Hello folks, welcome to this very tutorial on how to create locally-trusted development SSL certificates on Ubuntu 18.04 using the mkcert utility.
mkcert is a simple zero-config tool that is used to make locally trusted development certificates. It automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates.
Using certificates from real certificate authorities (CAs) for development can be dangerous or impossible (for hosts like localhost
or 127.0.0.1
), but self-signed certificates cause trust errors. Managing your own CA is the best solution, but usually involves arcane commands, specialized knowledge and manual steps, but not any more with the availability of mkcert utility.
Without much theory, let us have a look how mkcert can help you on this.
Installing mkcert
Install Certutil
As a prerequisite, you are required to install certutil, a command-line utility that can create and modify certificate and key databases before you can install mkcert utility.
# apt install libnss3-tools -y
Install mkcert
Once the installation of certutil is done, download the mkcert binary from Github and install it as shown below
# wget https://github.com/FiloSottile/mkcert/releases/download/v1.1.2/mkcert-v1.1.2-linux-amd64 # mv mkcert-v1.1.2-linux-amd64 mkcert # chmod +x mkcert # cp mkcert /usr/local/bin/
Generate Local CA
Now that the mkcert utility is installed, run the command below to generate your local CA.
$ mkcert -install Created a new local CA at "/home/amos/.local/share/mkcert" ? The local CA is now installed in the system trust store! ⚡️ The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)! ?
As shown in the output, the root CA is stored under /home/amos/.local/share/mkcert. You can as well find the root CA path by running the command below.
$ mkcert -CAROOT /home/amos/.local/share/mkcert
Generate Local SSL Certificates
Now that you have your local CA, run the command below to generate local SSL certificates.
$ sudo mkcert example.com '*.example.com' localhost 127.0.0.1 ::1 Using the local CA at "/home/amos/.local/share/mkcert" ✨ Created a new certificate valid for the following names ? - "example.com" - "*.example.com" - "localhost" - "127.0.0.1" - "::1" The certificate is at "./example.com+4.pem" and the key at "./example.com+4-key.pem" ✅
Enable the Certificates for the Apache Web Server
The certificates are now installed and it is time to enable your webserver to use them.
To configure Apache to use these certificates, edit the default ssl configuration file, /etc/apache2/sites-available/default-ssl.conf and change the SSL certificate and key file to point to the locally generated cert and key file above. See the example below.
# vim /etc/apache2/sites-available/default-ssl.conf ... SSLCertificateFile /home/amos/example.com+4.pem SSLCertificateKeyFile /home/amos/example.com+4-key.pem ...
Enable Apache to use SSL by loading the ssl modules;
# a2enmod ssl # a2ensite default-ssl.conf
Reload and restart Apache to activate the new configuration
# systemctl reload apache2 # systemctl restart apache
Navigate to the browser and try to access your domain.
Enable the Certificates for Nginx Web Server
Create your web page configuration as shown below.
# vim /etc/nginx/sites-available/example.com
server { listen 80; listen 443 ssl; ssl on; ssl_certificate /home/amos/example.com+4.pem; ssl_certificate_key /home/amos/example.com+4-key.pem; server_name example.com; location / { root /var/www/html/example; index index.html; } }
Verify that the configuration has no error.
# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart Nginx
# systemctl restart nginx
Navigate to the browser and test your ssl for your domain.
Well, seems upto that far everything is fine. You have successfully created your locally trusted SSL certificates. Happy development!!