Hi everyone,

Small question about the installation of this tool in a Docker project, I try to install it in a nginx:alpine image, the problem is, once go is installed, here's the error that appears:

# go get -u github.com/FiloSottile/mkcert
# github.com/FiloSottile/mkcert
root/go/src/github.com/FiloSottile/mkcert/cert.go:87:19: undefined: x509.MarshalPKCS8PrivateKey
root/go/src/github.com/FiloSottile/mkcert/cert.go:198:18: undefined: x509.MarshalPKCS8PrivateKey
root/go/src/github.com/FiloSottile/mkcert/go110min.go:8:9: undefined: ThisProjectRequiresGo1·10OrHigher
root/go/src/github.com/FiloSottile/mkcert/go110min.go:8:31: invalid identifier character U+00B7 '·'
root/go/src/github.com/FiloSottile/mkcert/main.go:53:52: flag.CommandLine.Output undefined (type *flag.FlagSet has no field or method Output, but does have flag.output)

I've tried to install it several time (after installing additionals tools) but nothing works, the error stay the same, does anyone has already solved the problem ? 🤔

Thanks for the help 😃

After following all steps in the README for macOS and generating certificates for localhost+7 in ~/Sites/_certificates/, I wonder if there’s some special configuration settings for macOS’ built in Apache (with vhosts).

Would be happy if anyone using mkcert on macOS could share their experiences on how to get mkcert up and running.

This works flawlessly with Chrome, Safari, & Opera - so thank you for that.

Firefox doesn't seem to trust the issuer - I can add an exception to Firefox as a workaround (which I've done in the past for local cert authorities)

test.vm uses an invalid security certificate. 
The certificate is not trusted because the issuer certificate is unknown. 
The server might not be sending the appropriate intermediate certificates. 
An additional root certificate may need to be imported. 
Error code: SEC_ERROR_UNKNOWN_ISSUER


Peer’s Certificate issuer is not recognized. 
HTTP Strict Transport Security: false 
HTTP Public Key Pinning: false 

would be happy to supply more details if needed,

rootCA is installed on my host machine (OSX) and is in a NFS mounted folder shared with a vagrant Centos7/Apache 2.4.6 box

This is not usable as a library dependency for others via go get. Can keep the CLI iface the same, just pull the code into a package and expose things with reasonable names. Everything that can be done via the CLI should be doable programmatically (of course, the CLI code just invokes the lib code). I'd send a PR to do this myself, but I figure such a large refactor (as in size, not effort) should be done by the maintainer.

(also, during the refactoring, fix things like exposed internal variables, use of bool returns instead of error, etc)

ERROR

when i attempt to install mkcert, i get the following error:

➜ mkcert -install
Using the local CA at "/Users/daniel/Library/Application Support/mkcert" ✨
Password:
The local CA is now installed in the system trust store! ⚡️
ERROR: failed to execute "certutil -A": exit status 255

certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

when i google the issue, it says i need to initialize the nss database. i did this, however, and still get the same error above.

➜ ls -la ~/.pki/nssdb/
total 136
drwx------  5 daniel  staff    160 Oct 25 22:45 .
drwxr-xr-x  3 daniel  staff     96 Oct 25 22:44 ..
-rw-------  1 daniel  staff  28672 Oct 25 22:45 cert9.db
-rw-------  1 daniel  staff  36864 Oct 25 22:45 key4.db
-rw-------  1 daniel  staff    431 Oct 25 22:45 pkcs11.txt

I am getting the below error while issuing mkcert -install

Using the local CA at "/Users/spadmanabhan/Library/Application Support/mkcert" ✨
ERROR: failed to execute "security add-trusted-cert": exit status 1

SecTrustSettingsSetTrustSettings: errSecInternalComponent

This is low priority, but it would be cleaner to use cgo like in root_cgo_darwin.go in crypto/x509.

We will probably have to keep the current code as a nocgo fallback though.

Since NSS 3.35 sql is the default DB. So this breaks depending on the NSS version you use.

