Mkcert: valid HTTPS certificates for localhost
Nowadays, the use of HTTPS becomes mandatory for all sites and web applications. But in the development process there is a problem of correct testing. Naturally, Let's Encrypt and other CAs do not issue certificates for localhost.
Traditionally there are two solutions.
- Self-signed certificates generated via openssl or others. Here is the easiest way to generate a private key and self-signed certificate for localhost:
openssl req -x509 -out localhost.crt -keyout localhost.key \ -newkey rsa:2048 -nodes -sha256 \ -subj '/CN=localhost' -extensions EXT -config <( \ printf"[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
But such a certificate will cause trust errors in browsers, because the corresponding certificate authority is missing in the trust store.
- The trick is to register a new domain like localhost.example.com, which locally resolves to 127.0.0.1 (in / etc / hosts), to get the usual certificate for this domain. But such a fraud is dubious from the point of view of security - at least, for public services, such a resolving is extremely discouraged from doing so is not recommended because of a possible MiTM attack with a change to a hostile IP address. If we confine ourselves only to the local machine, then this may be a suitable option, although some doubts also arise. In addition, such a certificate may be revoked. In any case, there is an easier and safer option (see below).
This is mkcert , a simple utility for generating locally-trusted certificates with its own certificate authority . It works under all operating systems and does not require any configuration.
First you need to install
sudo apt install libnss3-tools -или- sudo yum install nss-tools -или- sudo pacman -S nss
brew install mkcert
or compile from source:
go get -u github.com/FiloSottile/mkcert $(go env GOPATH)/bin/mkcert
brew install mkcert brew install nss # if you use Firefox
Under Windows, you can download collected binaries or use one of the package managers: Chocolatey or Scoop.
choco install mkcert -или- scoop install mkcert
Having a local certification authority is the most important difference between mkcert and openssl and self-signed certificates, because when running such a CA, there are no local errors of trust.
In principle, you can start and configure your own CA using other means, but this requires uncommon knowledge and skills. It does everything by itself, without any additional keys and settings. Just install the program - and it automatically creates a local certification authority and enters it into the trusted system repository and Firefox trusted repository.
$ mkcert -install Created a new local CA at "/Users/filippo/Library/Application Support/mkcert" The local CA is now installed in the system trust store! ️ The local CA is now installed in the Firefox trust store (requires restart)!