructions for setting up your web server to support https and you can use the Force.com remote access providers to handle OAuth callbacks.