{"id":8948,"date":"2021-05-31T23:16:59","date_gmt":"2021-05-31T20:16:59","guid":{"rendered":"https:\/\/kifarunix.com\/?p=8948"},"modified":"2024-03-18T22:17:52","modified_gmt":"2024-03-18T19:17:52","slug":"create-locally-trusted-ssl-certificates-with-mkcert-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/create-locally-trusted-ssl-certificates-with-mkcert-on-ubuntu-20-04\/","title":{"rendered":"Create Locally Trusted SSL Certificates with mkcert on Ubuntu 20.04"},"content":{"rendered":"\n

In this tutorial, you will learn how to create locally trusted SSL certificates<\/span> with mkcert on Ubuntu 20.04. mkcert<\/a><\/strong> is a simple zero-config tool that is used to make locally trusted development certificates. It <\/span>automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates.<\/p>\n\n\n\n

Using certificates from real certificate authorities (CAs) for development can be dangerous or impossible (for hosts like localhost<\/code> or 127.0.0.1<\/code>), but self-signed certificates cause trust errors. Managing your own CA is the best solution, but usually involves arcane commands, specialized knowledge and manual steps, but not any more with the availability of mkcert utility.<\/p>\n\n\n\n

Using mkcert to Create Locally Trusted SSL Certificates<\/h2>\n\n\n\n

Install Certutil on Ubuntu 20.04<\/h3>\n\n\n\n

As a prerequisite, you are required to install certutil<\/strong>, a command-line utility that can create and modify certificate and key databases before you can install mkcert utility.<\/span><\/p>\n\n\n\n

