[HN Gopher] Mkcert: Simple zero-config tool to make locally trusted development certificates
___________________________________________________________________
Mkcert: Simple zero-config tool to make locally trusted development certificates
Author : thunderbong
Score  : 192 points
Date   : 2022-10-29 11:30 UTC (2 days ago)
___________________________________________________________________
| ddoolin wrote:
| I just found this last week when setting up some local network server bits and it was just perfect. Thank you!
| PaulBGD_ wrote:
| We use this with vite-plugin-mkcert to provide https localdev with just the installation of mkcert from homebrew. Wayyyy simpler than any other method of providing localdev https.
| FiloSottile wrote:
| _o/ author here! mkcert is definitely my most popular tool, and it's always a delight to see how it makes developers' lives easier and how happy they are about it <3
|
| Something that I wonder about from time to time is how "done" mkcert is. A lot of its value is in simplicity, so I've rejected attempts to make it more of a toolkit to generate all sorts of certificates (although I see the value in being able to edit the expiration and other fields). The only thing on my TODO is splitting the trust stores out into an importable package for other tools to use. Maybe that will act as a release valve for other use cases.
|
| In a sense, mkcert will never be done because its job is also to keep up with browser requirements for you, but that goes in waves, and not much has changed in the last couple of years. (Unlike the first years of mkcert, when things were really a moving target.) Similarly, it has to keep up with new trust stores and ways to install into them, and we might be overdue for a pass of that, but these are not really new features, just maintenance.
|
| Previously:
|
| _Mkcert: Tool for making locally-trusted development certificates_ -- https://news.ycombinator.com/item?id=17748208 -- Aug 2018 (39 comments)
|
| _Show HN: Mkcert - Valid HTTPS certificates for localhost_ -- https://news.ycombinator.com/item?id=18842218 -- Jan 2019 (118 comments)
| codegeek wrote:
| Thank you for making it and keeping it simple. I agree that the simplicity is what makes it great to use for localhost testing. Big fan of this tool since I found it.
| lifepillar wrote:
| Thanks for this tool! I found it when Apple started enforcing stricter requirements for certificates, and the commands I was using to create certificates at the time had become inadequate. I have since used mkcert to generate dozens of certificates for my local network, which work on any service and device.
|
| The only drawback of mkcert is that it makes you forget the steps needed to make a certificate!
| jzelinskie wrote:
| No matter what I work on and how complex, mkcert is always there for my dev environment. In combination with cert-manager's CA support[0], even TLS for Kubernetes development environments is as simple as it gets.
|
| Thanks Filippo!
|
| [0]: https://cert-manager.io/docs/configuration/ca/
| dainiusse wrote:
| This should be part of openssl :)
| philkuz wrote:
| We use it at Pixie to easily set up certs for our self hosted users. Amazing tool.
| dang wrote:
| Related:
|
| _Serve your local website on HTTPS with mkcert_ - https://news.ycombinator.com/item?id=23653455 - June 2020 (1 comment)
|
| _Show HN: Mkcert - Valid HTTPS certificates for localhost_ - https://news.ycombinator.com/item?id=18842218 - Jan 2019 (115 comments)
|
| _Mkcert: Tool for making locally-trusted development certificates_ - https://news.ycombinator.com/item?id=17748208 - Aug 2018 (38 comments)
| nezirus wrote:
| For local (GUI!) tools I find XCA (https://hohnstaedt.de/xca/) excellent.
| It has a few ready-to-go templates out of the box, and you can make your own.
| KronisLV wrote:
| Personally, I've also had decent experiences with Keystore Explorer: https://keystore-explorer.org/
|
| I actually wrote about using it on my blog, which has plenty of screenshots: https://blog.kronis.dev/tutorials/lets-run-our-own-ca
|
| It's pretty good for having your own simple CA, self-signed certificates or anything of the sort, as well as having a nicer interface for anything that's not one of the ACME providers (e.g. Let's Encrypt) or when you don't need CLI or automation.
| pastage wrote:
| Support for npm, python, emacs, cygwin would be nice. Better yet, run away if someone suggests a custom CA; it is not worth it.
| justin_oaks wrote:
| This says it's not meant for production use.
|
| Does anyone know of something that is meant for production use for generating in-house certificate authorities and signing certificates?
|
| I've used scripts I've written myself that run OpenSSL commands. They get the job done, but they're not the kind of thing that fits all use cases, and they're not user-friendly.
|
| I've tried EasyRSA, which is not particularly easy either. It requires some unexpected use of environment variables, and I didn't find the documentation very clear either.
| NovemberWhiskey wrote:
| Hashicorp Vault is an obvious one. Microsoft Active Directory Certificate Services is another.
|
| If you're looking for a service-oriented offering, maybe think about Keyfactor, Venafi ... do you already have a PKI that you need to integrate with, etc?
| rad_gruchalski wrote:
| cfssl is what I use, usually a root + intermediate CA, and leaf certs; works really well with cert-manager in kubernetes.
|
| https://github.com/cloudflare/cfssl
| groffee wrote:
| Let's Encrypt? https://letsencrypt.org/
| justin_oaks wrote:
| Using an external service as a way of setting up internal-only certificates? No thanks.
| hisnameishank wrote:
| It's not hard to make a CA.
|
| Make a key for your CA, make an SSL key for your server, sign the key with your CA and add the CA to your in-house browser/list of trusted CAs.
| tialaramex wrote:
| Intuitively this seems reasonable, but, as a sense check, I want to put the other side: not necessarily with the goal that you change your mind, but so that you don't end up just doing what was intuitive without weighing the options.
|
| The public CAs are run pretty well, and they have people actually overseeing them to verify that remains so, without you lifting a finger (well, unless you'd like to help oversee them at least). In contrast a local CA is very likely to be poorly run, because it's not really anybody's actual job to do it properly; you can't justify the expense [if you're Google, then, sure, you can justify the expense, but also you are not asking about this on HN] to train them, and they can't afford the time and effort to do their best work.
|
| The public CAs are almost certainly not going to lose their root private key; if bad guys _do_ steal the root key for a CA, it'll make news and also you almost certainly aren't the target. In contrast the root key for your private CA probably lives on somebody's laptop (which can be left on a train) or a server somewhere.
|
| There's good tooling for the public CAs. Your software might already come ready to use ACME, and if it doesn't you will find instructions pretty easily. In contrast, although there are technology stacks for this stuff without the public CA context, they're not as widespread, particularly in Free Software, and you may find that if you need certs for five systems that means five separate tools. Or you do it manually, which sucks.
|
| Everything already trusts the public CAs.
| It's not difficult to tell Mac OS, Windows or even a Linux distro to trust some root CA, but it's an extra step to be done, and if you forget it may be difficult to figure out why things don't work. For some services that's enough, but if you also want BYO devices to work that's a nightmare, likewise for guest devices.
|
| Names will almost certainly leak anyway. If your goal is to hide the fact that secret-project.example.com exists, I _strongly_ recommend instead changing it to some-codename.example.com so that you needn't care much if the name leaks.
|
| None of the above makes _mkcert_ a bad idea - mkcert is for development. But you should weigh this when deciding whether internal-git-server.mycorp.example should just use Let's Encrypt certificates rather than spinning up an internal-only CA.
| [deleted]
| adrienthebo wrote:
| I've had my eye on [step](https://github.com/smallstep/certificates) and [step-ca](https://github.com/smallstep/certificates) for a hot minute; it's production quality and seems much more pleasant than the EasyRSA scripts. Haven't tested it but I'd recommend that as a place to start tinkering.
| sreevisakh wrote:
| You could use XCA [1] for small scale deployments, or step-ca [2] for a more comprehensive setup.
|
| [1] https://www.hohnstaedt.de/xca/
|
| [2] https://smallstep.com/docs/step-ca
| [deleted]
| CSDude wrote:
| We use it at our company. Also in CI. Because it's much more straightforward and everyone can understand what it does. Glad it exists.
| hk1337 wrote:
| Is this really needed for the "localhost" name? I understand the need for this because a lot of people create multiple local services with specific names other than localhost, so it would be flagged as not being secure?
| codegeek wrote:
| It has use cases for localhost. For example, testing Secure Cookies locally that can only be transmitted over https.
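Editor's note: the four steps hisnameishank lists above (CA key, server key, sign, trust the CA) and the localhost question from hk1337 and codegeek, carried out in Go's standard crypto/x509, the library mkcert itself is written against. This is an added example, not code from the mkcert project or from anyone in the thread. The type and function names (DevPKI, NewDevPKI, VerifyServer, VerifyCodeSigning, TrustedBySystem), the organisation strings, the host names (app.test, evil.test) and the validity periods are assumptions made for the example. It also goes one step beyond the thread: the leaf is issued with the serverAuth extended key usage only, so verifying it for code signing fails, which bears on generalizations's later question about reusing these certificates to sign Windows binaries. Whether mkcert's own output carries exactly that EKU is something to check on a generated certificate (for instance with `openssl x509 -text -noout`), not something assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// DevPKI is an in-memory development CA plus one server ("leaf") certificate; all names are made up.
type DevPKI struct {
	CACert, Leaf   *x509.Certificate
	CAKey, LeafKey *ecdsa.PrivateKey
}

// NewDevPKI does the first three steps from the thread (CA key and self-signed CA cert, server key,
// signed server cert for the given names and IPs); the fourth, trusting the CA, is what the methods below show.
func NewDevPKI(dnsNames []string, ips []net.IP, validDays int) (*DevPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"dev CA (example)"}, CommonName: "dev CA (example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		MaxPathLenZero:        true, // pathLenConstraint 0: may issue leaves, never a sub-CA
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial: clients reject a serial reused under the same issuer.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{"dev certificate (example)"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, validDays),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // a TLS server cert and nothing else
		DNSNames:     dnsNames,                                        // clients match the SAN extension, not the CN
		IPAddresses:  ips,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &DevPKI{CACert: caCert, Leaf: leaf, CAKey: caKey, LeafKey: leafKey}, nil
}

// verify is what a client that trusts the dev CA does: chain to the CA, match host against the SANs, require eku.
func (p *DevPKI) verify(host string, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CACert)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// VerifyServer succeeds only for the names and IPs the leaf was issued for.
func (p *DevPKI) VerifyServer(host string) error { return p.verify(host, x509.ExtKeyUsageServerAuth) }

// VerifyCodeSigning always fails for this leaf: it carries serverAuth, not codeSigning.
func (p *DevPKI) VerifyCodeSigning(host string) error { return p.verify(host, x509.ExtKeyUsageCodeSigning) }

// TrustedBySystem checks against the OS trust store instead; until the CA is installed there
// (the step mkcert -install automates) this returns an unknown-authority error.
func (p *DevPKI) TrustedBySystem(host string) error {
	_, err := p.Leaf.Verify(x509.VerifyOptions{DNSName: host})
	return err
}

func main() {
	p, err := NewDevPKI([]string{"localhost", "app.test"}, []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}, 90)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"localhost", "::1", "evil.test"} {
		fmt.Println(h, "| serverAuth:", p.VerifyServer(h), "| codeSigning:", p.VerifyCodeSigning(h), "| system roots:", p.TrustedBySystem(h))
	}
}
```

Run it with `go run` and the last column stays an unknown-authority error on every host: that is the "add the CA to your list of trusted CAs" step, which nothing in the program can do for you and which mkcert -install performs against the browser and OS stores. The CA private key in CAKey only ever lives in process memory here; tialaramex's point about where a private CA's root key ends up applies the moment you write it to disk.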
| generalizations wrote:
| Dumb question alert; can these certs be repurposed to sign windows binaries for running locally?
|
| Depending on the environment, windows can be set to prohibit executing anything that isn't signed... which is annoying on a dev machine building windows executables.
| jackewiehose wrote:
| > windows can be set to prohibit executing [...] on a dev machine building windows executables
|
| lol @ "dev machine" ?!
| chrsig wrote:
| seriously useful tool, i've never had setting up locally trusted certs be any easier.
| samgranieri wrote:
| I really enjoy this tool making it easier, combined with dnsmasq and nginx, to spin things up in whatever custom local tld I want with a secure and trusted development certificate.
| azornathogron wrote:
| I've used this in the past and it has been very convenient! Thanks Filippo!
|
| Having said that, nowadays I just bring up a local caddy instance and use that. Caddy can set up and use a local CA for development/testing [1]. In my case I'm using caddy on my little public-facing hobby server anyway, so it's convenient to have a similar setup in local dev. If I cared about actually getting at & directly using the certificates myself I'd probably go back to mkcert.
|
| [1] https://caddyserver.com/docs/automatic-https#local-https
___________________________________________________________________
(page generated 2022-10-31 23:00 UTC)