The documentation at http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#selfcert suggests users issue the following command:

    openssl req -new -x509 -nodes -out server.crt -keyout server.key

The default configuration of openssl causes this to issue a certificate with the basic constraints extension having a value of "CA:true" (meaning this is a CA certificate that can issue other certificates). This is not appropriate for a server certificate.

The following command appears to do the right thing:

    openssl req -new -x509 -nodes -out server.crt -keyout server.key -extensions usr_cert
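
Added example (not part of the bug report or the Apache documentation): a shell check of the basicConstraints value that each of the two commands above produces. The config file, the CN and the function names are constructed for this example; the config mirrors a stock openssl.cnf whose [ req ] section sets x509_extensions = v3_ca.

```shell
#!/bin/sh
# Added example. The config is constructed; it mirrors the parts of a stock
# openssl.cnf that matter here, so the result does not depend on the system file.
make_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = www.example.test

[ v3_ca ]
basicConstraints = critical,CA:true

[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}

# Print CA:TRUE, CA:FALSE or absent for the PEM certificate in $1.
ca_flag() {
    openssl x509 -in "$1" -noout -text | awk '
        /CA:TRUE/  { print "CA:TRUE";  found = 1; exit }
        /CA:FALSE/ { print "CA:FALSE"; found = 1; exit }
        END        { if (!found) print "absent" }'
}

# Self-sign a certificate in directory $1 and print its CA flag.
# Any further arguments are passed to "openssl req" unchanged.
gen_cert() {
    dir=$1; shift
    openssl req -new -x509 -nodes -config "$dir/example.cnf" \
        -out "$dir/server.crt" -keyout "$dir/server.key" "$@" 2>/dev/null
    ca_flag "$dir/server.crt"
}

compare() {
    tmp=$(mktemp -d) || return 1
    make_cnf "$tmp/example.cnf"
    echo "documented command:        $(gen_cert "$tmp")"
    echo "with -extensions usr_cert: $(gen_cert "$tmp" -extensions usr_cert)"
    rm -rf "$tmp"
}

compare
```

The same `ca_flag` function can be pointed at an already deployed server.crt to see whether it was issued with the CA flag set.
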
It may be worth mentioning how this was found and some history behind it, which can be found in this Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=990603
Change applied in r1674126. Thanks.