LinuxCommandLibrary

mkcert

Create locally trusted development certificates

TLDR

Install the local CA in the system trust store

$ mkcert -install

Generate certificate and private key for a given domain
$ mkcert [example.org]

Generate certificate and private key for multiple domains
$ mkcert [example.org] [myapp.dev] [127.0.0.1]

Generate wildcard certificate and private key for a given domain and its subdomains
$ mkcert "[*.example.it]"

Uninstall the local CA
$ mkcert -uninstall

SYNOPSIS

mkcert [-install]
mkcert [-uninstall]
mkcert [-CAROOT <path>] [-ecdsa] [-key-file <file>] [-cert-file <file>] <domain> [<domain>...]
mkcert [-help]
mkcert [-version]

PARAMETERS

<domain> [<domain>...]
    Specifies one or more domain names or IP addresses (e.g., localhost, 127.0.0.1, myapi.dev) for which the certificate will be generated.

-install
    Installs the mkcert local CA into the system trust store(s). This command usually needs to be run once initially to set up trust.

-uninstall
    Uninstalls the mkcert local CA from the system trust store(s), removing its trust.

-CAROOT
    Specifies an alternative directory where the local CA files (private key and certificate) will be stored. Defaults to a standard location in the user's home directory.

-key-file
    Specifies the output path where the generated private key for the certificate will be saved. If not provided, a file named <domain>+<N>-key.pem will be created in the current directory.

-cert-file
    Specifies the output path where the generated certificate will be saved. If not provided, a file named <domain>+<N>.pem will be created in the current directory.

-ecdsa
    Generates an ECDSA (Elliptic Curve Digital Signature Algorithm) private key and certificate instead of the default RSA. ECDSA keys are generally smaller and faster.

-help
    Displays detailed usage information and a list of all available options for mkcert.

-version
    Displays the current version of the mkcert utility.

DESCRIPTION

mkcert is a simple, zero-config tool designed for creating locally trusted SSL/TLS certificates for development. It automates the complex process of setting up HTTPS for local environments, eliminating browser security warnings like "Not Secure" or "Your connection is not private."

When first run, mkcert automatically creates a unique local Certificate Authority (CA) and installs it into the operating system's trust store, as well as common browsers like Firefox, Chrome, Safari, and Edge. This one-time setup ensures that any certificates subsequently generated by mkcert are trusted by your local machine and its applications.

Developers can then use mkcert to generate valid, trusted certificates for localhost, 127.0.0.1, custom domains, or even wildcard domains (e.g., *.dev.test) without needing to manually deal with OpenSSL commands or intricate trust store configurations. It's cross-platform, working seamlessly on Linux, macOS, and Windows, making it an indispensable tool for modern web development.

CAVEATS

mkcert is specifically designed for local development and testing environments. Certificates generated are not intended for public-facing production servers and will not be trusted by clients outside your local machine.

The -install and -uninstall commands may require administrator privileges (e.g., using sudo on Linux) to modify system-wide trust stores.

While mkcert tries to install the CA into common browser trust stores, some applications or specific configurations might require manual import of the CA certificate.

LOCAL CERTIFICATE AUTHORITY (CA)

Upon first execution of mkcert -install, mkcert generates a unique private Certificate Authority (CA) on your machine. This CA acts as your personal root of trust. It is then installed into your system's and browsers' trust stores, so every certificate signed by this CA is considered valid and trusted by your local environment and no longer triggers browser security warnings. For the same reason, the CA's private key should stay on the machine that generated it: whoever holds it can issue certificates that this machine trusts.

WILDCARD AND MULTI-DOMAIN CERTIFICATES

mkcert supports generating certificates for multiple domain names and IP addresses simultaneously (e.g., mkcert localhost example.com 192.168.1.1). It also allows for the creation of wildcard certificates (e.g., mkcert '*.dev.test'), which can secure all subdomains under a specified domain with a single certificate, making it highly flexible for complex development setups.
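
How far a wildcard name reaches is decided by the client's hostname matching, where a `*` stands for exactly one DNS label. The Go program below is an added example, not mkcert's own code: it builds a throwaway CA and leaf certificate with the standard library (the helper names `must`, `issueLeaf` and `covers` and all certificate subjects are constructed for illustration) and reports which hostnames a client trusting that CA would accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo only: abort on key-generation or encoding failure
	}
	return v
}

// issueLeaf returns a leaf for dnsNames and a pool trusting only its throwaway CA (constructed data).
func issueLeaf(dnsNames ...string) (*x509.Certificate, *x509.CertPool) {
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed dev CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed leaf"},
		NotBefore: caT.NotBefore, NotAfter: caT.NotAfter, DNSNames: dnsNames,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey))))
	leafDER := must(x509.CreateCertificate(rand.Reader, leafT, ca, &leafKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return must(x509.ParseCertificate(leafDER)), roots
}

// covers reports whether a client trusting only roots accepts leaf for host.
func covers(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	leaf, roots := issueLeaf("*.example.it", "localhost")
	for _, h := range []string{"a.example.it", "example.it", "a.b.example.it", "localhost"} {
		fmt.Printf("%-15s accepted=%v\n", h, covers(leaf, roots, h))
	}
}
```

To serve both `example.it` and its subdomains from one certificate, list the bare domain and the wildcard together as separate names when generating it.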

CROSS-PLATFORM COMPATIBILITY

One of mkcert's key strengths is its seamless operation across different operating systems. It functions identically on Linux, macOS, and Windows, abstracting away the underlying differences in trust store management. This ensures a consistent development experience regardless of the host environment.

HISTORY

mkcert was created and open-sourced in 2018 by Filippo Valsorda, a cryptographer and Go developer working at Google. Its primary motivation was to address the common pain point of setting up trusted HTTPS for local development, which historically involved complex OpenSSL commands and manual certificate management. Valsorda designed mkcert to be a simpler, more user-friendly alternative, leveraging Go's robust standard library for cryptography. It quickly gained popularity among developers for its ease of use and cross-platform compatibility, establishing itself as a de facto standard for local HTTPS setup.

SEE ALSO

openssl(1), certbot(1), keytool(1)
