Happy little green certificates

My good friend and colleague Grant Orchard always called me a heathen for not using trusted certificates in my lab and demos. He was right. I was espousing the principle of "do as I say, not as I do".

So short of running my own CA infrastructure what was I to do? The ever so smart Filippo Valsorda of CloudFlare/Google fame solved this. He wrote mkcert. In his words:

mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.

It is exactly that.


I’ll assume you’re using Homebrew (if you’re not, please grab it! It is the macOS package manager that you need). Just run the following:

brew install mkcert
mkcert -install

If you’re using Firefox as your browser you will need some additional packages.

brew install nss

Now you’re cooking with gas!

Creating a cert

Let’s look below at how straightforward it is to make a certificate trusted by the local machine.

mkcert opsman-01a.corp.local
Using the local CA at "/Users/aburke/Library/Application Support/mkcert" 

Created a new certificate valid for the following names 
 - "opsman-01a.corp.local"

The certificate is at "./opsman-01a.corp.local.pem" and the key at "./opsman-01a.corp.local-key.pem" 

Pivotal ops man

Being a little spicy

It is possible to copy the root CA that is stored at $CAROOT to another machine. This allows that machine to trust the same certs you’ve generated. This works well for me as I use two machines and want green browser bars. I do forewarn that this is not best practice and should only be done in a lab!

With that said – this in conjunction with trust of the certificate store via iCloud Sync Keychain is a nice combo. Accept a certificate for log-01a.corp.local on my MacBook and my iMac automatically accepts it.


/Users/aburke/Library/Application\ Support/mkcert/rootCA-key.pem

export CAROOT="/Users/aburke/Library/Application Support/mkcert"

echo $CAROOT
/Users/aburke/Library/Application Support/mkcert

mkcert -install

Using the local CA at "/Users/aburke/Library/Application Support/mkcert"

By default, when you run mkcert -install it looks for the root CA in the location given by $CAROOT. If this is not populated it will generate a default.

Generating Chains

Log Insight and many other applications require the certificate chain to be uploaded. This is the server certificate, its private key, and the root CA certificate. This can be done by catting the contents of the files and redirecting the output to a new file.

cat log-01a.corp.local.pem log-01a.corp.local-key.pem /Users/aburke/Library/Application\ Support/mkcert/rootCA.pem > log-01a-chain.pem

With that you can easily upload it as your signed certificate.

Signed certificate
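
The bundle built above contains the server's private key, and rootCA-key.pem sits in the same directory as rootCA.pem, so it is worth checking the file before uploading it. The following is an added example, not part of the original post or of mkcert: check_bundle, pem_labels, pem_key_body and make_pem are hypothetical helper names, and the sample PEM files are constructed with fake bodies.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): vet a cat-built PEM bundle.

# Labels of every PEM block in file order, comma-joined.
pem_labels() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ','; }

# Base64 body lines of every private-key block in the file.
pem_key_body() {
  awk '/^-----BEGIN .*PRIVATE KEY-----$/ {k=1; next}
       /^-----END .*PRIVATE KEY-----$/   {k=0; next}
       k && NF' "$1"
}

# check_bundle BUNDLE CA_KEY -> 0 ok, 1 wrong layout, 2 CA key inside, 3 loose perms
check_bundle() {
  local bundle="$1" ca_key="$2"
  # rootCA-key.pem sits beside rootCA.pem; catting the wrong file leaks the CA key.
  if pem_key_body "$ca_key" | grep -qxFf - "$bundle"; then return 2; fi
  # Expect the order used in the post: server cert, server key, root CA cert.
  case "$(pem_labels "$bundle")" in
    "CERTIFICATE,PRIVATE KEY,CERTIFICATE,") ;;
    "CERTIFICATE,RSA PRIVATE KEY,CERTIFICATE,") ;;
    "CERTIFICATE,EC PRIVATE KEY,CERTIFICATE,") ;;
    *) return 1 ;;
  esac
  # The bundle holds the server private key: group/other should have no access.
  [ "$(ls -ld "$bundle" | cut -c5-10)" = "------" ] || return 3
  return 0
}

# Constructed sample PEM files (fake base64 bodies, not real keys or certificates).
make_pem() { printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----"; }

demo() {
  local d f rc out=""
  d=$(mktemp -d) || return 1
  make_pem CERTIFICATE   "TEVBRkNFUlQ=" > "$d/leaf.pem"
  make_pem "PRIVATE KEY" "TEVBRktFWQ==" > "$d/leaf-key.pem"
  make_pem CERTIFICATE   "Q0FDRVJU"     > "$d/rootCA.pem"
  make_pem "PRIVATE KEY" "Q0FLRVk="     > "$d/rootCA-key.pem"
  (umask 077; cat "$d/leaf.pem" "$d/leaf-key.pem" "$d/rootCA.pem"     > "$d/good.pem")
  (umask 022; cat "$d/leaf.pem" "$d/leaf-key.pem" "$d/rootCA.pem"     > "$d/loose.pem")
  (umask 077; cat "$d/leaf.pem" "$d/leaf-key.pem" "$d/rootCA-key.pem" > "$d/leak.pem")
  for f in good loose leak; do
    rc=0; check_bundle "$d/$f.pem" "$d/rootCA-key.pem" || rc=$?
    out="$out$f=$rc "
  done
  rm -rf "$d"; echo "$out"
}
demo
```

Running the cat command under `umask 077` is what gives the "good" result; a plain redirect under the usual 022 umask leaves the bundle, private key included, readable by other local users.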

In summary

mkcert provides a very easy to use local CA which you can use for local development, key generation, and test environments. You could even add it to local runtime or automation scripts to generate certificates on the fly. Remember – Don’t use this in production, please!
