Happy little green certificates
My good friend and colleague Grant Orchard always called me a heathen for not used trusted certificates in my lab and demos. He was right. I was espousing the principals of do as I say not as I do.
So short of running my own CA infrastructure what was I to do? The ever so smart Filippo Valsorda of CloudFlare/Google fame solved this. He wrote mkcert. In his words:
mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.
It is exactly that.
I’ll assume you’re using Homebrew (if you’re not please grab it! The macOS package manager that you need). Just run the following:
Brew install mkcert mkcert -install
If you’re using Firefox as your browser you will need some additional packages.
Brew install nss
Now you’re cooking with gas!
Creating a cert
Lets look below at how straight forward it is to make a certificate trusted by the local machine.
mkcert opsman-01a.corp.local Using the local CA at "/Users/aburke/Library/Application Support/mkcert" Created a new certificate valid for the following names - "opsman-01a.corp.local" The certificate is at "./opsman-01a.corp.local.pem" and the key at "./opsman-01a.corp.local-key.pem"
Being a little spicy
It is possible to copy your rootCA that is stored at
$CAROOT to another machine. This allows it to trust the same certs you’ve generated. This works well for me as I use two machines and want green browser bars. I do forewarn that this is not best practice and this should be done in a lab!
With that said – this in conjunction with trust of the certificate store via iCloud Sync Keychain is a nice combo. Accept a certificate for
log-01a.corp.local on my MacBook and my iMac automatically accepts it.
/Users/aburke/Library/Application\ Support/mkcert/rootCA-key.pem CAROOT="/Users/aburke/Library/Application Support/mkcert" echo $CAROOT /Users/aburke/Library/Application Support/mkcert mkcert -install Using the local CA at "/Users/aburke/Library/Application Support/mkcert"
By default when you run
mkcert -install it looks for the root certification location under
$CAROOT. If this is not populated it will generate a default.
Log Insight and many applications require the certificate chain uploaded. This is the signing cert, the key, and the private key. This can be done by catting the content of the files and piping the output to a new file.
cat log-01a.corp.local.pem log-01a.corp.local-key.pem /Users/aburke/Library/Application\ Support/mkcert/rootCA.pem > log-01a-chain.pem
With that you can easily upload it to your signed certificate.
mkcert provides a very easy to use local CA which you can use for local development, key generation, and test environments. You could even add it to local runtime or automation scripts to generate certificates on the fly. Remember – Don’t use this in production, please!