How to Create Locally Trusted SSL Certificates with mkcert on Ubuntu 18.04


Hello folks, welcome to this tutorial on how to create locally trusted development SSL certificates on Ubuntu 18.04 using the mkcert utility.

mkcert is a simple zero-config tool that is used to make locally trusted development certificates. It automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates.

Using certificates from real certificate authorities (CAs) for development can be dangerous or impossible (for hosts like localhost or 127.0.0.1), while self-signed certificates cause trust errors. Managing your own CA is the best solution, but it usually involves arcane commands, specialized knowledge and manual steps. With mkcert, that is no longer the case.

Without much theory, let us have a look at how mkcert can help with this.

Installing mkcert

Install Certutil

As a prerequisite, install certutil, a command-line utility that can create and modify certificate and key databases, before you install mkcert.

# apt install libnss3-tools -y

Install mkcert

Once certutil is installed, download the mkcert binary from GitHub and install it as shown below.

# wget https://github.com/FiloSottile/mkcert/releases/download/v1.1.2/mkcert-v1.1.2-linux-amd64
# mv mkcert-v1.1.2-linux-amd64 mkcert
# chmod +x mkcert
# cp mkcert /usr/local/bin/

Generate Local CA

Now that the mkcert utility is installed, run the command below to generate your local CA.

$ mkcert -install
Created a new local CA at "/home/amos/.local/share/mkcert" 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)! 🦊

As shown in the output, the root CA is stored under /home/amos/.local/share/mkcert. You can also find the root CA path by running the command below.

$ mkcert -CAROOT
/home/amos/.local/share/mkcert

Generate Local SSL Certificates

Now that you have your local CA, run the command below to generate local SSL certificates.

$ sudo mkcert example.com '*.example.com' localhost 127.0.0.1 ::1
Using the local CA at "/home/amos/.local/share/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "example.com"
 - "*.example.com"
 - "localhost"
 - "127.0.0.1"
 - "::1"

The certificate is at "./example.com+4.pem" and the key at "./example.com+4-key.pem" ✅

Enable the Certificates for the Apache Web Server

The certificates are now installed and it is time to enable your webserver to use them.

To configure Apache to use these certificates, edit the default SSL configuration file, /etc/apache2/sites-available/default-ssl.conf, and change the SSL certificate and key file directives to point to the locally generated certificate and key files above. See the example below.

# vim /etc/apache2/sites-available/default-ssl.conf
...
SSLCertificateFile /home/amos/example.com+4.pem
SSLCertificateKeyFile /home/amos/example.com+4-key.pem
...

Enable SSL in Apache by loading the ssl module and enabling the default SSL site:

# a2enmod ssl
# a2ensite default-ssl.conf

Reload and restart Apache to activate the new configuration.

# systemctl reload apache2
# systemctl restart apache2

Navigate to the browser and try to access your domain.

Enable the Certificates for Nginx Web Server

Create your web page configuration as shown below.

# vim /etc/nginx/sites-available/example.com
server {
    listen 80;
    # TLS is enabled only on this listener by its ssl parameter; port 80 stays plain HTTP
    listen 443 ssl;

    ssl_certificate /home/amos/example.com+4.pem;
    ssl_certificate_key /home/amos/example.com+4-key.pem;

    server_name example.com;
    location / {
        root /var/www/html/example;
        index index.html;
    }
}

Verify that the configuration has no errors.

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx

# systemctl restart nginx

Navigate to the browser and test SSL for your domain.

Well, everything seems fine up to this point. You have successfully created your locally trusted SSL certificates. Happy development!!
