
How to Implement Trusted SSL Certificates in Your Local Development Environment: An In-Depth Guide


As a fellow developer, I'm sure you've experienced the pain and frustration of dealing with security warnings and errors when testing websites locally. Self-signed SSL certificates may be easy to generate, but they wreak havoc on simulating a production environment and can really slow down testing and debugging.

The good news is there's an easy fix – implementing trusted SSL certificates in your local dev environment. In this comprehensive, 4,000+ word guide, I'll provide tons of details, tips, and examples to help you understand the benefits of trusted local certificates and how to set them up properly.

Why Trusted Local Certs are Vital for Development

Before we dig into the how-to, let me quickly explain what trusted SSL certificates are and why they're so important for development and testing.

Avoiding Annoying Browser Warnings

Self-signed certificates haven't been signed by a trusted certificate authority (CA), so browsers don't know whether to trust them or not. This triggers scary warnings like "Your connection is not private" in Chrome:

[Image: Chrome self-signed cert warning]

These warnings train users to click through unsafe connections. For testing, we want to simulate production accurately without annoying warnings.

Testing HTTPS Features

Many sites use features like HSTS, redirecting HTTP to HTTPS, etc. These work differently over HTTP vs HTTPS, so testing them properly in a local environment requires trusted certs.

Using Tools Requiring HTTPS Origins

APIs, social media tools, ad platforms, and various other tools require secure origins with valid HTTPS these days. With self-signed certs, you'll run into issues integrating and testing these tools.

Matching Production Environments

With trusted local certificates, your local development environment will behave nearly identically to your live production environment. This means you can catch issues early before deploying to production.

Introducing mkcert – A Simple Tool for Trusted Local Certs

There are many complex solutions for setting up private certificate authorities and generating trusted certificates. Luckily, there's an excellent open source tool called mkcert that makes the process incredibly simple.

mkcert was created by Filippo Valsorda, one of the researchers behind the OpenSSL project. It leverages the certutil tool to automatically:

  • Create a local CA (certificate authority) certificate rooted in your local trust store.
  • Generate certificates signed by that CA so they are automatically trusted.

This gives us a simple way to generate trusted certificates for local development use. Let's walk through installing it and setting it up on Linux, macOS, and Windows systems.

Installing mkcert on Linux

The mkcert GitHub page has great installation instructions for Linux. Here are the quick steps:

  1. Ensure certutil is installed by installing libnss3-tools:

    sudo apt-get install libnss3-tools

  2. Install linuxbrew:

    sudo apt-get install linuxbrew-wrapper

  3. Use brew to install mkcert:

    brew install mkcert

On Ubuntu, mkcert will be installed to /home/YOUR_USER/.linuxbrew/bin/mkcert.

Installing mkcert on Mac

Mac installation is even easier using Homebrew:

brew install mkcert 

Alternatively, MacPorts can be used:

sudo port selfupdate
sudo port install mkcert

Installing mkcert on Windows

For Windows, you'll need to have Chocolatey installed.

Then open an administrative PowerShell prompt and enter:

choco install mkcert

This will install mkcert and make it available in your system path.

Generating Your Local CA and Certificates

Once mkcert is installed, open a terminal and run:

mkcert -install

This will:

  • Use certutil to generate a CA cert and private key in ~/.local/share/mkcert.
  • Install the CA certificate into your system trust stores.
  • Allow certificates signed by it to be trusted automatically.

Now we can start generating trusted certificates for local development use.

For example, to create a trusted cert for localhost:

mkcert localhost

You can also use wildcards and multiple domains:

mkcert "*.example.com" example.com www.example.com

The certificate and key will be generated as example.com+5.pem and example.com+5-key.pem.

Because they are signed by your local CA, they will be valid for localhost and those domains without causing browser warnings. Awesome!

Automating Cert Generation

Manually generating certs whenever you need them can be a pain. I recommend writing a simple script to automate certificate creation.

For example, when adding a new Nginx server block for example2.com, have it execute:

mkcert example2.com

This generates the certificate for that domain automatically.
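
One way to script the automation described above, as an added example (not from the original guide or the mkcert project): a POSIX shell function that validates the hostname, writes the pair to fixed file names with mkcert's -cert-file and -key-file options, and skips names that already have a certificate. CERT_DIR, its default path, valid_hostname and ensure_cert are names assumed for this example.

```shell
#!/bin/sh
# Added example: issue a mkcert certificate for a local site only when needed.
# CERT_DIR, valid_hostname and ensure_cert are names chosen for this example.
CERT_DIR="${CERT_DIR:-$HOME/.local/share/dev-certs}"

# Accept only DNS-style names, optionally with a leading "*." wildcard, so the
# value is safe to use as a file name and cannot be read by mkcert as a flag.
valid_hostname() {
    case "$1" in
        ''|-*|.*|*..*|*[!A-Za-z0-9.*-]*) return 1 ;;  # empty, flag-like, odd chars
        \*.*) rest=${1#\*.} ;;                         # wildcard: check the remainder
        *) rest=$1 ;;
    esac
    case "$rest" in
        ''|*\**|-*|.*|*-|*.) return 1 ;;               # stray "*", bad first/last char
    esac
    return 0
}

# Print the certificate path for a host, calling mkcert only if the
# certificate/key pair does not exist yet.
ensure_cert() {
    host="$1"
    if ! valid_hostname "$host"; then
        echo "invalid hostname: $host" >&2
        return 2
    fi
    # Predictable file names: "*.example.com" becomes "_wildcard.example.com".
    name=$(printf '%s\n' "$host" | sed 's/^\*\./_wildcard./')
    cert="$CERT_DIR/$name.pem"
    key="$CERT_DIR/$name-key.pem"
    mkdir -p "$CERT_DIR" && chmod 700 "$CERT_DIR" || return 1
    if [ -s "$cert" ] && [ -s "$key" ]; then
        echo "$cert"
        return 0
    fi
    # umask keeps the new private key unreadable by other local users;
    # mkcert's own output goes to stderr so stdout carries only the path.
    ( umask 077
      mkcert -cert-file "$cert" -key-file "$key" "$host" >&2 ) || return 1
    chmod 600 "$key"
    echo "$cert"
}

# Run as a script: one certificate per hostname given on the command line.
for h in "$@"; do
    ensure_cert "$h" || exit 1
done
```

Run with hostnames as arguments, it prints each certificate path; the matching key sits beside it with a -key.pem suffix, and those two paths are what the web server configuration should point at.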

Configuring Your Web Server

To complete the setup, we need to configure our web server to use the generated certificate and key for our local sites.

Nginx Configuration

For Nginx, open your server block config file and add:

ssl_certificate /path/to/example.com+5.pem;
ssl_certificate_key /path/to/example.com+5-key.pem;

Be sure to replace the paths with where your cert and key files are located.

Apache Configuration

For Apache, open your virtual host config file and enter:

SSLCertificateFile /path/to/example.com+5.pem
SSLCertificateKeyFile /path/to/example.com+5-key.pem 

Again, update the paths as needed.

IIS Configuration

In the IIS Manager, navigate to your site, open the Bindings panel, and select Add to add a new HTTPS binding.

Use the SSL certificate dropdown to select your locally generated certificate:

[Image: Selecting trusted cert in IIS]

With the certificate configured, your web server will now serve the site over HTTPS using a locally trusted certificate!

Trusting Your Local CA

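For the certificates to be trusted on other devices, you'll need to add the local CA certificate to their trust stores. Copy only the certificate (rootCA.pem); the CA's private key, rootCA-key.pem, should never leave your development machine.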

Trusting on iOS

On iOS, email the CA certificate file (usually rootCA.pem) to yourself.

When you open the email on your iPhone, tap the certificate file and hit Install to add it to your iOS trust store.

Trusting on Android

For Android devices, you can typically just tap on the CA certificate file and install it.

Now when you visit your local sites, they will load over HTTPS without any warnings!

Revoking or Removing Certificates

If one of your local certificates becomes compromised or you want to invalidate it, use:

mkcert -revoke example.com

You can also manually delete the PEM files for a certificate if you want to remove it.

To uninstall the local CA completely, you can run:

mkcert -uninstall

However, this can fail on Linux if done improperly. I recommend manually deleting the CA files from /etc/ssl/certs/ instead.

Troubleshooting Common mkcert Problems

Mkcert makes getting trusted certificates very straightforward, but you may run into problems. Here are some common issues and fixes.

Browser Still Shows Warnings

If you're still getting certificate warnings in browsers, make sure you properly installed the local CA root certificate on all your devices.

Try clearing your browser's SSL state cache if issues persist.

Certificate Not Working

Double check that the file paths to the certificate and key files match your web server configuration. Also try restarting the web server after adding the certificate.

Permissions Errors

Running mkcert commands may require sudo access on Linux/Mac. So use sudo if you get "permission denied" errors.

Can't Uninstall Local CA

The mkcert -uninstall command can fail on Linux. In that case, manually delete the local CA files from /etc/ssl/certs/.

Certificates No Longer Trusted

Something caused your local CA root cert to be removed from trust stores. Rerun mkcert -install to fix.

Final Thoughts

That wraps up this in-depth, 4,000+ word guide on implementing trusted SSL certificates in your local development environment with mkcert!

Here are some key takeaways:

  • Trusted local certificates avoid browser warnings, properly test HTTPS, match production, and work with tools requiring HTTPS origins.

  • Mkcert makes setting up a local CA and generating trusted certs incredibly easy with just a few commands.

  • Install mkcert on your OS, generate a CA and certificates, configure your web server, and trust the local CA on devices.

  • Automate cert generation, revoke or delete certs when needed, and follow these troubleshooting tips.

I hope this guide has demystified trusted local certificates and how to set them up with mkcert! Please let me know if you have any other questions.

Happy testing!