sudo apt install libnss3-tools -y<\/code><\/pre>\n\n\n\n
Installing mkcert on Ubuntu 20.04<\/h3>\n\n\n\n
Once the installation of certutil is done, download the current version of mkcert pre-built binary from Github releases page<\/a>.<\/p>\n\n\n\n
As of this writing, the current version of mkcert is v1.4.3<\/p>\n\n\n\n
So download the current version and install it as shown below<\/p>\n\n\n\n
wget https:\/\/github.com\/FiloSottile\/mkcert\/releases\/download\/v1.4.3\/mkcert-v1.4.3-linux-amd64<\/code><\/pre>\n\n\n\n
sudo cp mkcert-v1.4.3-linux-amd64 \/usr\/local\/bin\/mkcert<\/code><\/pre>\n\n\n\n
sudo chmod +x \/usr\/local\/bin\/mkcert<\/code><\/pre>\n\n\n\n
Generate Local CA on Ubuntu 20.04<\/h3>\n\n\n\n
Now that the mkcert utility is installed, run the command below to generate and install your local CA on Ubuntu 20.04.<\/p>\n\n\n\n
mkcert -install<\/code><\/pre>\n\n\n\n
Sample command output;<\/p>\n\n\n\n
The local CA is now installed in the system trust store! \u26a1\ufe0f\nThe local CA is now installed in the Firefox and\/or Chrome\/Chromium trust store (requires browser restart)! \ud83e\udd8a<\/code><\/pre>\n\n\n\n
The command creates a root CA and is stored under ~\/.local\/share\/mkcert<\/strong>.<\/p>\n\n\n\n
You can find the root CA path by running the command below.<\/p>\n\n\n\n
mkcert -CAROOT<\/code><\/pre>\n\n\n\n
\/home\/koromicha\/.local\/share\/mkcert<\/code><\/pre>\n\n\n\n
Listing the directory contents;<\/p>\n\n\n\n
ls -1 ~\/.local\/share\/mkcert<\/code><\/pre>\n\n\n\n
rootCA-key.pem\nrootCA.pem<\/code><\/pre>\n\n\n\n
Create Locally Trusted SSL Certificates with mkcert<\/h3>\n\n\n\n
Now that you have your local CA, run the command below to generate local SSL certificates using mkcert command.<\/p>\n\n\n\n
mkcert kifarunix-demo.com '*.kifarunix-demo.com' localhost 127.0.0.1 ::1<\/code><\/pre>\n\n\n\n
Sample command output;<\/code><\/pre>\n\n\n\n
Created a new certificate valid for the following names \ud83d\udcdc\n - \"kifarunix-demo.com\"\n - \"*.kifarunix-demo.com\"\n - \"localhost\"\n - \"127.0.0.1\"\n - \"::1\"\n\nReminder: X.509 wildcards only go one level deep, so this won't match a.b.kifarunix-demo.com \u2139\ufe0f\n\nThe certificate is at \".\/kifarunix-demo.com+4.pem\" and the key at \".\/kifarunix-demo.com+4-key.pem\" \u2705\n\nIt will expire on 31 August 2023 \ud83d\uddd3<\/code><\/pre>\n\n\n\n
You have the certificate and key in the current working directory;<\/p>\n\n\n\n
ls -1 .\/kifarunix-demo.com+*<\/code><\/pre>\n\n\n\n
 .\/kifarunix-demo.com+4-key.pem\n .\/kifarunix-demo.com+4.pem<\/code><\/pre>\n\n\n\n
Enable Web Server HTTPS using the Certificates<\/h3>\n\n\n\n
The certificates are now installed and it is time to enable your webserver to use them for HTTPS connections.<\/p>\n\n\n\n
To configure Apache to use these certificates, edit the default ssl configuration file, \/etc\/apache2\/sites-available\/default-ssl.conf<\/strong> and change the SSL certificate and key file to point to the locally generated cert and key file above.<\/p>\n\n\n\n
See the example below. Note the certificates are in my home directory. <\/p>\n\n\n\n
Be sure to replace the paths accordingly.<\/strong><\/p>\n\n\n\n
sudo sed -i 's#\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem#\/home\/koromicha\/kifarunix-demo.com+4.pem#; s#\/etc\/ssl\/private\/ssl-cert-snakeoil.key#\/home\/koromicha\/kifarunix-demo.com+4-key.pem#' \/etc\/apache2\/sites-available\/default-ssl.conf<\/code><\/pre>\n\n\n\n
To verify this;<\/p>\n\n\n\n
grep -E \"SSLCertificateFile|SSLCertificateKeyFile\" \/etc\/apache2\/sites-available\/default-ssl.conf<\/code><\/pre>\n\n\n\n
\t\t#   SSLCertificateFile directive is needed.\n\t\tSSLCertificateFile\t\/home\/koromicha\/kifarunix-demo.com+4.pem\n\t\tSSLCertificateKeyFile \/home\/koromicha\/kifarunix-demo.com+4-key.pem\n\t\t#   the referenced file can be the same as SSLCertificateFile<\/code><\/pre>\n\n\n\n
Enable Apache to use SSL by loading the ssl modules;<\/p>\n\n\n\n
sudo a2enmod ssl<\/code><\/pre>\n\n\n\n
sudo a2ensite default-ssl.conf<\/code><\/pre>\n\n\n\n
Reload and restart Apache to activate the new configuration<\/p>\n\n\n\n
sudo systemctl restart apache2<\/code><\/pre>\n\n\n\n
Verify Local SSL Certs generated with mkcert<\/h3>\n\n\n\n
Navigate to the browser and try to access your domain.<\/p>\n\n\n\n
I am using local hosts file for my DNS entries.<\/p>\n\n\n\n
\"Create<\/figure>\n\n\n\n
Enable the Certificates for Nginx Web Server<\/h3>\n\n\n\n
Create your web page configuration as shown below.<\/p>\n\n\n\n
Replace the paths to the ceritificate and key accordingly<\/strong><\/p>\n\n\n\n
vim \/etc\/nginx\/sites-available\/example.com<\/code><\/pre>\n\n\n\n
server {\nlisten 80;\nlisten 443 ssl;\n\nssl on;\nssl_certificate \/home\/koromicha\/kifarunix-demo.com+4.pem<\/strong>; \nssl_certificate_key \/home\/koromicha\/kifarunix-demo.com+4-key.pem<\/strong>;\n\nserver_name example.com;\nlocation \/ {\nroot \/var\/www\/html\/example;\nindex index.html;\n}\n}<\/code><\/pre>\n\n\n\n
Verify that the configuration has no error.<\/p>\n\n\n\n
nginx -t<\/pre>\n\n\n\n
nginx: the configuration file \/etc\/nginx\/nginx.conf syntax is ok\nnginx: configuration file \/etc\/nginx\/nginx.conf test is successful<\/code><\/pre>\n\n\n\n
Restart Nginx<\/p>\n\n\n\n
systemctl restart nginx<\/code><\/pre>\n\n\n\n
Navigate to the browser and test your ssl for your domain.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Well, seems up-to that far everything is fine.<\/p>\n\n\n\n
And that concludes our guide on how to use mkcert to create locally trusted SSL certificates.<\/p>\n\n\n\n
More mkcert<\/strong><\/code> usage information.<\/p>\n\n\n\n
mkcert --help<\/code><\/pre>\n\n\n\n
Other Tutorials<\/h3>\n\n\n\n
Configure Nginx with SSL\/TLS certificates on CentOS 8<\/a><\/p>\n\n\n\n
Monitor SSL\/TLS Certificate Expiry with Prometheus and Grafana<\/a><\/p>\n\n\n\n
Configure Apache with SSL\/TLS Certificates on CentOS 8<\/a><\/p>\n\n\n\n
Easy way to configure Filebeat-Logstash SSL\/TLS Connection<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In this tutorial, you will learn how to create locally trusted SSL certificates with mkcert on Ubuntu 20.04. mkcert is a simple zero-config tool that is<\/p>\n","protected":false},"author":1,"featured_media":8955,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,1187],"tags":[3600,3604,3602,167,3605,3606,3601,943,3603],"class_list":["post-8948","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-ssl-tls","tag-create-ssl-with-mkcert","tag-install-mkcert","tag-local-ssl-with-mkcert","tag-mkcert","tag-mkcert-ca","tag-mkcert-ssl","tag-mkcert-ubuntu","tag-ssl-tls","tag-trusted-ssl-with-mkcert","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8948"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=8948"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8948\/revisions"}],"predecessor-version":[{"id":21804,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8948\/revisions\/21804"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8955"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=8948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=8948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=8948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}