Security
Self-Signed Certificate tied to IP Address
  Harvey Mushman
  All
  Aug 29, 2023 @ 12:08pm

After making several tries to generate a self-signed certificate tied to an IP address on my LAN and continuing to get error messages from Chrome, I started to wonder if all the prior posts are full of BS or so out of date that Chrome now rejects everything that has been documented to date.

The IIS built in feature fails along with a posting from Microsoft Xpert which reads within PowerShell as follows:

# -CertStoreLocation matters: the default is Cert:\CurrentUser\My, which IIS does not read
New-SelfSignedCertificate -Subject "hctest.com" -CertStoreLocation Cert:\LocalMachine\My -TextExtension @("2.5.29.17={text}DNS=hctest.com&IPAddress=192.168.0.118&IPAddress=::1")

In OpenSSL I have tried several variations including the following:

# -addext needs OpenSSL 1.1.1 or later; without a SAN entry Chrome ignores the CN entirely
openssl req -x509 -newkey rsa:4096 -keyout private-key.key -out certificate.pem -days 365 -nodes -subj "/CN=192.168.1.179" -addext "subjectAltName=IP:192.168.1.179"
# bundle the key and certificate into a PFX for IIS
openssl pkcs12 -export -out certificate.pfx -inkey private-key.key -in certificate.pem
openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt

This generated a cert with X509v3 Subject Alternative Name: IP Address:192.168.1.179 which is described in some write ups to be required.

Then finally, I tried to create a configuration file which describes the SAN information shown below.

# -reqexts only applies to CSRs; with -x509 the extensions come from the x509_extensions section of the config (v3_req below), and an IP address must be an IP: entry, not a DNS: entry
openssl req -newkey rsa:2048 -x509 -nodes -days 365 -keyout domain.key -out domain.crt -subj "/CN=192.168.1.179" -config openssl.cnf -extensions v3_req

*** my openssl.cnf file reads ***
[req]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
# C = US
# ST = California
# L = Los Angeles
# O = 800MAIN
# OU = IT Operations
CN = 192.168.1.179
[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
nsComment = "OpenSSL Generated Certificate"
[alt_names]
IP.1 = 192.168.1.179
# IPv6 localhost
IP.2 = ::1
# IPv4 loopback belongs in the IP list, not the DNS list
IP.3 = 127.0.0.1
DNS.1 = localhost

And then once I have the .key and .crt files, again using OpenSSL I convert them into a .pfx file before importing into IIS.

openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt

Any suggestions what I'm doing wrong?

A bit of background on why I'm trying to do this... As it turns out, to create an audio controller application for the devices I want to communicate with, I need a webserver in the middle to handle socket.io and WebSocket communications over TCP or UDP protocols. I am trying to send a live audio stream from the client microphone to the audio device. The server is acting as a bridge, piping the incoming stream out to the audio device. But before I can have a microphone on the client, the page must be hosted in an HTTPS environment (mandatory per: MediaDevices: getUserMedia function).

One last thing, the reason behind using an IP address in the certificate: the application server will be running strictly on the LAN, and other computers (and cell phone browsers) besides my development machine (same as the server) need to be able to access the app once deployed.

PS: ChatGPT was useless! lol

re: Self-Signed Certificate tied to IP Address
  Harvey Mushman
  Harvey Mushman
  Aug 29, 2023 @ 01:35pm

Never Mind... I fixed or at least found the problem...

On the last attempt, where I use the configuration file and call out the Alt_Name with an IP address, after generating the PFX file and loading it into IIS, I forgot that when socket.io makes the request to open the connection to the WebSocket on the server, the server needed to send back the .pem and .key files in the response. This was required for CORS to work since the client application is running on port 443 and socket.io is communicating over port 3020.

I don't even know if I fully understand what is going on, and the ability to send an audio stream is still yet to come, but it was a big step to get the browser to not fail loading the page because the site was not secure, which was required for the microphone to work.

re: Self-Signed Certificate tied to IP Address
  Harvey Mushman
  Harvey Mushman
  Aug 30, 2023 @ 03:36am

Almost but no cigar... 😦

After having a good night's sleep, I learned today that other computers on the same LAN still get the Chrome error message which reads:

NET::ERR_CERT_AUTHORITY_INVALID

Not sure anymore if creating a Self-Signed Certificate for local use is possible?

Any suggestions would be welcome.

re: Self-Signed Certificate tied to IP Address
  Rick Strahl
  Harvey Mushman
  Aug 30, 2023 @ 06:12am

A self-signed certificate is never safe to be used across the network - unless you register the certificate in the target machine so the entire certificate chain is registered.

Is your machine on the open internet? If so the better solution is to install a free LetsEncrypt certificate.

Even if it's not, you can use either router tunnelling or one of the tools like ngrok or whatever Microsoft has these days (tunnelling something) to create a mapped IP address that can be publicly referenced, and then you can register a LE certificate. As long as the machine is visible to the LE verification process you can get the certificate. Once installed you can actually take off the online link - until auto-renewal.

When I need to do this I usually do this:

  • Note my public IP address
  • Open up my router for port 443 and 80
  • Map my local IP address to a domain name (test.west-wind.com) in my DNS
  • Wait, make sure you can get there over an open connection
  • Run Lets Encrypt and set up a certificate for that domain
  • Once successful remove the router opening (if you don't think you need it)

The certificate is good for any port, so I typically use a non-80/443 port for my dev projects and open a hole in my router for that port rather than 80/443 if I need open IP access, as it's less likely a random port will be targeted by bots.

+++ Rick ---
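What "register the certificate in the target machine so the entire certificate chain is registered" looks like in practice, as an added example that is not code from either poster: instead of the single self-signed leaf from the first post, a throwaway private CA signs a server certificate for the LAN IP, the CA certificate (and only that) is installed on each client, and the PFX for IIS carries the whole chain. It assumes OpenSSL 1.1.1 or later on PATH, the file names and the CA name "LAN dev CA" used below, and a placeholder PFX password; 192.168.1.179 is the IP from the thread. It also includes the check that reproduces the failure: verifying the leaf without the CA is the same "unable to get local issuer certificate" condition Chrome shows as NET::ERR_CERT_AUTHORITY_INVALID.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + CA-signed leaf for a LAN IP.
# Assumed: OpenSSL 1.1.1+, the file names below, CA name "LAN dev CA", PFX password.
set -eu

LAN_IP="${LAN_IP:-192.168.1.179}"        # IP from the thread
WORK="${WORK:-$(mktemp -d)}"             # assumption: scratch directory
PFX_PASS="${PFX_PASS:-changeit}"         # assumption: pick your own

make_lan_cert() {
  # Private CA. ca.crt is what gets imported into each client's trusted
  # root store; ca.key never leaves this directory.
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = LAN dev CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # Server key + CSR plus the leaf extensions. Chrome matches the URL host
  # against the SAN, never the CN, so the address must be an IP entry.
  cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $LAN_IP
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = $LAN_IP
IP.2 = 127.0.0.1
IP.3 = ::1
DNS.1 = localhost
EOF
  openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

  # Sign the CSR with the CA: the step a self-signed certificate has no room for.
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.cnf" -extensions server_ext \
    -out "$WORK/server.crt" 2>/dev/null

  # PFX for the IIS binding: leaf + key + issuing CA, so the server sends the chain.
  openssl pkcs12 -export -out "$WORK/server.pfx" -inkey "$WORK/server.key" \
    -in "$WORK/server.crt" -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASS"
}

# Exit 0 when the leaf chains to ca.crt: what a client that trusts ca.crt accepts.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Exit non-zero with no trust anchor supplied: the condition a client that
# has NOT imported ca.crt is in (Chrome: NET::ERR_CERT_AUTHORITY_INVALID).
verify_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 when the leaf's SAN lists the given IP address.
leaf_has_ip_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -Eq "IP Address:$1(,|\$)"
}

make_lan_cert
verify_with_ca
leaf_has_ip_san "$LAN_IP"
echo "issued $WORK/server.pfx; install $WORK/ca.crt as a trusted root on each client"
```

Chrome defers to the operating system's root store, so on each Windows client import ca.crt into the machine's Trusted Root Certification Authorities store (for example `certutil -addstore -f Root ca.crt` from an elevated prompt), and on each phone install it as a CA certificate; server.pfx is what goes into the IIS https binding. Re-issue only the leaf when it expires or the IP changes; the installed CA stays valid.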

re: Self-Signed Certificate tied to IP Address
  Harvey Mushman
  Rick Strahl
  Aug 30, 2023 @ 11:37am

Your solution sounds like a good idea but when I tried to create a Let's Encrypt certificate, I got an error message that they will not issue to IP 192.168.x.x.

If I follow your instructions as I understand them, so long as the cert is issued to my router IP address, I should be OK. But once I remove the tunnel, will the cert still work on other machines on the LAN?

CORS is a bitch, and adding socket.io to the mix only makes everything much worse.

re: Self-Signed Certificate tied to IP Address
  Rick Strahl
  Harvey Mushman
  Aug 30, 2023 @ 01:59pm

That's because it's not a public IP and you have to use a domain name. That IP address is the local IP address from your DHCP server - most likely from the router.

You need to provide your public IP address, which is your ISP-assigned IP address. Type 'My IP Address' into a search engine and it will show you your external IP address - that's what you need to bind your DNS entry to. You can then use the IIS bindings (if you're using IIS) to route your host header to the site you want to use.

If you're using a Node server or some other tool like Dotnet you probably need to use a custom port as you can't easily route host headers...

+++ Rick ---
