Convert Figma logo to code with AI

FiloSottile logomkcert

A simple zero-config tool to make locally trusted development certificates with any names you'd like.

48,328
2,494
48,328
146
View on GitHub

Top Related Projects

certbot's avatar

certbot

31,293

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

square's avatar

certstrap

2,265

Tools to bootstrap CAs, certificate requests, and signed certificates.

smallstep's avatar

certificates

6,580

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

cloudflare's avatar

cfssl

8,649

CFSSL: Cloudflare's PKI and TLS toolkit

OpenVPN's avatar

easy-rsa

4,030

easy-rsa - Simple shell based CA utility

letsencrypt's avatar

boulder

5,173

An ACME-based certificate authority, written in Go.

Quick Overview

mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration and automatically creates and installs a local CA in the system root store. This allows developers to quickly set up HTTPS for local development environments without browser security warnings.

Pros

  • Easy to use with zero configuration required
  • Automatically creates and installs a local Certificate Authority
  • Works across multiple platforms (Windows, macOS, Linux)
  • Supports multiple domains and wildcards

Cons

  • Not suitable for production use or public-facing servers
  • Requires root/administrator access for initial setup
  • May interfere with existing local CAs if not managed carefully
  • Limited to local development environments only

Getting Started

  1. Install mkcert:

    # On macOS using Homebrew
brew install mkcert
brew install nss # if you use Firefox

# On Windows using Scoop
scoop bucket add extras
scoop install mkcert

  2. Install the local CA:

    mkcert -install

  3. Generate certificates:

    mkcert example.com "*.example.com" localhost 127.0.0.1 ::1

This will create a certificate valid for example.com, *.example.com, localhost, 127.0.0.1, and ::1, signed by your local CA.

Competitor Comparisons

certbot logo

certbot

31,293

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

Pros of certbot

  • Provides official Let's Encrypt certificates for public domains
  • Supports automatic renewal of certificates
  • Offers plugins for various web servers and operating systems

Cons of certbot

  • More complex setup and configuration process
  • Requires public domain and server access
  • Not suitable for local development or internal networks

Code comparison

mkcert:

mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

certbot:

certbot certonly --standalone -d example.com -d www.example.com

mkcert focuses on simplicity for local development, generating trusted certificates with a single command. certbot is designed for production environments, requiring more configuration but providing official Let's Encrypt certificates.

mkcert is ideal for developers working on local projects or internal networks, while certbot is better suited for public-facing websites and servers requiring valid SSL/TLS certificates.

Both tools serve different purposes: mkcert simplifies local development with self-signed certificates, while certbot automates the process of obtaining and renewing official certificates for production environments.

square logo

certstrap

2,265

Tools to bootstrap CAs, certificate requests, and signed certificates.

Pros of certstrap

  • More flexible and customizable, allowing for advanced certificate configurations
  • Supports generating intermediate CAs and client certificates
  • Provides a command-line interface for easier integration into scripts and automation

Cons of certstrap

  • Less user-friendly for beginners compared to mkcert's simplicity
  • Requires more manual configuration and understanding of PKI concepts
  • Lacks automatic installation of root certificates in system/browser trust stores

Code Comparison

mkcert:

mkcert example.com "*.example.com" localhost 127.0.0.1 ::1

certstrap:

certstrap init --common-name "Example CA"
certstrap request-cert --domain example.com
certstrap sign example.com --CA "Example CA"

mkcert focuses on simplicity and ease of use, automatically handling trust store installation and supporting multiple domains in a single command. certstrap offers more granular control over the certificate generation process, requiring separate steps for initialization, certificate requests, and signing.

Both tools are valuable for local development and testing environments, with mkcert being more suitable for quick setups and certstrap offering more advanced features for complex PKI scenarios.

smallstep logo

certificates

6,580

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

Pros of certificates

  • More comprehensive PKI solution, offering a full-featured certificate authority
  • Supports various protocols and integrations (e.g., ACME, SCEP, EST)
  • Provides advanced features like certificate revocation and renewal

Cons of certificates

  • More complex setup and configuration compared to mkcert
  • Steeper learning curve for users new to PKI concepts
  • Requires more system resources due to its broader feature set

