You should probably use the official, up-to-date installation guide, but at one point in time these commands worked for installing the CLI tool.
Install a Root Certificate Authority
The first step to using this tool is to create a Root Certificate Authority and have it become trusted by the system you're currently running on:
Parts of a Root Certificate
Now let's use openssl to inspect the certificate that was made:
Here's the certificate from one of my runs on my Mac host:
This tells us the certificate uses version 3 of the X.509 specification.
The Serial Number is guaranteed to be a unique positive integer and cannot be longer than 20 octets.
This tells us that SHA-256 is the hashing algorithm and RSA is the signature algorithm: the issuer hashes the certificate body with SHA-256 and signs that hash with its RSA private key (in older phrasing, "encrypts" the hash).
Here we see that the Issuer has a few attributes set. None of them mean much in this context, since your name or laptop isn't exactly an Organizational Unit, but it's good enough.
The Validity of the certificate is the first line of defense for deciding whether to trust it. If the current time is outside the Not Before / Not After bounds of the certificate, it should no longer be trusted.
Here we see that this certificate is good for 10 years.
Again, none of these Subject attributes mean much, but none of it matters for a local CA.
Subject Public Key Info
The RSA public key, as the specification implies, is literally just two numbers: the Modulus, which is randomly generated and in this case happens to be 3072 bits long (in other cases it might be shorter or longer), and the Exponent, which is almost always set to 65537.
Why is the Exponent always set to 65537? Because compromises had to be made. Here's the Crypto StackExchange discussion.
Finally, some juicy bits. We see that this certificate is configured to be a Certificate Authority.
A pathlen of 0 means this CA can only issue end-entity certificates; it cannot be used to create additional (intermediate) Certificate Authorities.
Take note of the Subject Key Identifier (3C:30:C0...), because we'll see it referenced in our End-entity certificate in a few minutes.
Parts of an End-entity Certificate
Let's now create an End-entity Certificate that we'll use in an Nginx server.
mkcert writes certificates to your current working directory. If you'd like, you can move into the examples/mkcert-nginx directory first so that you can take advantage of the existing Nginx configuration file.
Let's take a look at the certificate:
This should produce something like the following:
Make a note of this; we'll see it again soon from our browser.
This matches the Issuer of the Root certificate.
This lets us use the certificate for a web server.
We can't use this certificate as a Certificate Authority (CA:FALSE).
Authority Key Identifier
We see that this matches the Subject Key Identifier of the Root certificate, which is how a client finds the issuer that signed this certificate.
Subject Alternative Name
This tells us which domain names and IP addresses the server can present this certificate for. Meaning, if the server serves requests with this certificate from anywhere other than:
and the client is validating the certificate's server names, then the client should reject the certificate and disconnect from the server.
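To see the pieces from the Root certificate section and the End-entity certificate section above side by side, here is an added example (my own script, not mkcert's code and not the output in the post) that rebuilds the same structures with plain openssl: a Root CA with CA:TRUE, pathlen:0 and a Subject Key Identifier, and a leaf certificate whose Authority Key Identifier points back at it, with a Subject Alternative Name list. It then goes a step beyond the post and runs the checks a validating client performs (validity window, chain to the root, hostname and IP match) with `openssl verify`. The subject names, file names, the SAN list (localhost, 127.0.0.1, ::1) and the scratch directory are my choices; it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not mkcert's own code: rebuild with plain openssl the two
# certificates the post walks through, then run the checks a client performs.
# Assumes openssl >= 1.1.1 on PATH. Subjects, file names and the SAN list are
# chosen for this example; $WORK is a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"
ROOT="$WORK/rootCA.pem"; ROOT_KEY="$WORK/rootCA-key.pem"
LEAF="$WORK/localhost.pem"; LEAF_KEY="$WORK/localhost-key.pem"

# Root CA: RSA-3072 key, sha256WithRSAEncryption, 10-year validity,
# CA:TRUE with pathlen:0 (may issue leaves only) and a Subject Key Identifier.
make_root_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$ROOT_KEY" 2>/dev/null
  openssl req -new -key "$ROOT_KEY" -out "$WORK/root.csr" \
    -subj "/O=example dev CA/OU=me@laptop/CN=example dev CA me@laptop"
  cat >"$WORK/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl x509 -req -in "$WORK/root.csr" -signkey "$ROOT_KEY" -sha256 -days 3650 \
    -extfile "$WORK/root.ext" -out "$ROOT" 2>/dev/null
}

# End-entity certificate: CA:FALSE, serverAuth, an Authority Key Identifier
# equal to the root's SKI, and the SAN list that limits which names it covers.
make_leaf() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$LEAF_KEY" 2>/dev/null
  openssl req -new -key "$LEAF_KEY" -out "$WORK/leaf.csr" \
    -subj "/O=example dev certificate/OU=me@laptop"
  cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1
EOF
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$ROOT" -CAkey "$ROOT_KEY" -CAcreateserial \
    -sha256 -days 825 -extfile "$WORK/leaf.ext" -out "$LEAF" 2>/dev/null
}

# --- field extraction from `openssl x509 -text`, the view the post inspects ---
x509_text()   { openssl x509 -in "$1" -noout -text; }
key_bits()    { x509_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
exponent_of() { x509_text "$1" | sed -n 's/.*Exponent: \([0-9]*\) .*/\1/p'; }
sig_alg_of()  { x509_text "$1" | awk '/Signature Algorithm:/ {print $3; exit}'; }
# The identifier sits on the line after the extension name; OpenSSL 1.1.1
# prefixes the AKI value with "keyid:", OpenSSL 3 does not, so strip it.
ski_of() { x509_text "$1" | awk '/Subject Key Identifier/ {getline; gsub(/[ \t]/,""); print; exit}'; }
aki_of() { x509_text "$1" | awk '/Authority Key Identifier/ {getline; gsub(/[ \t]/,""); sub(/^keyid:/,""); print; exit}'; }
is_ca()         { x509_text "$1" | grep -q 'CA:TRUE'; }
path_len_zero() { x509_text "$1" | grep -q 'pathlen:0'; }

# --- the checks a validating client performs ---
still_valid()       { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }   # inside Not Before/Not After
chain_ok()          { openssl verify -CAfile "$ROOT" "$LEAF" >/dev/null 2>&1; }  # signed by a trusted root
accepted_for_name() { openssl verify -CAfile "$ROOT" -verify_hostname "$1" "$LEAF" >/dev/null 2>&1; }
accepted_for_ip()   { openssl verify -CAfile "$ROOT" -verify_ip "$1" "$LEAF" >/dev/null 2>&1; }
aki_matches_root()  { [ -n "$(ski_of "$ROOT")" ] && [ "$(aki_of "$LEAF")" = "$(ski_of "$ROOT")" ]; }

make_root_ca
make_leaf
echo "root: $(key_bits "$ROOT")-bit RSA, e=$(exponent_of "$ROOT"), $(sig_alg_of "$ROOT")"
echo "root SKI: $(ski_of "$ROOT")"
echo "leaf AKI: $(aki_of "$LEAF")"
echo "leaf SAN: $(x509_text "$LEAF" | awk '/Subject Alternative Name/ {getline; gsub(/^[ \t]+/,""); print; exit}')"
accepted_for_name localhost   && echo "localhost: accepted"
accepted_for_name example.com || echo "example.com: rejected (name not in SAN)"
```

The last two lines are the behaviour described for the Subject Alternative Name: the same chain validates for a name in the list and is rejected for a name that is not, which is exactly what a browser does before it lets the page load.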
Start an Nginx Container
The examples/mkcert-nginx folder contains an existing Nginx configuration file.
From within that directory you can start an Nginx container like this:
And then open a browser to https://localhost:4448
You should then be able to inspect the certificate in the browser and see something like this:
Here you can see that this certificate is trusted because mkcert installed the Root CA as a trusted certificate in your system.
Similarly, you can see that this server certificate is in use when you compare the
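For readers who don't have the examples/mkcert-nginx directory, here is an added example (mine, not the configuration file or commands from the post) of the minimal Nginx TLS server block that serves an mkcert certificate, the container command that maps host port 4448 to it, and a CLI check that does the same validation the browser does. It assumes the certificate files are the ones `mkcert localhost 127.0.0.1 ::1` writes into the current directory (localhost+2.pem and localhost+2-key.pem, mkcert's naming convention) and that the root lives at `$(mkcert -CAROOT)/rootCA.pem`; the container image, mount paths and the text served are my choices.

```shell
#!/bin/sh
# Added example, not the post's examples/mkcert-nginx configuration: a minimal
# TLS server block for Nginx, the docker run line for it, and a CLI trust check.
# Assumes the mkcert files localhost+2.pem / localhost+2-key.pem in $CERT_DIR.
set -eu
CERT_DIR="${CERT_DIR:-$PWD}"          # mkcert writes certificates to the cwd
CONF="${CONF:-$CERT_DIR/default.conf}"

# Server block: TLS only, pointing at the mkcert files mounted into the container.
write_nginx_conf() {
  cat >"$CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name localhost;

    # Files written by mkcert, mounted read-only at /etc/nginx/certs.
    ssl_certificate     /etc/nginx/certs/localhost+2.pem;
    ssl_certificate_key /etc/nginx/certs/localhost+2-key.pem;

    # Modern protocol set only; nothing here needs TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        add_header Content-Type text/plain;
        return 200 "served over TLS with an mkcert certificate\n";
    }
}
EOF
}

# Prints (rather than runs) the container command so it can be reviewed first;
# host port 4448 maps to the container's 443, both mounts are read-only.
container_cmd() {
  printf 'docker run --rm -p 4448:443 -v %s:/etc/nginx/conf.d/default.conf:ro -v %s:/etc/nginx/certs:ro nginx:alpine\n' \
    "$CONF" "$CERT_DIR"
}

# Quick sanity check that the rendered config wires in the mkcert files.
conf_uses_mkcert_files() {
  grep -q 'ssl_certificate  */etc/nginx/certs/localhost+2.pem;' "$CONF" &&
  grep -q 'ssl_certificate_key  */etc/nginx/certs/localhost+2-key.pem;' "$CONF" &&
  grep -q 'ssl_protocols TLSv1.2 TLSv1.3;' "$CONF"
}

# The browser's check from the CLI: the chain must validate against the mkcert
# root and the certificate must cover the name we dialed. Run once the container
# is up, e.g. verify_server localhost 4448 "$(mkcert -CAROOT)/rootCA.pem".
verify_server() {  # $1 = host, $2 = port, $3 = root CA file
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    -verify_return_error -verify_hostname "$1" </dev/null >/dev/null 2>&1
}

write_nginx_conf
echo "wrote $CONF; start the server with:"
container_cmd
```

After the container is running, `verify_server localhost 4448 "$(mkcert -CAROOT)/rootCA.pem"` exits 0 only when the chain validates against the mkcert root and the certificate's SAN list covers localhost; pass a root file that isn't the mkcert one and it fails, which is the same "not trusted" state the browser shows before `mkcert -install` has been run.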