As a developer, operator, and architect, I am always evaluating technological solutions. A fair number of these solutions use TLS, which requires minting new certificates. I recently came across mkcert, which makes it SUPER easy to provision new certificates for development and testing. To get started with mkcert, you will need to run it with the “-install” option:
$ mkcert -install
Created a new local CA at "/home/vagrant/.local/share/mkcert" 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)!
This will create a new CA certificate in $HOME/.local/share/mkcert, and update your trust stores so curl, Firefox, etc. won’t complain when they connect to a TLS endpoint that uses a mkcert minted certificate. To actually create a certificate, you can run mkcert with the common name you want assigned to the certificate:
$ mkcert localhost
Using the local CA at "/home/vagrant/.local/share/mkcert" ✨
Created a new certificate valid for the following names 📜
- "localhost"
The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅
That’s it! You now have a RootCA, a private key, and an X.509 certificate to use for testing. It takes seconds to create them, and you can fire up your favorite service with the generated certs:
$ openssl s_server -cert localhost.pem -key localhost-key.pem -www -accept 8443 &
$ curl -D - https://localhost:8443
ACCEPT
HTTP/1.0 200 ok
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: XXXX
Session-ID-ctx: 01000000
Master-Key: XXXX
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1593446296
Timeout : 300 (sec)
Verify return code: 0 (ok)
...
The certificate and private key are created in your current working directory, and the RootCA certificate is placed in $HOME/.local/share/mkcert by default. All of these files are PEM encoded, so openssl and company can be used to print their contents. In addition, mkcert will populate the nssdb file in your home directory with the RootCA:
$ ls -la /home/vagrant/.pki/nssdb
total 32
drwxrw----. 2 vagrant vagrant 55 Jun 29 15:45 .
drwxrw----. 3 vagrant vagrant 19 Mar 31 18:20 ..
-rw-------. 1 vagrant vagrant 10240 Jun 29 15:45 cert9.db
-rw-------. 1 vagrant vagrant 13312 Jun 29 15:45 key4.db
-rw-------. 1 vagrant vagrant 436 Jun 29 15:45 pkcs11.txt
$ certutil -L -d sql:/home/vagrant/.pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
mkcert development CA 196291963499902809203365320023044568657 C,,
While I still love OpenSSL and cfssl, this is my new go to for quickly minting certificates for development and testing. Amazing stuff!