mkcert - No config certificate authority tool

Mkcert is go-lang project, which is super easy tool to setup certificate authority without any configuration. Using certificates are inevitable these days, data should be transferred in a secure communication channel. Buying a certificate is expensive and mostly companies buy certificates only for production systems. In Dev setup, if we use self-signed certificate then there will be trust errors. mkcert automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates.

Installation

Follow below steps to setup certificate authority

Mkcert tool can be downloaded directly from git hub project as shown below

curl -o mkcert -L
    'https://github.com/FiloSottile/mkcert/releases/download/v1.1.0/mkcert-v1.1.0-linux-amd64'

In the releases page, downloads are available specific for Windows, MacOS and Linux. Change the mkcert file as executable

chmod +x mkcert

Install the mkcert in your box

./mkcert -install

Once installed the certificate and private key of certificate authority will be available in mkcert root path. Mkcert root path can be found from the below command

./mkcert -CAROOT

Run the mkcert to generate certificate and key from the installed CA with the host names requested in the command. Certificate and keys will be generated with hostnames like localhost.pem and localhost-key.pem, similarly for 127.0.0.1 will be available in current directory.

./mkcert localhost 127.0.0.1

Let's verify how it works?

Now certificate authority is available in your trusted certificate authority store. It can be verified by checking in following path

cd /etc/ssl/certs/
ls | grep -i mkcert

Start a server in SSL mode to have https connectivity. Here we are using nodejs to start simple server. Install the http-server (Prerequisite npm and nodejs should be installed).

 npm install -g http-server

Start the http server with the port and ssl having generated certificate(localhost.pem) and key(localhost-key.pem).

 http-server -p 8080 --ssl --cert localhost.pem --key localhost-key.pem

So now hitting the url( https://localhost:8080 ) through browser or the curl command will show up page with text message saying the server is running in this port. If the server is started with self-signed cert, it will show insecure in the browser.

Mkcert creates certificate authority root certificate and key which has chain of certificate authority linked to let’s encrypt certificate authority. Let’sencyrpt certificate authority is a free, automated and open source certificate authority. It will be the intermediate chain of trust for the certificate authority installed by mkcert. It automatically renews the CA certificate and updates the certificate authority store. To know more about LetsEncrypt, please refer https://letsencrypt.org/docs/

End entity Certificate authority installed when mkcert installed. When mkcert runs with host names, it generates the private key and creates the certificate from the locally installed CA. This certificate used while server startup with ssl mode. When a client access the server, this certificate issued to client which in turn verifies the certificate authority present in the issued certificate. The certificate authority is nothing but installed by mkcert and available in the certificate trust store so handshake happens successfully.

This works well for the local development purpose, integration and security testing. If we are using the self signed certificate, certificate exception has to be accepted or ignored at the automated integration testing or security testing.

Use CA in multiple machines?

The certificate authority is security aspect which doesn’t depend on platforms. Same CA can also be used on Mac / Mobile / Tablet devices.  Root CA can be copied to other machines trust store and run mkcert so it will be common CA for
multiple machines. It might help for distributed system to have common CA instead of having
CA for each node.

Reference:

https://github.com/FiloSottile/mkcert