What is mkcert

For anything in production, you'll be purchasing your SSL certificates from a certificate authority (CA).
For development you do not need to purchase a certificate: mkcert installs a local CA on your machine, and you can have certificates signed by it.

Using mkcert

Ubuntu Linux

1. Create Local CA and sign Server cert using Local CA


// install the local CA
$ mkcert -install

// Generate the private key (key.pem)
// and the cert file (cert.pem)
$ mkcert -key-file key.pem -cert-file cert.pem 127.0.0.1 localhost

// Check cert details
$ openssl x509 -noout -text -in cert.pem
Issuer: O = mkcert development CA, OU = root@Amit, CN = mkcert root@Ami
Subject: O = mkcert development certificate, OU = root@Amit
    

2. Run server and connect https client

curl command

$ cargo run

# curl -vk --http1.1 https://127.0.0.1:8443
*   Trying 127.0.0.1:8443...
* Connected to 127.0.0.1 (127.0.0.1) port 8443
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: O=mkcert development certificate; OU=root@Amit
*  start date: Jan 25 16:28:10 2025 GMT
*  expire date: Apr 25 16:28:10 2027 GMT
*  issuer: O=mkcert development CA; OU=root@Amit; CN=mkcert root@Amit
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 127.0.0.1:8443
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< content-length: 23
< content-type: text/plain
< date: Sat, 25 Jan 2025 16:29:29 GMT
* Connection #0 to host 127.0.0.1 left intact
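
The transcript above completes only because of -k: curl reports verify error (20) and continues anyway. As an added example (not part of the original page), the script below checks cert.pem against the root CA reported by `mkcert -CAROOT` and repeats the request with verification left on; the script name and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate a mkcert-issued dev certificate without curl -k.
# Usage (script name is an assumption):
#   ./check-dev-cert.sh cert.pem 127.0.0.1 https://127.0.0.1:8443

# verify_dev_cert CA_FILE CERT_FILE NAME
# Succeeds only if CERT_FILE verifies with CA_FILE as a trust anchor and
# its subjectAltName covers NAME (an IP literal or a DNS name).
verify_dev_cert() {
    ca=$1 cert=$2 name=$3
    case $name in
        *:*)       opt=-verify_ip ;;        # IPv6 literal
        *[!0-9.]*) opt=-verify_hostname ;;  # DNS name
        *)         opt=-verify_ip ;;        # IPv4 literal
    esac
    openssl verify -CAfile "$ca" "$opt" "$name" "$cert" >/dev/null 2>&1
}

# fetch_verified CA_FILE URL
# Same request as the transcript, but with verification left on: no -k,
# and the mkcert root passed explicitly via --cacert.
fetch_verified() {
    curl --silent --show-error --fail --http1.1 --cacert "$1" \
         --output /dev/null "$2"
}

main() {
    cert=$1 name=$2 url=${3:-}
    # `mkcert -CAROOT` prints the directory that holds rootCA.pem.
    ca="$(mkcert -CAROOT)/rootCA.pem" || return 1
    if ! verify_dev_cert "$ca" "$cert" "$name"; then
        echo "FAIL: $cert is not valid for $name under $ca" >&2
        return 1
    fi
    echo "OK: $cert verifies under $ca and covers $name"
    if [ -n "$url" ]; then
        fetch_verified "$ca" "$url" && echo "OK: verified TLS to $url"
    fi
}

# Run only when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```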
    

Windows

We install mkcert on Windows using Chocolatey.

// Install Chocolatey on Windows
PowerShell (Run as Administrator)
$ Set-ExecutionPolicy Bypass -Scope Process -Force
$ [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
$ choco --version

// Install mkcert via Chocolatey
$ choco install mkcert -y
Deployed to 'C:\ProgramData\chocolatey\lib\mkcert
    

Create the local root CA, then a server cert and key signed by the local root CA


PowerShell (Run as Administrator)
PS C:\Windows\system32> mkcert.exe -install
The local CA is already installed in the system trust store! 👍
Note: Firefox support is not available on your platform. ℹ️
The local CA is now installed in Java's trust store! ☕️

$ mkcert -key-file key.pem -cert-file cert.pem 127.0.0.1 localhost 0.0.0.0
$ cargo run

// Access from browser
https://127.0.0.1:9132