Code comparison

mkcert:

cert, err := mkcert.NewCertificate([]string{"example.com"}, now, now.Add(365*24*time.Hour))
if err != nil {
    log.Fatal(err)
}

certificates:

cert, err := ca.Sign(&x509.Certificate{
    Subject:     pkix.Name{CommonName: "example.com"},
    NotBefore:   time.Now(),
    NotAfter:    time.Now().Add(365 * 24 * time.Hour),
    KeyUsage:    x509.KeyUsageDigitalSignature,
    ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
})

Both projects aim to simplify certificate management, but certificates offers a more robust solution for enterprise-level PKI needs, while mkcert focuses on simplicity for local development environments.

cloudflare logo

cfssl

8,649

CFSSL: Cloudflare's PKI and TLS toolkit

Pros of cfssl

  • More comprehensive PKI toolkit with broader functionality
  • Supports advanced features like OCSP and CRL generation
  • Designed for enterprise-level certificate management

Cons of cfssl

  • Steeper learning curve and more complex setup
  • Requires more system resources and dependencies
  • Less user-friendly for simple, local development use cases

Code Comparison

mkcert:

mkcert -install
mkcert example.com "*.example.com" localhost 127.0.0.1 ::1

cfssl:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json \
    -profile=server server.json | cfssljson -bare server

Summary

mkcert is a lightweight, user-friendly tool for generating locally-trusted development certificates. It's ideal for individual developers and small teams working on local projects.

cfssl is a more robust, feature-rich PKI toolkit suitable for enterprise-level certificate management. It offers advanced functionality but requires more setup and expertise to use effectively.

Choose mkcert for quick, easy local development certificates, and cfssl for comprehensive PKI management in larger, more complex environments.

OpenVPN logo

easy-rsa

4,030

easy-rsa - Simple shell based CA utility

Pros of easy-rsa

  • More comprehensive PKI management solution
  • Supports a wider range of certificate types and use cases
  • Better suited for complex enterprise environments

Cons of easy-rsa

  • Steeper learning curve and more complex setup
  • Requires more manual configuration and management
  • Less user-friendly for simple local development scenarios

Code Comparison

mkcert:

mkcert example.com "*.example.com" localhost 127.0.0.1 ::1

easy-rsa:

./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server

Key Differences

mkcert is designed for simplicity and ease of use, particularly for local development environments. It automatically handles many aspects of certificate creation and installation, making it ideal for developers who need quick, locally-trusted certificates.

easy-rsa, on the other hand, is a more powerful and flexible tool that provides a complete PKI management solution. It's better suited for production environments, VPN setups, and scenarios where more control over the certificate creation process is required.

While mkcert focuses on creating development certificates with minimal configuration, easy-rsa offers a full suite of PKI management tools, including the ability to create and manage Certificate Authorities, generate various types of certificates, and handle certificate revocation.

letsencrypt logo

boulder

5,173

An ACME-based certificate authority, written in Go.

Pros of boulder

  • Provides publicly trusted certificates for production use
  • Supports automated certificate issuance and renewal
  • Implements the ACME protocol for standardized certificate management

Cons of boulder

  • Complex setup and infrastructure requirements
  • Primarily designed for running a Certificate Authority, not local development
  • Steeper learning curve for individual developers

Code comparison

mkcert:

func installPlatformDependencies() {
    switch runtime.GOOS {
    case "darwin":
        installDarwin()
    case "linux":
        installLinux()
    case "windows":
        installWindows()
    }
}

boulder:

func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, authz core.Authorization, regID int64) (core.Authorization, error) {
    if !authz.IsValid() {
        return core.Authorization{}, berrors.InternalServerError("invalid authorization")
    }
    // ... (additional implementation)
}

Summary

mkcert is a lightweight tool for creating locally-trusted development certificates, while boulder is a comprehensive implementation of a Certificate Authority. mkcert is easier to use for local development, but boulder provides production-ready, publicly trusted certificates. The code snippets highlight the difference in complexity, with mkcert focusing on cross-platform support for local installations, and boulder implementing more complex certificate authority functions.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

mkcert

mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.

$ mkcert -install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox trust store (requires browser restart)! 🦊

$ mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

Created a new certificate valid for the following names 📜
 - "example.com"
 - "*.example.com"
 - "example.test"
 - "localhost"
 - "127.0.0.1"
 - "::1"

The certificate is at "./example.com+5.pem" and the key at "./example.com+5-key.pem" ✅

Chrome and Firefox screenshot

Using certificates from real certificate authorities (CAs) for development can be dangerous or impossible (for hosts like example.test, localhost or 127.0.0.1), but self-signed certificates cause trust errors. Managing your own CA is the best solution, but usually involves arcane commands, specialized knowledge and manual steps.

mkcert automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates. mkcert does not automatically configure servers to use the certificates, though, that's up to you.

