mkcert: A simple program to create X.509 certificates

Getting started

Download and unpack the latest binary release for your platform:
- Linux: mkcert-x86_64-unknown-linux-musl.tar.gz
- Windows: mkcert-x86_64-pc-windows-msvc.zip
Open a terminal and run the program.

$ ./mkcert --help      # Linux
$ .\mkcert.exe --help  # Windows

Features

Creating new certificates

It is not necessary to copy and move around private keys. Create them directly on the target host.

Copy the program to the host where you need the new certificate.
Create a template file: Click here for some examples.
Choose a strong (long and random) passphrase.

$ mkcert -f examples/request.yaml
New certificate: csr.example.com
Enter new passphrase:
Verifying - Enter new passphrase:

$ ls csr*
csr.example.com.csr  csr.example.com.key

Private keys

Each new certificate gets a new private key. The private key is encrypted based on the passphrase you specify. You can use/decrypt the key with the same passphrase.

Details:

Encryption algorithm: AES 256-bit CBC
Key derivation function: PBKDF2

Creating PKCS #12 files

A PKCS #12 (.p12) file is a container which bundles a private key and one or more certificates into a single file.

To create a .p12 file:

Put the certificate and the private key together in the same directory.
The file name of the certificate must match the name of the key.
Use the -b, --bundle option followed by the path to the key file.

$ ls
crt.example.com.crt
crt.example.com.key

$ mkcert -b crt.example.com.key  # <- path to key file
Bundle: crt.example.com
Enter passphrase:

$ ls
crt.example.com.crt
crt.example.com.key
crt.example.com.p12

Importing PKCS #12 files into the Windows certificate store

On Windows, use the certificate store if the application which needs the certificate supports it. The store is more secure and you don’t need the .p12 file.

To import a .p12 file:

Double-click the .p12 file to import the private key and the certificate into the Windows certificate store.
Delete the .p12 file after a successful import.

Changelog

All notable changes will be documented here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.2.2] - 2024-07-18

Added

More helpful error messages when something goes wrong.

[0.2.1] - 2023-10-22

Changed

Set the common name as default subject alternative name (SAN). Some browsers require a SAN to validate the certificate.

Added

Helpful error message when the program crashes.

Fixed

Build dependencies for OpenSSL.

[0.2.0] - 2023-10-17

Changed

The OpenSSL library is now built-in to make the program more portable.

Added

Support for creating PKCS #12 files.

[0.1.0] - 2023-10-14

Initial release.

Contributing

The best way to get started is to build and run a local dev container.

You can use Podman or any other OCI compliant container manager. The dev container has all the required dependencies for working with the project.

$ container/build.sh
$ container/run.sh

From inside the container, you can then run some workflows.

$ cargo fmt && cargo clippy --all-targets  # run code formatter and linter
$ cargo test   # run tests
$ cargo doc    # build the docs
$ cargo run    # run the binary crate
$ cargo clean  # remove build artifacts

Useful resources

https://github.com/andreaslongo/learn-rust

License

GNU General Public License v3.0 or later

andreaslongo / mkcert Goto Github PK

mkcert's Introduction

mkcert: A simple program to create X.509 certificates

Getting started

Features

Creating new certificates

Private keys

Creating PKCS #12 files

Importing PKCS #12 files into the Windows certificate store

Changelog

[0.2.2] - 2024-07-18

Added

[0.2.1] - 2023-10-22

Changed

Added

Fixed

[0.2.0] - 2023-10-17

Changed

Added

[0.1.0] - 2023-10-14

Contributing

Useful resources

License

mkcert's People

Contributors

Watchers

Recommend Projects

Recommend Topics

Recommend Org