Generate own Certificate Authority for testing custom Domains with Salesforce Communities

I had a need to test custom domains with Salesforce Communities and be able to log into those communities. When authenticating to a Salesforce Community an encrypted connection (meaning SSL) is required so I needed an easy and free way to generate certificates for my domains The solution was using openssl for the signing and Firefox for the testing as the latter comes with its own Trust Store. Lately many browsers has become very picky about what root certificates are trusted making this kind of testing harder.

Below are the steps I used:

Generate a private key for the root certificate authority:
openssl genrsa -des3 -out rootCA.key 4096

Selg-sign and create a certificate with the private key:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Convert the certificate to PEM format for import into the Firefox Trust Store:
openssl x509 -in rootCA.crt -pubkey > rootCA_publickey.pem

Now in Salesforce Setup using “Certificate and Key Management” use “Create CA-Signed Certificate” and fill in the form. Then download the Certificate Signing Request (CSR) to your machine and then sign the CSR:
openssl x509 -req -in my_csr_file.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out my_csr_file.crt -days 365 -sha256

Back in Salesforce on the key/pair created above use “Upload Signed Certificate” and pick the my_csr_file.crt signed above.

Now the certificate may be mapped to a custom domains (under “Domains”) having Salesforce terminate the SSL connection.