Installation

Warning: the rootCA-key.pem file that mkcert automatically generates gives complete power to intercept secure requests from your machine. Do not share it.

macOS

On macOS, use Homebrew

brew install mkcert
brew install nss # if you use Firefox

or MacPorts.

sudo port selfupdate
sudo port install mkcert
sudo port install nss # if you use Firefox

Linux

On Linux, first install certutil.

sudo apt install libnss3-tools
    -or-
sudo yum install nss-tools
    -or-
sudo pacman -S nss
    -or-
sudo zypper install mozilla-nss-tools

Then you can install using Homebrew on Linux

brew install mkcert

or build from source (requires Go 1.13+)

git clone https://github.com/FiloSottile/mkcert && cd mkcert
go build -ldflags "-X main.Version=$(git describe --tags)"

or use the pre-built binaries.

curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
chmod +x mkcert-v*-linux-amd64
sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert

For Arch Linux users, mkcert is available on the official Arch Linux repository.

sudo pacman -Syu mkcert

Windows

On Windows, use Chocolatey

choco install mkcert

or use Scoop

scoop bucket add extras
scoop install mkcert

or build from source (requires Go 1.10+), or use the pre-built binaries.

If you're running into permission problems try running mkcert as an Administrator.

Supported root stores

mkcert supports the following root stores:

  • macOS system store
  • Windows system store
  • Linux variants that provide either
    • update-ca-trust (Fedora, RHEL, CentOS) or
    • update-ca-certificates (Ubuntu, Debian, OpenSUSE, SLES) or
    • trust (Arch)
  • Firefox (macOS and Linux only)
  • Chrome and Chromium
  • Java (when JAVA_HOME is set)

To only install the local root CA into a subset of them, you can set the TRUST_STORES environment variable to a comma-separated list. Options are: "system", "java" and "nss" (includes Firefox).

Advanced topics

Advanced options

	-cert-file FILE, -key-file FILE, -p12-file FILE
	    Customize the output paths.

	-client
	    Generate a certificate for client authentication.

	-ecdsa
	    Generate a certificate with an ECDSA key.

	-pkcs12
	    Generate a ".p12" PKCS #12 file, also know as a ".pfx" file,
	    containing certificate and key for legacy applications.

	-csr CSR
	    Generate a certificate based on the supplied CSR. Conflicts with
	    all other flags and arguments except -install and -cert-file.

Note: You must place these options before the domain names list.

Example

mkcert -key-file key.pem -cert-file cert.pem example.com *.example.com

S/MIME

mkcert automatically generates an S/MIME certificate if one of the supplied names is an email address.

mkcert filippo@example.com

Mobile devices

For the certificates to be trusted on mobile devices, you will have to install the root CA. It's the rootCA.pem file in the folder printed by mkcert -CAROOT.

On iOS, you can either use AirDrop, email the CA to yourself, or serve it from an HTTP server. After opening it, you need to install the profile in Settings > Profile Downloaded and then enable full trust in it.

For Android, you will have to install the CA and then enable user roots in the development build of your app. See this StackOverflow answer.

Using the root with Node.js

Node does not use the system root store, so it won't accept mkcert certificates automatically. Instead, you will have to set the NODE_EXTRA_CA_CERTS environment variable.

export NODE_EXTRA_CA_CERTS="$(mkcert -CAROOT)/rootCA.pem"

Changing the location of the CA files

The CA certificate and its key are stored in an application data folder in the user home. You usually don't have to worry about it, as installation is automated, but the location is printed by mkcert -CAROOT.

If you want to manage separate CAs, you can use the environment variable $CAROOT to set the folder where mkcert will place and look for the local CA files.

Installing the CA on other systems

Installing in the trust store does not require the CA key, so you can export the CA certificate and use mkcert to install it in other machines.

  • Look for the rootCA.pem file in mkcert -CAROOT
  • copy it to a different machine
  • set $CAROOT to its directory
  • run mkcert -install

Remember that mkcert is meant for development purposes, not production, so it should not be used on end users' machines, and that you should not export or share rootCA-key.pem.