mkcert for Local TLS
Local development TLS without certificate fights.
Install
mkcert is a tool for generating locally trusted TLS certificates. Engineers developing applications that require HTTPS use it to enable HTTPS in local development without security warnings.
What installation provides:
- mkcert -install adds a local CA to system trust: The command creates a local certificate authority and installs it in the system's trust store. The browser then trusts the CA, so certificates issued by it are valid.
- One-time setup per workstation: Installation happens once. Subsequent certificate generation uses the already-installed CA.
- Per-OS handling: mkcert handles platform differences. The macOS Keychain, the Windows certificate store, and the Linux trust store are all handled, so behavior is consistent across platforms.
- Browser-specific: Some browsers maintain their own trust stores. mkcert handles Firefox; other browsers may need additional configuration.
- Per-engineer CA: Each engineer's mkcert CA is their own. Certificates it issues work on that engineer's machine and are not shared across the team.
Installation is a bounded, one-time task. The team's development environment setup includes mkcert.
Usage
Once installed, mkcert generates certificates on demand, so creating a certificate for local development is fast.
- mkcert example.test generates a cert for the local domain: The command produces certificate and key files for the specified domain. The files can be used immediately.
- Signed by your local CA: The certificate is signed by the locally trusted CA. The browser accepts it without security warnings, so HTTPS works.
- Trusted by your browser: The browser's trust store includes the mkcert CA, so the certificate is trusted automatically.
- Multiple SANs: mkcert supports multiple domain names per certificate. localhost, *.example.test, and 127.0.0.1 can all be in one cert, which accommodates complex setups.
- Standard formats: The output is in standard formats that web servers and application frameworks consume, so it integrates with existing tooling.
Usage is fast: setting up HTTPS takes the engineer little effort.
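An added example (not from the original page or the mkcert project) for the "Multiple SANs" point: it checks which local hostnames a planned name list actually covers, since a wildcard stands for one label only and an IP entry matches only that address. The function names and the host list are hypothetical, and the matching is a simplified model of browser hostname validation.

```python
"""Added example: check which dev hostnames a planned mkcert name list covers."""
import ipaddress
import shlex


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def san_covers(san, host):
    """Return True if one SAN entry matches the host a browser connects to."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if _is_ip(san) or _is_ip(host):
        # IP SANs match only the identical address, never a DNS name.
        return _is_ip(san) and _is_ip(host) and (
            ipaddress.ip_address(san) == ipaddress.ip_address(host))
    if san.startswith("*."):
        # A wildcard stands for exactly one left-most label:
        # *.example.test matches api.example.test, but not example.test
        # and not a.b.example.test.
        first, _, rest = host.partition(".")
        return bool(first) and rest == san[2:]
    return san == host


def uncovered_hosts(sans, hosts):
    """List the hosts that no SAN entry covers, in input order."""
    return [h for h in hosts if not any(san_covers(s, h) for s in sans)]


# Constructed sample: the SAN list from the text plus hosts a dev setup might use.
SANS = ["localhost", "*.example.test", "127.0.0.1"]
HOSTS = ["localhost", "api.example.test", "example.test",
         "a.b.example.test", "127.0.0.1", "::1"]

if __name__ == "__main__":
    missing = uncovered_hosts(SANS, HOSTS)
    print("not covered:", missing)
    # Names to pass to mkcert so every listed host validates (quoted for the shell).
    print("mkcert " + " ".join(shlex.quote(n) for n in SANS + missing))
```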
When
mkcert is reached for when local HTTPS is needed. OAuth callbacks, secure cookies, and browser features that require HTTPS all benefit.
- Local dev requiring HTTPS: Applications that need HTTPS in development benefit. The result is a realistic local environment that matches production.
- OAuth callbacks: OAuth providers often require HTTPS for callbacks. With mkcert, local OAuth integration testing works.
- Secure cookies: Cookies marked Secure only flow over HTTPS. Local development of cookie-using applications requires HTTPS; mkcert provides it.
- Avoids insecure-connection browser warnings: Without mkcert, self-signed certificates produce browser warnings. Engineers ignore the warnings, which trains bad habits. mkcert eliminates the warnings.
- Don't use in production: mkcert is for development. Production uses real certificates from Let's Encrypt or similar.
mkcert for local TLS is one of those development tooling skills that pays off whenever development requires HTTPS. Nova AI Ops integrates with development tooling, surfaces patterns, and supports the team's local development discipline.