Development
mkcert
Create locally trusted TLS/SSL certificates for development.
Additional Notes
mkcert is a simple tool for creating locally trusted TLS certificates. It generates certificates signed by a local certificate authority (CA) that you install into the system trust store, so browsers and tools accept them as valid without security warnings.
It solves the common development problem of HTTPS certificates for localhost, 127.0.0.1, or internal network names. Instead of bypassing browser security warnings or using self-signed certificates, mkcert creates certificates that are fully trusted by your operating system and browser.
Syntax
mkcert [options] domain-or-ip...
Parameters
domain-or-ip: One or more hostnames or IP addresses to include in the certificate (e.g.,localhost,127.0.0.1,dev.local,*.test).
Common Options
-install: Generate and install the local CA certificate into the system trust store.-uninstall: Remove the local CA from the system trust store.-cert-file file: Specify the output path for the certificate file.-key-file file: Specify the output path for the key file.-pkcs12: Generate a PKCS#12 (.p12) file instead of PEM.-client: Generate a client certificate for client authentication.-ecdsa: Generate an ECDSA key instead of RSA.-CAROOT: Print the path to the CA files and exit.
Examples
mkcert -install
Create and install a local CA into the system trust store.
mkcert localhost 127.0.0.1 ::1
Generate a certificate for localhost addresses.
mkcert dev.local "*.dev.local"
Generate a certificate for a development domain and its wildcard.
mkcert -cert-file cert.pem -key-file key.pem example.test
Generate a certificate with custom output filenames.
mkcert -pkcs12 localhost
Generate a certificate in PKCS#12 format (for Java, Windows, etc.).
mkcert -uninstall
Remove the local CA from the system trust store.
mkcert -CAROOT
Show the location of the CA certificate and key files.
Integrating with Development Servers
mkcert localhost
# Creates localhost.pem and localhost-key.pem
# Use these with your server:
# node: https.createServer({ key, cert })
# python: python -m http.server --cert localhost.pem 443
mkcert -install
npm run dev
Many frameworks (Vite, Webpack dev server, etc.) automatically detect mkcert certificates.
Practical Notes
- Run
mkcert -installonce to set up the local CA. This creates and trusts a root CA certificate. - Certificates are generated per-project or per-use. They are valid for 2 years by default.
- The CA root certificate must be installed on each machine that needs to trust the certificates.
- For CI/CD or containers,
mkcertCA setup can be scripted. - Firefox uses its own certificate store;
mkcert -installhandles this automatically ifcertutilis available. - The generated certificate and key files are PEM-encoded and compatible with most servers.