Chrome (or Firefox) redirects to HTTPS on local dev sites

Since December 2017 it has not been possible to use the popular .dev and similar domains for local development without a little magic. Chrome redirects all of these sites to HTTPS on its own and does extra-strict certificate verification. More information about it is available at https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/

Now it is time to change all local dev sites or, even better, give these sites valid HTTPS certificates. I have long been missing local dev sites with valid certificates, since I do a lot of API integration programming and I do not want to add exceptions in development that skip the certificate check. It is better to have local sites that behave like production.

At first I looked at some GUIs such as tinyCA and gnoMint, but these did not do exactly what I wanted. Instead I found a great tutorial on how to do it on the command line at https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58

In short, the process has 4 parts: a) create a CA, b) import this CA into browsers and the OS, c) create config files for generating server certificates, d) generate the server certificate. After that it is as simple as installing the certificate in your vhost and all is good.

Part a) create CA

# openssl genrsa -out server_rootCA.key 2048
# openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 -out server_rootCA.pem

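Keep this CA private key in a secure place!! Once the CA certificate is imported in part b), anyone holding this key can issue certificates that your browsers and OS will trust for any domain.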

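Part b) import this CA into browsers and OS
In Ubuntu you can import it into the OS with these commands. update-ca-certificates only picks up files ending in .crt, so the PEM file is copied under a .crt name:

# cp server_rootCA.pem /usr/local/share/ca-certificates/server_rootCA.crt
# update-ca-certificates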

For browsers, look in their settings: under Certificates there should be something like Authorities with an Import button. Import the CA certificate there and all is good with this browser.

Part c) Create config files for generating certificates for server

Create 2 files, server_rootCA.csr.cnf and v3.ext. Change eat-that-google.dev to your desired domain name.

# server_rootCA.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=EE
ST=Tartu
L=Tartu
O=Riia
OU=local_RootCA
emailAddress=margus.pala@gmail.com
CN = eat-that-google.dev

# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = eat-that-google.dev

Part d) generate server certificate

Now generate your server certificate with these commands:

# openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server_rootCA.csr.cnf
# openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext

For each new domain, change the domain in the config files and generate a new private key server.key and certificate server.crt.
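
Parts a), c) and d) for one domain, followed by a check that the resulting certificate chains to the local CA and names the domain in subjectAltName, as an added example that is not code from the original post. The function names, the CA name passed with -subj and the output directory are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): parts a, c and d for one domain,
# plus a check of the result. Assumes the openssl CLI is on PATH.
set -eu

# issue_dev_cert DOMAIN DIR: create the CA in DIR if missing, then key, CSR and cert.
issue_dev_cert() (
  domain=$1; dir=$2
  umask 077                      # private keys readable by the owner only
  mkdir -p "$dir"; cd "$dir"
  if [ ! -f server_rootCA.key ]; then
    # Part a) -subj replaces the interactive prompts; the CA name is constructed.
    openssl genrsa -out server_rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key server_rootCA.key -sha256 -days 3650 \
      -subj "/O=Riia/OU=local_RootCA/CN=Local dev root CA" -out server_rootCA.pem
  fi
  # Part c) the two config files from the post, with the domain filled in.
  printf '%s\n' '[req]' 'default_bits = 2048' 'prompt = no' 'default_md = sha256' \
    'distinguished_name = dn' '' '[dn]' 'C=EE' 'ST=Tartu' 'L=Tartu' 'O=Riia' \
    'OU=local_RootCA' "CN = $domain" > server_rootCA.csr.cnf
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
    'subjectAltName = @alt_names' '' '[alt_names]' "DNS.1 = $domain" > v3.ext
  # Part d) key + CSR, then the certificate signed by the local CA.
  openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 \
    -keyout server.key -config server_rootCA.csr.cnf 2>/dev/null
  openssl x509 -req -in server.csr -CA server_rootCA.pem -CAkey server_rootCA.key \
    -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext 2>/dev/null
)

# check_dev_cert DOMAIN DIR: succeed only if server.crt chains to the local CA
# and its single subjectAltName entry is exactly DOMAIN.
check_dev_cert() {
  openssl verify -CAfile "$2/server_rootCA.pem" "$2/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$2/server.crt" -noout -text | tr -d ' ' | grep -qxF "DNS:$1"
}

# Usage: ./issue-dev-cert.sh eat-that-google.dev ./certs
if [ "$#" -eq 2 ]; then
  issue_dev_cert "$1" "$2"
  check_dev_cert "$1" "$2"
  echo "OK: $1"
fi
```

Running it again with another domain in the same directory reuses the existing CA and overwrites server.key, server.csr and server.crt, so copy them into the vhost first.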