When it comes to TLS certificates, there are a few tools such as mkcert to generate them, but I like to proceed with caution. The safest way would be to use openssl directly, but it is a low-level tool with many options that requires specific knowledge to use properly.

The second-best choice is to use the tool recommended by an authority in this area, such as Let's Encrypt, so let's see what they suggest:

"If you want a little more realism in your development certificates, you can use minica to generate your own local root certificate, and issue end-entity (aka leaf) certificates signed by it."

So I'm going to use minica here.
The tool itself is very easy to use, but first we need to build it from source (and probably take a look at the source code first). It's written in Go, so we'll use the golang container image:
```shell
# ./certs is the dir on the host where we'll store the certificates;
# podman needs it to exist before it can be bind-mounted (add :Z on SELinux hosts)
mkdir -p certs
podman run --rm -it -v "$(pwd)/certs:/certs" golang
# from the container; install the binary into /go/bin (on PATH in this image).
# 'go get' no longer installs tools in module mode, so use 'go install' instead
go install github.com/jsha/minica@latest
# also fetch the source so it can be reviewed and built by hand
git clone https://github.com/jsha/minica.git
# build binary file
cd minica && go build
# generate the root CA (minica.pem plus its private key) and a leaf cert for the listed names;
# the leaf ends up in a directory named after the first domain, here ./localhost/
minica --domains 'localhost,app.test,*.app.test' \
    --ip-addresses 127.0.0.1
# move only the root certificate and the leaf cert/key to the mounted directory;
# the CA private key stays behind and is destroyed together with the container
mv minica.pem localhost/* /certs/
exit
```
The certificates should now be in the ./certs directory on the host.

Now we can add minica.pem to the browser we use for development. For Chrome-based browsers it's: Settings -> Security -> Manage certificates -> Authorities. Then use cert.pem and key.pem as the certificate and private key of the development server.
When we exited the golang container we destroyed it along with every file it contained, in particular the CA private key, minica.key. This means that we won't be able to generate more certificates signed by this CA, but if that file fell into the wrong hands it could be used against us for nefarious things like spoofing.

This lets us run our dev server on https (which means it closely resembles the production environment) without decreasing the overall safety of our development machine.
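As an added example (not from the post, and not minica's own code), the following Go program performs the check a browser makes once minica.pem is trusted, and one it does not: the leaf must not itself be a CA, because with the CA key gone, key.pem on the dev server is the only secret left and must not be able to mint further trusted certificates. To run offline it builds a constructed root and leaf in memory with the same SANs as the minica command above instead of reading ./certs; VerifyDevCert and ConstructedPair are names of my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"time"
)

// VerifyDevCert repeats the browser's check once minica.pem is trusted: chain the leaf to that root, match host against its SANs.
func VerifyDevCert(caPEM, leafPEM []byte, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate in caPEM")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("leafPEM is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if leaf.IsCA { // a leaf allowed to sign would let a leaked key.pem mint browser-trusted certs
		return errors.New("leaf certificate is marked as a CA")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// ConstructedPair builds in memory (constructed sample, not real files) what minica wrote to ./certs: a root CA and a leaf with the post's SANs.
func ConstructedPair() (caPEM, leafPEM []byte) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0)}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: time.Now(), NotAfter: time.Now().AddDate(2, 0, 0),
		DNSNames: []string{"localhost", "app.test", "*.app.test"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	rootDER, _ := x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, root, &leafKey.PublicKey, rootKey) // only the CA key signs
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(rootDER), toPEM(leafDER)
}
```

Point VerifyDevCert at the real ./certs/minica.pem and ./certs/cert.pem to confirm the generated pair before trusting the root in a browser.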
Top comments (1)
Thanks, very useful article. Apparently 'go get' has been deprecated for use in module mode; I had to use 'go install github.com/jsha/minica@latest' to make it work.