Configuring self-signed SSL certificates for local development

Sometimes it’s preferible to keep your local development environment as close to production as possible.

In this post I’ll cover how to configure self-signed SSL certificates using a project called mkcert which makes creating, installing and removing self-signed certificates easier than ever.

The instructions are slightly different depending on your local environment:

• Common
• WSL2
• Firefox on Windows

Common

The first thing you will need is to install mkcert which can be done via homebrew or homebrew for Linux.

$ brew install mkcert

If you intend to use Firefox, you should also install nss.

$ brew install nss

Next run mkcert and pass in the the domain names and IPs you want the certificate to include:

$ mkcert mywebsite.test localhost 127.0.0.1 ::1

Created a new certificate valid for the following names 📜
 - "mywebsite.test"
 - "localhost"
 - "127.0.0.1"
 - "::1"

The certificate is at "./mywebsite.test+3.pem" and the key at "./mywebsite.test+3-key.pem" ✅

It will expire on 7 September 2023

mkcert also accepts wildcards but some browsers (Firefox) will not accept those certificates.

After the certificates are generated we can install the local CA by running mkcert with the install flag. This only needs to be done once as this CA will be used to sign all future certificates generated with mkcert.

$ mkcert -install

If this is you first time installing certificates using mkcert you should see the following output:

The local CA is now installed in the system trust store! ⚡️
# or...
The local CA is already installed in the system trust store! 👍

At this point your can use your generated certificates with your development server.

Flask

$ flask run --cert=mywebsite.test+3.pem --key=mywebsite.test+3-key.pem

Rails

$ rails s -b 'ssl://127.0.0.1:3000?key=mywebsite.test+3-key.pem&cert=mywebsite.test+3.pem'

WSL2

If you’re running the WSL2 then there are few extra steps in order to get the Windows 10 host to accept the validity of the certificates.

First we want to install mkcert on Windows which we can do using chocolatey.

Open a Powershell terminal using the administrator user and run:

$ choco install mkcert

Then run mkcert with the install flag like we did before:

# first set the CAROOT path to point to the root CA we generated on WSL2
# you can get this directory by running mkcert -CAROOT from a WSL2 terminal
# if we don't do this it will install a different root CA and we will get warnings
$CAROOT="\\wsl$\Ubuntu\home\ashley\.local\share\mkcert\"
$ mkcert -install
The local CA is now installed in the system trust store! ⚡️
Note: Firefox support is not available on your platform. ℹ️

You should see a popup like the one below. Click “Yes” to install the CA on the Windows 10 host.

Firefox on Windows

After that’s installed let’s fix Firefox so it doesn’t complain that our certs are invalid.

To do that open the Firefox browser and navigate to the settings and search for certificates:

Click on “View Certificates”

Next click on “Import”. We want to locate the root CA from our Linux instance. Mine was located here but yours will be different depending on your WSL2 linux distro:

\\wsl$\Ubuntu\home\ashley\.local\share\mkcert\rootCA.pem

Once installed you will see your local CA in the list of Authorities:

Now if we visit our local development server in Firefox on our Windows host we should see the page load without any warnings.

Firefox

Edge

Chrome