This article is more than 1 year old

Great, you've moved your website or app to HTTPS. How do you test it? Here's a tool to make local TLS certs painless

Breathe easier knowing you've tested your software properly

A Google cryptoboffin is close to releasing a tool that will hopefully make all of us more secure online.

Now that most web traffic travels over HTTPS and browser features increasingly expect security, developers really should be creating and testing apps in an HTTPS environment.

Doing so requires installing a TLS/SSL certificate locally, but the process isn't as easy as it might be. With a bit of effort, devs can generate their own certificate, self-signed or signed by the local root, and install it. Various online tutorials offers ways to do so. There are also projects like minica that aim to ease the pain.

But it could be easier still, along the lines of Let's Encrypt, a tool that lets websites handle HTTPS traffic through automated certificate issuance and installation.

On Monday, Filippo Valsorda, a cryptographer who works at Google, said he's almost done with his open source project called mkcert, which allows devs to create local certificates without fuss.

That's desirable, says Valsorda, because testing web apps via insecure HTTP can obscure mixed content issues that might break an HTTPS site in production.

Bored cat on computer, photo via Shutterstock

Warning: Malware, rogue users can spy on some apps' HTTPS crypto – by whipping them with a CAT o' nine TLS


"mkcert is a simple by design tool that hides all the arcane knowledge required to generate valid TLS certificates," said Valsorda in a blog post. "It works for any hostname or IP, including localhost, because it only works for you."

Rather than creating a self-signed certificate, mkcert generates certificates signed by the user's private Certificate Authority (CA), a more involved process that's generally better than self-signing if you want to generate multiple certs tied to the CA.

The result is a cert that some browsers still represent with a green padlock icon, though Chrome last year changed how it displays web security.

mkcert works with Linux (Arch, CentOS, Debian, Fedora, RHEL, and Ubuntu), macOS, and Windows, as well as Firefox (macOS and Linux), Chrome and Chromium, and Java. With a few extra steps, it also works with Android and iOS. ®

More about


Send us news

Other stories you might like