I have setup mkcert, and in apache config successfully created two sites: hostname.local and somename.test. These two work, but then I also tried to setup a wildcard *.test system where other folders in the ~/Sites are "converted" to .test domains:

<VirtualHost *:443>
  ServerName test
  ServerAlias *.test

  VirtualDocumentRoot "/Users/David/Sites/%-2+"

  SSLEngine on
  SSLCertificateFile "/Users/David/ssl/_wildcard.test.pem"
  SSLCertificateKeyFile "/Users/David/ssl/_wildcard.test-key.pem"
</VirtualHost>

This system in Apache works, but the certificate doesn't work:

FWIW, in Chrome the error is NET::ERR_CERT_COMMON_NAME_INVALID.

I tried running mkcert version 1.1.0 in windows. I got the following error.

$ mkcert-v1.1.0-windows-amd64.exe example.org
Using the local CA at "C:\Users\XXXXX\AppData\Local\mkcert"
ERROR: failed to execute "keytool -list": exec: "": executable file not found in %PATH%

Since name-constrained certs don't work everywhere, leaving the signing key lying around still exposes you to risk of having all of your secure traffic intercepted.

My first thought was that it would be nice to be able to keep the key on a Yubikey, but putting it in the macOS keychain under password/Touch ID protection (or something similar like GNOME keyring) would also be a reasonable intermediate option.

Do you think that would fit in the scope of this project, or should it perhaps be something separate?
(Is there already a PKCS#11 abstraction in Golang that would support this functionality?)

After running command make on Ubuntu 14.04 and go1.2.1 linux/amd64 I get:

mkdir -p ".GOPATH/src/github.com/FiloSottile/mkcert"
rmdir ".GOPATH/src/github.com/FiloSottile/mkcert"
ln -s ../../../.. ".GOPATH/src/github.com/FiloSottile/mkcert"
mkdir -p bin
ln -s ../bin .GOPATH/bin
touch .GOPATH/.ok
GOPATH="/tmp/mkcert/.GOPATH" go install -v github.com/FiloSottile/mkcert
github.com/FiloSottile/mkcert
# github.com/FiloSottile/mkcert
.GOPATH/src/github.com/FiloSottile/mkcert/main.go:160: undefined: x509.MarshalPKCS8PrivateKey
.GOPATH/src/github.com/FiloSottile/mkcert/main.go:233: undefined: x509.MarshalPKCS8PrivateKey
make: *** [covfefe] Error 2

basically looking to generate a key with the header

-----BEGIN RSA PRIVATE KEY-----

Something that is similar to what is generated by this: https://github.com/SergioBenitez/Rocket/blob/master/examples/tls/private/gen_cert.sh

Thank you for this work!

Node uses its own list of accepted CAs, not the system store, thus certificates generated by mkcert are rejected by Node requests.

That said, as of Node v7.3.0, Node implements a NODE_EXTRA_CA_CERTS environment variable that can be used to specify extra rootCAs to trust. So it sounds like this could be remedied by setting this environment variable to the rootCA path during -install.

it's great tool :) it's friendly for Golang developer. Did you have any plan to generate PKCS12 for Java developer, and they will execute command to convert pem to PKCS12. command as following:

openssl pkcs12 -export -in example.com.pem -inkey example.com-key.pem -out example.com.p12 -name mkcert -CAfile rootCA-key.pem -caname root

Mby it's worth to give users who have a firefox master password a hint that they should enter this when they see "Enter Password or Pin for "NSS Certificate DB""

I’m running Ubuntu via vagrant on a Mac. Do I install and run this on the host or guest OS?

Ability to customise the names of output key and cert files would be a great usability feature

I suggest flags like

• --o-key-file
• --o-cert-file

So

mkcert example.com '*.example.org' myapp.dev localhost 127.0.0.1 ::1  --o-key-file my-cert.pem  --o-cert-file my-key.pem

would generate my-cert.pem and my-key.pem instead of the random looking ./example.com+5.pem ./example.com+5-key.pem

I cloned the repo at commit 073ee25.

When executing make, I get the following error:

GOPATH="/root/git/mkcert/.GOPATH" go install -v github.com/FiloSottile/mkcert
github.com/FiloSottile/mkcert
# github.com/FiloSottile/mkcert
.GOPATH/src/github.com/FiloSottile/mkcert/cert.go:67: undefined: x509.MarshalPKCS8PrivateKey
.GOPATH/src/github.com/FiloSottile/mkcert/cert.go:141: undefined: x509.MarshalPKCS8PrivateKey
Makefile:5: recipe for target 'mkcert' failed
make: *** [mkcert] Error 2

Am I missing some step for the installation?

I follow the document steps.
The first step: mkcert -install

Created a new local CA at "/Users/**/Library/Application Support/mkcert" 💥
Password: ******

But it's wrong.
Error INFO:
ERROR: failed to execute "certutil -A": exit status 255
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

I don't know what to do
Ask for help, please!

Currently the following will use UserAndHostname for certificate subject and Issuer OrganizationalUnit:

It would be nice to be able to specify a different OrganizationalUnit, maybe with -org-unit=

I know it's mentioned in the README that this support is coming soon, but I'd like to correlate it to an issue that can be tracked. :)

Hello FiloSottile,

I'm trying to install mkcert on Ubuntu 18.04. I have already installed libnss3-tools and downloaded the mkcert tarball

apt install libnss3-tools

wget https://github.com/FiloSottile/mkcert/archive/v1.0.0.tar.gz

I'm not sure how to proceed from there. Kindly assist me. Thank you.

mkcert.exe -install with set JAVA_HOME fails with following error:

ERROR: failed to execute "keytool -importcert": exec: "sudo": executable file not found in %PATH%

I understand wanting to keep mkcert development CA in the name so no shenanigans like Some Big Name Legit Authority CA but it would be useful to add a comment similar to the process of setting up a GPG key. It asks for your Name, Email, and an Optional comment. In GPG world it's so you could have John Doe (Work Correspondence Only) <[email protected]>.

For here it would be to differentiate my mkcert development CA from someone else's mkcert development CA. Yes, the serial numbers will be different but at glance see a certificate was issued by (don't think you can have parenthesis in a subject name) mkcert development CA - vrillusions dev work or similar would be useful.

User experience could be something similar to GPG process where the mkcert development CA is hardcoded then prompt for an optional comment.

Certificate generated is not working with IE 11 & Edge, giving this error (error code: DLG_FLAGS_INVALID_CA)

Hi there,

sounds like an awesome tool.
I fiddled around with CA and local certs one or two weeks ago and kind of got it working but it was a lot of work to do - you tool seems to be so much easier.

But what I didn't manage was to get the cert accepted on my Android device so I can do local testing there.
(Website on my computer, open to be seen from the network through IP address but via HTTPS -> needs to have an accepted cert).
As far as I got this right, I could put the CA on my Android device and that should work. But how?

Do you have ideas for that?

Hi!

First of all: big thanks, super awesome project which is really helpful for local development environments!

This is my first time using this and I use MacPorts as my preferred package manager on my macOS 10.13.6 machine. (I do have Homebrew installed, but only for a few packages which aren't available with MacPorts)

So as the installation instructions mention, I've installed mkcert and nss using Macports

But mkcert can't seem to find the certutil util:

$ mkcert -install
Using the local CA at "/Users/me/Library/Application Support/mkcert" ✨
Warning: "certutil" is not available, so the CA can't be automatically installed in Firefox! ⚠️
Install "certutil" with "brew install nss" and re-run "mkcert -install" 👈

Even though certutil is installed and is in my $PATH:

$ command -v certutil
/opt/local/bin/certutil

$ which certutil
/opt/local/bin/certutil

I think this is because it's assumed that Homebrew is used to install nss on macOS: https://github.com/FiloSottile/mkcert/blob/e5f9c16/truststore_nss.go#L31

Would there be a possibility to change the logic to use whatever certutil command is available on the $PATH before trying to find it in hardcoded locations?

Thanks!

The SystemTrustFilename should depend on the caUniqueName.

Hi, totally newbie question here. I'm not a web developer and this is the first time I configure self-signed certificates, so bear with me. Also I'd like to propose adding a section in the documentation for people in my situation.

This is what I'm currently doing, step by step command-line style. Server is an Amazon AWS machine with Ubuntu 16.04, in which I'm doing some WebRTC tests; Chrome and Firefox will refuse to allow webcam and microphone access to insecure sites (except for localhost), so I need to serve an HTTPS page from my test server:

# [On DEV] Set up 'mkcert'
curl -o mkcert -L 'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-linux-amd64'
chmod +x mkcert

# [On DEV] Create a CA used for signing certificates, copy it to CLIENTs
sudo apt-get install -y libnss3-tools
./mkcert -install
scp "$(./mkcert -CAROOT)/rootCA.pem" user@${LINUX_CLIENT}:
scp "$(./mkcert -CAROOT)/rootCA.pem" user@${MAC_CLIENT}:

# [On DEV] Create certificate for needed domains, copy it to SERVER
./mkcert '*.compute.amazonaws.com' localhost 127.0.0.1
scp ./_wildcard.compute.amazonaws.com+2.pem     user@${SERVER}:cert.pem
scp ./_wildcard.compute.amazonaws.com+2-key.pem user@${SERVER}:key.pem

# [On SERVER] Start HTTPS server using Node.js
curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
sudo apt-get install -y nodejs
sudo npm install -g http-server
http-server -p 8080 --ssl --cert ~/cert.pem --key ~/key.pem ~/web

# [On LINUX_CLIENT] Set up 'mkcert', install CA
curl -o mkcert -L 'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-linux-amd64'
chmod +x mkcert
sudo apt-get install -y libnss3-tools
CAROOT="$PWD" ./mkcert -install

# [On MAC_CLIENT] Set up 'mkcert', install CA
curl -o mkcert -L 'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-darwin-amd64'
chmod +x mkcertm
brew install nss
CAROOT="$PWD" ./mkcert -install

At this point, I open this URL in Chrome:
https://ec2-11-22-33-44.region.compute.amazonaws.com:8080/

But it still shows a warning page right before loading, and after dismissing the warning, a RED warning with "Not secure" text is shown in the address bar.

What I expected is that Chrome loads the page without any security warnings and with a GREEN lock in the address bar.

What steps I'm missing to make this work as intended?

I wanted to do this because the name that AWS gives your machine depends on the region of that particular machine and it also changes every time the machine starts up, so the best would be to have a certificate that doesn't mind what is the actual name of the subdomain, and be able to use the generated cert in several machines.

---- UPDATE ----

The reason for this problem is that a restriction exists in how the wildcard certificates work by spec, not anything to do specifically with mkcert. It turns out that a wildcard such *.example.com won't match sub-subdomains such as a.b.example.com.

Solution is to use wildcards for only one subdomain level:

# [On DEV] Create certificate for needed domains, copy it to SERVER
./mkcert '*.region.compute.amazonaws.com' localhost 127.0.0.1
scp ./_wildcard.region.compute.amazonaws.com+2.pem     user@${SERVER}:cert.pem
scp ./_wildcard.region.compute.amazonaws.com+2-key.pem user@${SERVER}:key.pem

Currently have a local app running on localhost. (running OSX)

Created certificates with

mkcert -install
mkcert localhost

and also did brew install nss and reran install to fix firefox.

On node, this works fine like so, and I'm able to load https://localhost:

const privateKey = fs.readFileSync('./certs/localhost-key.pem', 'utf8');
const certificate = fs.readFileSync('./certs/localhost.pem', 'utf8');
const credentials = { key: privateKey, cert: certificate };
const app = express();
const httpsServer = https.createServer(credentials, app);

However, I have a separate python script that I want to be able to access my local server.

This works fine and I'm able to see the proper JSON response:

def getUrlsToScrape():
  r = requests.get('https://localhost:1979/companies/urls', verify=False)
  return r.json()

However, I'd like to remove my warning so I tried referencing my cert and key files like below:

def getUrlsToScrape():
  r = requests.get('https://localhost:1979/companies/urls', cert=(os.path.join(dirname, '../../certs/localhost.pem'), os.path.join(dirname, '../../certs/localhost-key.pem')))
  return r.json()

but unfortunately I get the following error:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 441, in wrap_socket
    cnx.do_handshake()
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1907, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 329, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 448, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='localhost', port=1979): Max retries exceeded with url: /companies/urls (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify
failed')],)",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "src/scripts/li_scrape.py", line 56, in <module>
    urlsToScrape = getUrlsToScrape()
  File "src/scripts/li_scrape.py", line 28, in getUrlsToScrape
    os.path.join(dirname, '../../certs/localhost-key.pem')))
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='localhost', port=1979): Max retries exceeded with url: /companies/urls (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

I am using the requests library, using instructions here - http://docs.python-requests.org/en/master/user/advanced/?highlight=ssl#client-side-certificates

Good day!

This project is something I've been dreaming to happen for a long time. And now it is ready for Windows so a dream comes true) Thanks for this!

I did try to install and make it work, but could not cope and do not know what to do next.

What I did:

1. Downloaded mkcert-v1.1.2-windows-amd64.exe from here.
2. Moved the file to a folder in Windows path and renamed it to mkcert.exe so it could be called from cmd with just mkcert.
3. In cmd ran mkcert -install. There was a popup to confirm adding local CA to trusted system store (or something like that). I agreed. There was all the expected messages in the cmd. Two files were added to C:\Users\ХХХ\AppData\Local\mkcert\: rootCA.pem and rootCA-key.pem.
4. Ran mkcert test.xyz. Two files were added to C:\Users\XXX\: test.xyz.pem and test.xyz-key.pem (is it the right place to add them???)
5. Launched a local dev server with the test.xyz configured to be served both on http and https.
6. Opened Chrome (Firefox is said to be not supported). Entered https://test.xyz in the address bar.
7. Got an ERR_SSL_SERVER_CERT_BAD_FORMAT error.

What did i do wrong? How can I debug?

This error appears when i do "mkcert -install"

ERROR: failed to execute "certutil -A": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

On macOS Mojave 10.14 (18A391) using iTerm2 Build 3.2.5 and zsh 5.6.2 (x86_64-apple-darwin18.0.0)
and Homebrew 1.8.1 Homebrew/homebrew-core (git revision d338a; last commit 2018-11-01)

Installed mkcert with:

# brew install mkcert
# brew install nss

Then running command mkcert -install fails with:

Created a new local CA at "/Users/tommasoricci/Library/Application Support/mkcert" 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox trust store (requires browser restart)! 🦊
ERROR: failed to execute "keytool -list": fork/exec bin/keytool: no such file or directory

I've been trying to get local https to work forever, you should post in the the top StackOverflow questions:

https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate
https://stackoverflow.com/search?q=self+signed+certificate

Many companies have internal CAs and wish for them to be installed. If -install took a certificate that would allow operators a "one command" type install.

$ mkcert -install company-ca.pem 

$ cat company-ca.pem | mkcert -install

Does this certificate work for mitm ssl capture?

I use Firefox Developer Edition. I also install apps in $HOME/Applications. I've symlinked $HOME/Applications/Firefox Developer Edition.app to /Applications/Firefox.app in an effort to possibly solve this mkcert issue. Perhaps I've solved it given the output I see:

→ mkcert -install
Using the local CA at "/Users/[user]/Library/Application Support/mkcert" ✨
Installing in Firefox failed. Please report the issue with details about your environment at https://github.com/FiloSottile/mkcert/issues/new 👎
Note that if you never started Firefox, you need to do that at least once.
The local CA is now installed in the Firefox trust store (requires browser restart)! 🦊

But I'm a bit confused about what's actually happened. "Using local CA... Firefox installation failed... local CA is now installed in Firefox..."

That said, I have made good use of mkcert: system keychain trusts the root, certs are created for local vhosts, paths to ipv4 & ipv6 pem files are correctly set in Nginx conf files, browsers are validating the certs... but perhaps I'm taking the long way around it.

Any clarification would be greatly appreciated.

Hi, while I don't have a use case for mkcert, I've just recently written a shell script which inserts a CA into all browser profiles for a user, and I thought I just leave some hints here:

• For Firefox, the cert needs to be inserted into each NSS db in each profile directory within ~/.mozilla/firefox, using certutil. The code in truststore_firefox.go looks good already
• For Chromium (and probably also Chrome), there's a central NSS db in ~/.pki/nssdb into which the certificate can be added via certutil, very similar to Firefox

That should do the trick for Linux for the most widely used browsers at least (which should cover like 90% of the use cases out there).

Adding the certificate to the system's trust store depends on the Linux distribution, it's a lot more complex. For Fedora, the browsers also trust certificates in the system-wide trust store in /etc, on Debian that's not the case: browsers just ignore all system ca certificates.

I'm using this tool with vagrant. The services within vagrant need to communicate with each other and therefore need the ca to accept the certificates.
To add the ca I first need to get the certificate. While it is rather easy to find a command to simplify it even more would be nice.

One or both of the following might be useful:
mkcert -capath that just returns the path to rootCA.pem
mkcert -cacopy <path> that copies the rootCA.pem to <path>

As this tools aims to make stuff as easy as possible this might be a good addition as it takes away the extra step figuring out the path of the ca certificate.

I'm looking to leverage this on internally hosted Home Assistant and they have a Nginx proxy. I want to be able to access the web application via something like "https://hassio.local". I can create the cert and the key with mkcert but the Nginx addon for HA needs the fullchain.

Hey Filippo,
Thanks for putting together this tool -- I hacked a solution for this use case on Windows before and it was not easy to do.

The first thing I tried was to create a wildcard cert:

ERROR: "*.test.com" is not a valid hostname or IP

This regex doesn't allow asterisks which is at least part of the issue:
https://github.com/FiloSottile/mkcert/blob/master/main.go#L104

Should we support this?

Cheers! 🦄

mkcert example.com '*.example.org' myapp.dev localhost 127.0.0.1 ::1 creates the certificate and chain at /Users/WARL0CK/Library/Application Support/mkcert successfully.

nginx running at localhost:80 doesn't reflect https on any browser, even after multiple cert builds and server restarts.

Am running this on macOS High Sierra Version 10.13.5.

I am trying to run mkcert within Ubuntu on Windows 10. While reading this guide on how to create a Slate theme for Shopify, I downloaded brew on my Ubuntu terminal, then ran brew install mkcert. Now, for some reason, when I run mkcert -install, it returns:

error: unknown option `i'

Further, when I tried to run brew remove mkcert in an attempt to uninstall and reinstall, mkcert didn't actually get removed during that process and it's just kind of stuck like that now. Has anyone ever seen this before?

It's even doing the same thing when I download from Chocolatey in Powershell.

I'm not an expert in this matter, but I really need help as I exhausted all the resources I had available (SO mostly).
So, what I need is to be capable to communicate over "https" with a local OWIN server (hosted inside a console application). Until now what I was doing was to generate a self-signed-certificate (from Windows), add it to the windows certificate store and then register it to the localhost for a specific port as follows :

netsh http add urlacl url=https://localhost:1234/ user=Everyone
netsh http add sslcert ipport=0.0.0.0:1234 certhash= appid={generate-guid}

This doesn't work properly and I will receive an 'ugly' : "Not Secure" mark form chrome browser.
What I tried to do with your application was to generate a certificate (in either .pem or .p12 format) , import it in the 'Local Computer->Trusted root' certificates store and then try to use it in the manner described above - where the <cert-thumb...> will be the thumbprint of the "mkcert" generated certificate.
I was not able to get to any successful result as I will always received:

"SSL Certificate add failed, Error: 1312
A specified logon session does not exist. It may already have been terminated. "

Can you please give me a couple of pointers on how to use your application in Windows in order to get a proper local-certificate ?
Btw - after executing "mkcert -install" I will receive :

D:_Projects\localhost-certificate>mkcert -install
Using the local CA at "C:\Users\bogdan\AppData\Local\mkcert" ✨
Note: Firefox support is not available on your platform.

What is different from this message and the one that you are presenting is the mention that :
The local CA is now installed in the system trust store! - which I don't have in my case.

Thank you in advance.