In the last few years Google has been actively promoting, and increasingly mandating, a move to a secure web. However, HTTPS apps and websites require TLS certificates, and while deployment is increasingly a solved problem thanks to Let’s Encrypt and its ACME protocol, development still mostly happens over HTTP: no one can get a universally valid certificate for localhost, and it is dangerous or impossible to use certificates from Certificate Authorities for localhost or 127.0.0.1. Using self-signed certificates is equally not recommended, as they cause trust errors in the browser.
mkcert is a simple tool for making locally-trusted development certificates, and it requires no configuration. It works for any hostname or IP, including localhost.
mkcert solves this by issuing certificates that are signed by your own private CA. It automatically creates a local CA, installs it in the system root store, and generates locally-trusted certificates signed by that CA. So when your browser loads a certificate generated by your instance of mkcert, it shows up with a green lock!
The downside to this approach is that modifying the trust anchors normally requires root privileges, and the guarantee that requirement provides is effectively removed. mkcert undoes this boundary by opening a “shortcut” through which any code on the machine can mint trusted certificates for any domain (such as internet banking). On the other hand, Let’s Encrypt’s ACME protocol has already removed much of that boundary, because it issues certificates with no verification other than proving that the requester has access to the domain named in the issuance request.