Marc Ziel

Create TLS / SSL Certificates for Local Development

When it comes to TLS certificates, there are a few tools, such as mkcert, that generate them, but I like to proceed with caution.

The safest way would be to use openssl directly, but it is a low-level tool with many options, and it takes specific knowledge to use properly.

The second-best choice is to use a tool recommended by an authority in this area, such as Let's Encrypt, so let's see what they suggest:

If you want a little more realism in your development certificates, you can use minica to generate your own local root certificate, and issue end-entity (aka leaf) certificates signed by it.

So I'm going to use minica here.

The tool itself is very easy to use, but first we need to build it from source (and probably take a look at the source code first). It's written in Go, so we'll use the golang container image:

# ./certs is the dir where we'll store certificates
mkdir -p certs
podman run --rm -it -v "$(pwd)/certs:/certs" golang
# from the container; get the source code
# ('go get' no longer builds binaries in module mode, so we build from the clone):
git clone https://github.com/jsha/minica.git
# build binary file
cd minica && go build
# generate the certificates with the binary we just built
./minica --domains 'localhost,app.test,*.app.test' \
         --ip-addresses 127.0.0.1
# move the certificates to the mounted directory
mv minica.pem localhost/* /certs/
exit

The certificates should now be in the ./certs directory on the host.

Now we can add minica.pem to the browser we use for development. For Chrome-based browsers it's:
Settings -> Security -> Manage certificates -> Authorities

Then we use cert.pem and key.pem to authenticate the development server.

When we exited the golang container, we destroyed it along with every file it contained, most importantly minica.key. This means that we won't be able to generate more certificates signed by this CA, but it also means the key can't fall into the wrong hands, where it might be used against us for nefarious things like spoofing.

This allows us to run our dev server over HTTPS (which means it closely resembles the production environment) without decreasing the overall safety of our development machine.
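
Why the command lists both app.test and *.app.test, as an added example (not part of the original post or of minica's code): this Go program issues a throwaway root and leaf in memory with the same names and IP address, then checks which hosts the leaf verifies for. The function names, the P-256 keys, the root's subject and the one-day validity are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue signs tmpl with the parent's key; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
// checkNames builds a constructed root and a leaf carrying the article's SANs, then reports per host whether the leaf verifies.
func checkNames(names []string) map[string]bool {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na, IsCA: true,
		BasicConstraintsValid: true, Subject: pkix.Name{CommonName: "constructed dev root"}}, nil, nil)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		DNSNames: []string{"localhost", "app.test", "*.app.test"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}, ca, caKey)
	roots, out := x509.NewCertPool(), map[string]bool{}
	roots.AddCert(ca) // only this root is trusted, like importing minica.pem into the browser
	for _, n := range names {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: n})
		out[n] = err == nil
	}
	return out
}
func main() {
	fmt.Println(checkNames([]string{"app.test", "api.app.test", "a.b.app.test", "127.0.0.1", "127.0.0.2"}))
}
```

The wildcard covers exactly one label, so api.app.test verifies and a.b.app.test does not; app.test verifies only because it is listed separately, and 127.0.0.1 only because it is present as an IP address entry.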

Oldest comments (1)

indavidjool

Thanks, very useful article.

Apparently 'go get' has been deprecated for use in module mode, I had to use
'go install github.com/jsha/minica@latest' to make it work.