Using mkcert to quickly create certificates for testing and development environments

As a developer, operator, and architect, I am always evaluating technological solutions. A fair number of these solutions use TLS, which requires minting new certificates. I recently came across mkcert, which makes it SUPER easy to provision new certificates for development and testing. To get started with mkcert, you will need to run it with the “-install” option:

$ mkcert -install

Created a new local CA at "/home/vagrant/.local/share/mkcert" 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)!

This will create a new CA certificate in $HOME/.local/share/mkcert, and update your trust stores so curl, Firefox, etc. won’t complain when they connect to a TLS endpoint that uses a mkcert minted certificate. To actually create a certificate, you can run mkcert with the common name you want assigned to the certificate:

$ mkcert localhost

Using the local CA at "/home/vagrant/.local/share/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "localhost"

The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅

That’s it! You now have a RootCA, a private key, and an X.509 certificate to use for testing. It takes seconds to create them, and you can fire up your favorite service with the generated certs:

$ openssl s_server -cert localhost.pem -key localhost-key.pem -www -accept 8443 &

$ curl -D - https://localhost:8443

HTTP/1.0 200 ok
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: XXXX
    Session-ID-ctx: 01000000
    Master-Key: XXXX
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1593446296
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

The certificate and private key are created in your current working directory, and the RootCA certificate is placed in $HOME/.local/share/mkcert by default. All of these files are PEM encoded, so openssl and company can be used to print their contents. In addition, mkcert will populate the nssdb file in your home directory with the RootCA:

$ ls -la /home/vagrant/.pki/nssdb

total 32
drwxrw----. 2 vagrant vagrant    55 Jun 29 15:45 .
drwxrw----. 3 vagrant vagrant    19 Mar 31 18:20 ..
-rw-------. 1 vagrant vagrant 10240 Jun 29 15:45 cert9.db
-rw-------. 1 vagrant vagrant 13312 Jun 29 15:45 key4.db
-rw-------. 1 vagrant vagrant   436 Jun 29 15:45 pkcs11.txt

$ certutil -L -d sql:/home/vagrant/.pki/nssdb

Certificate Nickname                                         Trust Attributes

mkcert development CA 196291963499902809203365320023044568657 C,,

While I still love OpenSSL and cfssl, this is my new go to for quickly minting certificates for development and testing. Amazing stuff!

This article was posted by on 2020-06-29 00:00:00 -0500 -0500