In my experience, in most cases, validators are picky about self-signed certificates.
In general, when using “fake” certificates, you should always take an extra step and create a fake CA and sign a fake certificate with the CA. If nothing else, this makes your testing more like a real-life scenario.
Here are brief instructions on how to do this with OpenSSL:
- Create a CA (self-signed):
  openssl req -x509 -new -out ca.crt -keyout ca.key -days 3650
- Create a server key and CSR:
  openssl req -out server.csr -pubkey -new -keyout server.secure.key
- Remove the passphrase:
  openssl rsa -in server.secure.key -out server.key
- Sign the server certificate with the CA:
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1825
- For subsequent certificates, reuse the existing serial number file:
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out server.crt -days 1825
Whenever you encounter problems with any SSL (not just HTTPS), use raw openssl for debugging by doing
  openssl s_client -connect <hostname>:<portnumber> <options>
e.g.
  openssl s_client -connect localhost:443 -CAfile myfakeca.pem
This usually saves you from many problems with your valid certificates, which in fact have nothing to do with your code.
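The procedure above, as an added, non-interactive shell example (not part of the original answer): it builds a throwaway CA, signs a server certificate with it, and then shows with `openssl verify` why a bare self-signed server certificate is rejected while the CA-signed one passes. It carries its own minimal openssl config so the result does not depend on the system openssl.cnf; the file names, the "Fake Test CA" name and the `localhost` subject are assumptions for the demo, and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes the openssl CLI.
set -eu

# Create ca.key/ca.crt, server.key/server.csr/server.crt (CA-signed) and
# selfsigned.crt (same key, self-signed) inside directory $1.
make_fake_ca_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal config: extension sections for the CA and the server leaf.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    # 1. Self-signed CA; -nodes leaves the key unencrypted (assumed fine for a test CA)
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=Fake Test CA" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650 2>/dev/null
    # 2. Server key and CSR; no passphrase, so the 'openssl rsa' strip step is not needed
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=localhost" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the CSR with the CA; ca.srl is created here and can be reused with -CAserial
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/server.crt" -days 1825 2>/dev/null
    # 4. For comparison: the same CSR self-signed with its own key (what validators reject)
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/selfsigned.crt" -days 1825 2>/dev/null
}

# verify_against_ca CAFILE CERT: exit 0 if CERT chains to CAFILE, non-zero otherwise
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone usage: sh fakeca.sh /tmp/fakeca
if [ $# -ge 1 ]; then
    make_fake_ca_chain "$1"
    verify_against_ca "$1/ca.crt" "$1/server.crt" && echo "server.crt (CA-signed): OK"
    verify_against_ca "$1/ca.crt" "$1/selfsigned.crt" || echo "selfsigned.crt: rejected, as expected"
fi
```

Point the server under test at server.key/server.crt, then debug the handshake with `openssl s_client -connect localhost:443 -CAfile /tmp/fakeca/ca.crt`; a clean run ends with `Verify return code: 0 (ok)`, and `openssl s_server -key server.key -cert server.crt -accept 4433` gives you a local peer to test against before involving your own code.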