Mkcert: valid HTTPS certificates for localhost

    Nowadays, the use of HTTPS becomes mandatory for all sites and web applications. But in the development process there is a problem of correct testing. Naturally, Let's Encrypt and other CAs do not issue certificates for localhost.

    Traditionally there are two solutions.

    1. Self-signed certificates generated via openssl or others. Here is the easiest way to generate a private key and self-signed certificate for localhost:

      openssl req -x509 -out localhost.crt -keyout localhost.key \
        -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=localhost' -extensions EXT -config <( \
         printf"[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

      But such a certificate will cause trust errors in browsers, because the corresponding certificate authority is missing in the trust store.
    2. The trick is to register a new domain like, which locally resolves to (in / etc / hosts), to get the usual certificate for this domain. But such a fraud is dubious from the point of view of security - at least, for public services, such a resolving is extremely discouraged from doing so is not recommended because of a possible MiTM attack with a change to a hostile IP address. If we confine ourselves only to the local machine, then this may be a suitable option, although some doubts also arise. In addition, such a certificate may be revoked. In any case, there is an easier and safer option (see below).

    This is mkcert , a simple utility for generating locally-trusted certificates with its own certificate authority . It works under all operating systems and does not require any configuration.

    Linux version

    First you need to install certutil.

    sudo apt install libnss3-tools
    sudo yum install nss-tools
    sudo pacman -S nss


    brew install mkcert

    or compile from source:

    go get -u
    $(go env GOPATH)/bin/mkcert

    MacOS version

    brew install mkcert
    brew install nss # if you use Firefox

    Windows version

    Under Windows, you can download collected binaries or use one of the package managers: Chocolatey or Scoop.

    choco install mkcert
    scoop install mkcert

    Having a local certification authority is the most important difference between mkcert and openssl and self-signed certificates, because when running such a CA, there are no local errors of trust.

    In principle, you can start and configure your own CA using other means, but this requires uncommon knowledge and skills. It does everything by itself, without any additional keys and settings. Just install the program - and it automatically creates a local certification authority and enters it into the trusted system repository and Firefox trusted repository.

    $ mkcert -install
    Created a new local CA at "/Users/filippo/Library/Application Support/mkcert" 
    The local CA is now installed in the system trust store! ️
    The local CA is now installed in the Firefox trust store (requires restart)!

    Also popular now: