Valid SSL certificates for local development

A few weeks ago I bumped into mkcert, a tool written by Filippo, the same guy behind the popular Heartbleed test tool.

The tool in question answers one simple need:

By creating a local root CA file that gets installed in your system, making all certificates issued by mkcert trusted:

After downloading the latest release from GitHub you can simply “install” it by running mkcert -install. Once that is done, you can create your first certificate, trusted by your own system:

$ mkcert somedomain.local

Using the local CA at "/home/alex/.local/share/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "somedomain.local"

The certificate is at "./somedomain.local.pem" and the key at "./somedomain.local-key.pem" ✅

For example, here’s what it would look like if you had to boot a node server with SSL support:

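const fs = require('fs')
const https = require('https')

// Key and certificate generated by `mkcert somedomain.local`
const options = {
  key: fs.readFileSync(__dirname + '/somedomain.local-key.pem'),
  cert: fs.readFileSync(__dirname + '/somedomain.local.pem')
};

// Port 443 is privileged on most systems, so this needs elevated rights
https.createServer(options, (req, res) => {
  res.writeHead(200)
  res.end(`Got SSL?`)
}).listen(443)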

Pretty neat, eh? What mkcert does is simply add another CA file to your system (I guess under /etc/ssl/certs/ca-certificates.crt, but I’m not entirely sure) so that browsers consider these certificates trusted — a nice workaround to trick any HTTP client.
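Node's own HTTPS client does not read the system trust store, so a script calling the server above has to be handed the mkcert root explicitly. The following is an added example, not code from the original post or from mkcert: it locates the CA directory, flags a root key readable by other users, and builds client options that trust only that root with verification left on. The function names are hypothetical, and the default paths and the rootCA.pem / rootCA-key.pem file names are assumptions about mkcert's defaults (mkcert -CAROOT prints the real location).

```javascript
const fs = require('fs')
const path = require('path')

// Assumed mkcert defaults: $CAROOT wins, then a per-OS data directory.
// `mkcert -CAROOT` prints the authoritative location.
function mkcertCaRoot(env = process.env, platform = process.platform) {
  if (env.CAROOT) return env.CAROOT
  if (platform === 'win32') return path.win32.join(env.LOCALAPPDATA || '', 'mkcert')
  if (env.XDG_DATA_HOME) return path.posix.join(env.XDG_DATA_HOME, 'mkcert')
  if (!env.HOME) return '' // no default can be derived without $HOME
  const base = platform === 'darwin'
    ? ['Library', 'Application Support']
    : ['.local', 'share']
  return path.posix.join(env.HOME, ...base, 'mkcert')
}

// The root key can sign a certificate for any name this machine will trust,
// so report it when group or other users can read it.
function auditCaKey(caRoot) {
  const keyPath = path.join(caRoot, 'rootCA-key.pem')
  const mode = fs.statSync(keyPath).mode & 0o777
  return { keyPath, mode: mode.toString(8), exposed: (mode & 0o077) !== 0 }
}

// Passing `ca` replaces Node's bundled CA list, so this client trusts only
// the local root. Certificate verification stays on.
function localTlsOptions(caRoot) {
  return {
    ca: fs.readFileSync(path.join(caRoot, 'rootCA.pem')),
    rejectUnauthorized: true
  }
}

// Request "/" from the local HTTPS server and resolve with the status code.
function getStatus(hostname, caRoot = mkcertCaRoot()) {
  const audit = auditCaKey(caRoot)
  if (audit.exposed) console.warn(`${audit.keyPath} has mode ${audit.mode}`)
  const options = { hostname, port: 443, path: '/', ...localTlsOptions(caRoot) }
  return new Promise((resolve, reject) => {
    require('https').get(options, res => {
      res.resume() // discard the body, only the status matters here
      resolve(res.statusCode)
    }).on('error', reject)
  })
}
```

Calling getStatus('somedomain.local') against the server above should resolve with 200; for tools you cannot modify, Node's NODE_EXTRA_CA_CERTS environment variable pointed at rootCA.pem has a similar effect.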

Adios!

