Mkcert - Create SSL Certificates for Local Development on Linux

In this article, I'll explain how to install mkcert, a zero-config tool, on our latest Ubuntu system. Mkcert is a simple tool for making locally trusted certificates, and it doesn't require any configuration. It is always dangerous or impossible to use certificates from real Certificate Authorities for localhost. Even using self-signed certificates is equally not recommended, as they cause trust errors.

Mkcert provides the best solution to this by managing its own CA. It automatically creates and installs a local CA in the system root store and generates locally trusted certificates. Let's see the steps to install mkcert.


  • A well-configured server with Go 1.10+ and root privileges.
  • The Certificate Database tool (Certutil)

Installing Golang

Go is a general-purpose systems programming language with which we can build a wide variety of applications. The Go language and its toolkit are available in our default repository. We can install Go on Ubuntu 18.04 by running this command.

# apt install golang
# go version
go version go1.10.1 linux/amd64

Now we can create a file "/etc/profile.d/" to set up the Go environment variables server-wide as below:

# cat /etc/profile.d/
export GOROOT=/usr/lib/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

# source /etc/profile.d/

Installing the Certutil

The Certificate Database tool, or Certutil, is a simple command-line utility that can create and modify certificate and key databases. It can be used to list, generate, modify, or delete certificates. It can also be used to create or change the password and to generate new public/private key pairs. Furthermore, it displays the contents of the key database or deletes key pairs within the key database. On our Ubuntu server, we can install it by running the command below:

# apt install libnss3-tools

Installing Mkcert

Depending on our OS platform and requirements, we need to download the source file for the Mkcert tool here.

# cd mkcert-1.0.0/

Now we can copy the mkcert binary from the installation folder to the /usr/bin/ folder to use it server-wide.

# cd mkcert-1.0.0/bin/
# cp mkcert /usr/bin/

Finally, we can create our local CA, which will sign our certificates, with this command:

# mkcert -install
Created a new local CA at "/root/.local/share/mkcert" 💥
The local CA is now installed in the system trust store! ⚡️

Our root CA will be created and saved under the path /root/.local/share/mkcert. Usually, the CA certificate and its key are stored in an application data folder in the user's home directory. The location can also be obtained by using the command mkcert -CAROOT.

# mkcert -CAROOT

Now we can use this tool to generate locally trusted development certificates as required:

# mkcert '*' localhost ::1
Using the local CA at "/root/.local/share/mkcert" ✨

Created a new certificate valid for the following names 📜
- ""
- "*"
- ""
- "localhost"
- ""
- "::1"

The certificate is at "./" and the key at "./" ✅

As reported in the command output, the generated locally trusted certificates are saved in the path from where we ran this command. In my case, my certificates are created at /root itself. I just moved those files to the /etc/ssl folder as below:

# cp /root/ /etc/ssl/certs/
# cp /root/ /etc/ssl/private/

Enabling the certificates on Apache2

Our next step is to install our web server and enable SSL to use these locally trusted development certificates. I installed Apache2 and enabled SSL to make use of this.

# apt install apache2
# systemctl enable apache2
# systemctl start apache2

Secondly, edit the default SSL file located at /etc/apache2/sites-available/default-ssl.conf with our locally generated SSL certificate and key details as below:

SSLCertificateFile /etc/ssl/certs/
SSLCertificateKeyFile /etc/ssl/private/

Now you can enable the SSL module and restart the Apache2 service to make these changes effective.

# a2enmod ssl
# a2ensite default-ssl.conf
Enabling site default-ssl.
To activate the new configuration, you need to run:
systemctl reload apache2
# systemctl reload apache2
# systemctl restart apache2

Finally, we can try browsing https://localhost to confirm it's working.


Howdy! We're ready with our locally trusted certificates. Mkcert is meant for development purposes only and is not recommended for production, so it should not be used on end users' machines, and you should never export or share rootCA-key.pem for security reasons. I hope this article is informative and useful to you! Please post your valuable comments and suggestions on this.
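Anyone who holds rootCA-key.pem can issue certificates that this machine trusts, so it is worth checking who can read that key and whether a copy has ended up in a served directory. The script below is an added example, not part of the original article or of the mkcert project; the function names audit_caroot and perm_findings are hypothetical, and /var/www/html is assumed to be the directory Apache serves.

```sh
#!/bin/sh
# Added example (not from the article or the mkcert project).

# Print one finding for each forbidden permission bit set on path $1.
# $2 is a space-separated list of octal bits, e.g. "040 004".
perm_findings() {
    for bit in $2; do
        if [ -n "$(find "$1" -prune -perm -"$bit" 2>/dev/null)" ]; then
            echo "FINDING: $1 has mode bit $bit set"
        fi
    done
}

# audit_caroot CAROOT [SERVED_DIR]   (hypothetical helper name)
# Prints findings; returns 0 if clean, 1 on findings, 2 if no CA key found.
audit_caroot() {
    caroot=$1
    served=${2:-}
    key="$caroot/rootCA-key.pem"
    [ -f "$key" ] || { echo "no rootCA-key.pem under $caroot"; return 2; }

    # The CA key should carry no group or other permission bits at all.
    out=$(perm_findings "$key" "040 020 010 004 002 001")
    # Only the owner should be able to replace files in the CA directory.
    dir_out=$(perm_findings "$caroot" "020 002")
    [ -n "$dir_out" ] && out="$out
$dir_out"
    # A byte-identical copy under a served directory means the key has been
    # exported, whatever name the copy was given.
    if [ -n "$served" ] && [ -d "$served" ]; then
        copies=$(find "$served" -type f -exec cmp -s {} "$key" \; -print)
        [ -n "$copies" ] && out="$out
FINDING: copy of CA key at $copies"
    fi

    out=$(printf '%s\n' "$out" | sed '/^$/d')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Typical call for the setup in this article (the served path is an assumption):
#   audit_caroot "$(mkcert -CAROOT)" /var/www/html
```

A non-zero return means the key should be locked down again, or the local CA removed and recreated if the key may have left the machine.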

Saheetha Shameer 12:05 am

About Saheetha Shameer

I'm working as a Senior System Administrator. I'm a quick learner and have a slight inclination towards following the current and emerging trends in the industry. My hobbies include hearing music, playing strategy computer games, reading and gardening. I also have a high passion for experimenting with various culinary delights :-)


1 Comment

  1. Thanks Saheetha for this article. I just read it and I think it's very useful for the reasons that you explained.

    It is always annoying when the browser asks us to trust the site certificate.

    I want to ask you if the certificates created using this method are valid when we access the local web server from the internet via a port forwarding in the router.