SSL Certificate Not Working Localhost

This morning my machine updated and Chrome no longer saw my SSL certificate as valid. It was complaining about a missing SAN (Subject Alternative Name). Through the following links, it became apparent that Chrome had updated. Using them, I was able to come up with this step-by-step guide to resolving the issue.

1. Delete the existing key with the following command:

keytool -delete -alias <your-alias> -keystore "C:/Program Files/Java/jdk1.8.0_45/jre/lib/security/cacerts"

2. Generate a new key with a SAN (Subject Alternative Name) with the following command:

keytool -genkey -alias <your-alias> -ext SAN=dns:<your-alias> -keyalg RSA -keystore "C:/Program Files/Java/jdk1.8.0_45/jre/lib/security/cacerts"

3. Restart the machine

4. Open Chrome, Chrome Settings > Show advanced settings > HTTPS/SSL > Manage Certificates. Delete the existing certificate from the ‘Trusted Root Certification Authorities’ and ‘Trusted Publishers’ tabs respectively. If you are creating your first SSL certificate on your localhost, you can skip this step (step 4)

5. Restart Chrome

6. Navigate to the HTTPS page and press F12 to open the developer tools, open the Security tab and click View Certificate

7. Export the certificate and name it (or whatever your alias is)

8. Open Chrome, Chrome Settings > Show advanced settings > HTTPS/SSL > Manage Certificates. Import the new certificate to the ‘Trusted Root Certification Authorities’ and ‘Trusted Publishers’ tabs respectively.

9. Restart the machine
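
The key-generation step above, written out in full as an added example (not the original author's commands): it generates the key with a SAN, confirms the SAN is present, and exports the public certificate ready for import. The alias `dev.example.test`, the dedicated keystore path (used here so the private key stays out of the JDK's cacerts trust store) and the passphrase are all assumed placeholders.

```powershell
# Added example. All values below are placeholders/assumptions, not from the post.
$alias     = 'dev.example.test'                # must match your hosts-file entry
$keystore  = "$env:USERPROFILE\localdev.jks"   # dedicated keystore (assumption)
$storepass = 'replace-this-passphrase'         # placeholder; keytool needs >= 6 chars

# 1. Generate the key pair. CN and SAN both carry the alias; current Chrome
#    validates the host name against the SAN only, so -ext is what matters.
keytool -genkeypair -alias $alias -keyalg RSA -keysize 2048 -validity 365 `
    -dname "CN=$alias" -ext "SAN=dns:$alias" `
    -keystore $keystore -storepass $storepass -keypass $storepass
if ($LASTEXITCODE -ne 0) { throw "keytool -genkeypair failed" }

# 2. Confirm the SAN actually landed in the certificate before touching any
#    trust store. keytool -list -v prints it as "DNSName: <name>".
$listing = keytool -list -v -alias $alias -keystore $keystore -storepass $storepass
$pattern = 'DNSName:\s*' + [regex]::Escape($alias) + '\s*$'
if (-not ($listing -match $pattern)) {
    throw "Certificate for '$alias' has no matching SubjectAlternativeName"
}

# 3. Export only the public certificate (PEM). This is the file to import
#    into the Windows certificate stores; the private key never leaves
#    the keystore.
$cer = Join-Path (Get-Location) "$alias.cer"
keytool -exportcert -rfc -alias $alias -keystore $keystore `
    -storepass $storepass -file $cer
if ($LASTEXITCODE -ne 0) { throw "keytool -exportcert failed" }
Write-Output "Exported $cer"
```

If you use a dedicated keystore like this, Tomcat's keystoreFile, keystorePass and keyAlias must point at it rather than at cacerts.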

Create SSL Certificate for HTTPS localhost on Tomcat 7 Chrome and Internet Explorer

Getting SSL working with a self-signed certificate for local development was poorly documented everywhere I looked. Here is a step-by-step guide.

1. Create an alias in your hosts file.

To do this you need to know your IP address. Once you do, open


and add the entry with your IP address. E.g.:

hosts entry

Now, assuming you are running Apache Tomcat, you should be able to navigate to

and see the same content as localhost:8084

2. Generate an entry in the keystore file for your alias.

The part in bold must match your hosts file entry. My command is shown below (note, I am using the keystore provided with my JDK). To see which of your installed JDKs NetBeans is using, check:

C:\Program Files\NetBeans 7.x\etc\netbeans.conf

keytool -genkey -alias <your-alias> -keyalg RSA -keystore "C:\Program Files\Java\jdk1.7.0_71\jre\lib\security\cacerts"

You are asked for your password. The default password is ‘changeit’.

You are now asked to enter your name. Enter your name as whatever value your alias is. In my case I entered the name as


  1. ‘keystore’ is not recognised as an internal or external command. – Make sure the following directory (or your equivalent) is in the PATH environment variable, e.g. “C:\Program Files (x86)\Java\jre6\bin”
  2. Access is denied / file not found exception for cacerts. – This was on Windows 7 and there were access issues. I needed to run the command window as an administrator.

3. Configure Apache Tomcat to allow HTTPS connections

Navigate to server.xml, which is located in your Tomcat’s conf directory. Find the section “Define a SSL HTTP/1.1 Connector on port 8443” and add the part below to it. Do not uncomment anything; this should be all you need, with the italics marking where you add in your own values. Note: the part in bold is left out of most tutorials I found, which caused me delays, hence this blog post. Note that the default password for the cacerts file which came with the JDK is ‘changeit’.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:/Program Files/Java/jdk1.7.0_71/jre/lib/security/cacerts"
           keystorePass="changeit" clientAuth="false"
           keyAlias="YOUR_ALIAS" sslProtocol="TLS"/>

Restart Apache Tomcat. Note, if you are using NetBeans (like I am) you will also have to edit the server.xml in the Catalina base. You can find where the Catalina base is by clicking on the Tomcat server in NetBeans.

4. Copy the certificate which you have generated

Using Chrome, attempt to navigate to the secure section of your site. For me, it was (Note the HTTPS protocol):

Click on the broken red padlock in the address bar and click Certificate Information > Details tab > Copy to File > Export. Save it as the default .cer file type. Save it with the same name as your alias. For me this file is named:

5. Create an entry in the trusted certificate publishers directory of your machine

Open a command window and type


Expand the ‘Trusted Publishers’ directory. Using the menu bar, select Action > All Tasks > Import, and import the file you created in step 4. Repeat this process in the ‘Trusted Root Certification Authorities’ directory. Restart your machine.

Note, syntax for keytool -delete

 -alias keyAlias
 -keystore keystore-name
 -storepass password

What an enormous pain in the b****x this proved to be.

The Why:

SSL Certificates

It is recommended to use a certificate from a public Certificate Authority (CA) included in the JDK/JRE list of recognized CAs. However, a self-signed certificate can also be used. Self-signed certificates require the signing CA’s key to be installed on any machine that uses the application in question for certificate validation. If the CA key for the self-signed certificate is not installed on a machine where someone is attempting to use the application in question, communication will not be allowed.