Create locally trusted TLS certs

Here I’ll walk you through what is, in my opinion at least, the strainless way to upgrade your local development HTTP server to HTTPS.

We are going to use mkcert. Why? Well, mkcert surpasses a series of roadblocks, that would fall on your hands if you decided to create a stand-alone certificate with openssl - the most annoying of them, by far, would be trust errors on all your browsers and tools like curl, wget, etc.

How does that happen? mkcert will create a local CA, and configure your root system’s store with it, moreover, it’ll configure your chrome and firefox stores if you have them installed. You can then issue certs from your local CA, for whatever domains you’d like.

Install

# You can find the install procedures on the Github repo
# I did the following on my Ubuntu 20.04

>> sudo apt install libnss3-tools
>> curl https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -o /usr/local/bin/mkcert
>> sudo chmod +x /usr/local/bin/mkcert

Create the Certificate Authority

>> mkcert -install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox trust store (requires browser restart)! 🦊

Generate certificates for your fake domain

>> mkcert demo.com localhost 127.0.0.1
Created a new certificate valid for the following names 📜
 - "demo.com"
 - "localhost"
 - "127.0.0.1"

The certificate is at "./demo.com+2.pem" and the key at "./demo.com+2-key.pem" ✅

It will expire on 5 June 2024 🗓

Serve them along with your API

Showcasing it using an uvicorn worker.

Optionally: you can add the rule 127.0.0.1 demo-com on your /etc/hosts file; serve the server on port 443 (most likely you’ll need to run your server as root for that to happen).

uvicorn app:app --port 443 --ssl-keyfile=./demo.com+2-key.pem --ssl-certfile=./demo.com+2.pem

By now, all the annoying certificate validation errors, that you’re used to while editing code on your local workstation, are gone.

>> curl -v https://demo.com
*   Trying 127.0.0.1:443...
(...)
* Server certificate:
*  subject: O=mkcert development certificate; OU=diogo@diogo-ThinkPad
*  start date: Mar  5 15:58:45 2022 GMT
*  expire date: Jun  5 14:58:45 2024 GMT
*  subjectAltName: host "demo.com" matched cert's "demo.com"
*  issuer: O=mkcert development CA; OU=diogo@diogo-ThinkPad; CN=mkcert diogo@diogo-ThinkPad
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: demo.com
(...)
< HTTP/1.1 200 OK
< date: Sat, 05 Mar 2022 17:21:40 GMT
< server: uvicorn
< content-length: 25
< content-type: application/json
(...)

🦝

· https, SSL, TLS