Create self-signed multi-domain SSL certificate

Running microservices under HTTPS locally and in development environment with several domain names requires to have self-signed multi-domain SSL certificate. Also, starting from Google Chrome v58 SSL certificates are required to have SAN specified to avoid any SSL warnings. Luckily, there is a PowerShell script to make it quick and easy.

Download the Self-signed certificate generator PowerShell script from Microsoft Technet, and reference in your PowerShell script.

Now it’s enough to configure following properties only:

  • Subject – your main domain. I used “mytestdomain”
  • SAN – your main domain, and any additional domains you would like to have on your certificate. I added “localhost” next to the main one.

And the finished script looks following.

Make sure new-selfsignedcertificateex.ps1 script is in the same folder as GenerateSelfSignedMultiDomainSslCert.ps1, and run the latter in PowerShell as an administrator. The result will be your newly generated certificate’s thumbprint.

Generated self-signed multi-domain SSL certificate

Check your certificate in “Manage computer certificates” application on Windows 10 (or MMC on other Windows versions), however you will notice that the certificate is complaining about Certificate Authority (CA) Root certificate not being trusted.

CA not trusted

This happened since “mytestdomain” issued a certificate for “mytestdomain” i.e. we issued a certificate for ourselves, and our Windows machine doesn’t trust it. We need to make Windows trust this certificate. For this simply copy (right mouse click and select copy) the certificate into “Trusted Root Certification Authorities” certificates. This makes “mytestdomain” a trusted CA, and therefore it’s certificates will be trusted. Now the certificate looks valid.

Trusted certificate

And of course Subject Alternative Name (SAN) has two domains set. Now you can access your website or microservice via Swagger UI in your favourite browser with no SSL warnings.

SAN multi-domains

Using “Self-signed certificate generator” PowerShell script makes it extremely easy to generate a self-signed multi-domain SSL certificate for local development environment or for hosting on development server.

Update 30/01/2019

Following Manoj question in comments on how to automate SSL certificate installation a bit further, I was looking for a way to copy the certificate from Personal store to Trusted Root Certification Authorities store in Powershell. After a quick search I found a script, added some informational messages output for easier testing, and shared in my Gist — see code snippet below.

Save the Powershell file and after you created your SSL certificate, just run the following command as an Administrator.