As a developer, operator, and architect, I am always evaluating technological solutions. A fair number of these solutions use TLS, which requires minting new certificates. I recently came across mkcert, which makes it SUPER easy to provision new certificates for development and testing. To get started with mkcert, you will need to run it with the “-install” option:
Created a new local CA at "/home/vagrant/.local/share/mkcert" 💥 The local CA is now installed in the system trust store! ⚡️ The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)!
This will create a new CA certificate in $HOME/.local/share/mkcert, and update your trust stores so curl, Firefox, etc. won’t complain when they connect to a TLS endpoint that uses a mkcert minted certificate. To actually create a certificate, you can run mkcert with the common name you want assigned to the certificate:
Using the local CA at "/home/vagrant/.local/share/mkcert" ✨ Created a new certificate valid for the following names 📜 - "localhost" The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅
That’s it! You now have a RootCA, a private key, and an X.509 certificate to use for testing. It takes seconds to create them, and you can fire up your favorite service with the generated certs:
openssl s_server -cert localhost.pem -key localhost-key.pem -www -accept 8443 &
curl -D - https://localhost:8443
ACCEPT HTTP/1.0 200 ok ... New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: XXXX Session-ID-ctx: 01000000 Master-Key: XXXX Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1593446296 Timeout : 300 (sec) Verify return code: 0 (ok) ...
The certificate and private key are created in your current working directory, and the RootCA certificate is placed in $HOME/.local/share/mkcert by default. All of these files are PEM encoded, so openssl and company can be used to print their contents. In addition, mkcert will populate the nssdb file in your home directory with the RootCA:
ls -la /home/vagrant/.pki/nssdb
total 32 drwxrw----. 2 vagrant vagrant 55 Jun 29 15:45 . drwxrw----. 3 vagrant vagrant 19 Mar 31 18:20 .. -rw-------. 1 vagrant vagrant 10240 Jun 29 15:45 cert9.db -rw-------. 1 vagrant vagrant 13312 Jun 29 15:45 key4.db -rw-------. 1 vagrant vagrant 436 Jun 29 15:45 pkcs11.txt
certutil -L -d sql:/home/vagrant/.pki/nssdb
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI mkcert development CA 196291963499902809203365320023044568657 C,,
While I still love OpenSSL and cfssl, this is my new go to for quickly minting certificates for development and testing. Amazing stuff!